電腦維修中心
電腦維修中心每天都會更新以下電腦病毒及入侵警告, 希望大家可以及早留意; 以免因病毒感染而引致資料遺失或硬件損壞!
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| gotenberg--gotenberg | Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths. | 2026-05-06 | 10 | CVE-2026-40281 | https://github.com/gotenberg/gotenberg/security/advisories/GHSA-q7r4-hc83-hf2q https://github.com/gotenberg/gotenberg/commit/405f1069c026bb08f319fb5a44e5c67c33208318 |
| jkroepke--openvpn-auth-oauth2 | openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3. | 2026-05-08 | 10 | CVE-2026-41070 | https://github.com/jkroepke/openvpn-auth-oauth2/security/advisories/GHSA-246w-jgmq-88fg https://github.com/jkroepke/openvpn-auth-oauth2/commit/36f69a6c67c1054da7cbfa04ced3f0555127c8f2 |
| gitroomhq--postiz-app | Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801. | 2026-05-08 | 10 | CVE-2026-42298 | https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-v975-9h5p-xhm4 https://github.com/gitroomhq/postiz-app/commit/da448012dd87e94944cbe83a38e7fd023269ec46 |
| GeoVision Inc.--GV-VMS V20.0.2 | GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but it is also possible to enable remote access via the "WebCam Server" feature. Once enabled, it is possible to access to the management and monitoring feature via a regular Web interface. This webersever is another native application, compiled without ASLR, which makes exploitation much easier and more likely. Most of the features require authentication before being reachable and leverage a standard login page to grant access. However the `gvapi` endpoint uses its own authentication mechanism via an `HTTP Authorization` header. It supports both `Basic` authentication and the `Digest` modes of authentication. #### Stack-overflow via unbound copy of base64 decoded string The `b64decoder` string is sized dynamically, but it is then copied to the `Buffer` stack variable one character at the time at [0], and there's no bound-check. As such, if the decoded string is bigger than 256 characters (the size of the `Buffer` variable) then a stack overflow occurs. Because the data can be fully controlled by an attacker and lack of ASLR, this vulnerability can easily be exploited to gain full code execution as SYSTEM on the machine running the service. | 2026-05-04 | 10 | CVE-2026-42369 | https://www.geovision.com.tw/cyber_security.php https://https://talosintelligence.com/vulnerability_reports/ |
| Microsoft--Azure DevOps | Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 10 | CVE-2026-42826 | Azure DevOps Information Disclosure Vulnerability |
| Eclipse Foundation--Eclipse BaSyx | In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise. | 2026-05-05 | 10 | CVE-2026-7411 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423 https://gitlab.eclipse.org/security/cve-assignment/-/issues/102 |
| Opencart--opencart | OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts. | 2026-05-10 | 9.8 | CVE-2021-47923 | ExploitDB-50555 Official Product Homepage VulnCheck Advisory: OpenCart 3.0.3.8 Session Fixation via OCSESSID Cookie |
| thecartpress--TheCartPress | WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication. | 2026-05-10 | 9.8 | CVE-2021-47932 | ExploitDB-50378 Official Product Homepage VulnCheck Advisory: WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthenticated |
| mstore--MStore API | WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server. | 2026-05-10 | 9.8 | CVE-2021-47933 | ExploitDB-50379 Official Product Homepage VulnCheck Advisory: WordPress MStore API 2.0.6 Arbitrary File Upload |
| Opencats--OpenCATS | OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory. | 2026-05-10 | 9.8 | CVE-2021-47936 | ExploitDB-50585 Official Product Homepage Product Reference VulnCheck Advisory: OpenCATS 0.9.4 Remote Code Execution via Resume Upload |
| download-from-files--Download From Files | WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action. Attackers can send POST requests to the admin-ajax.php endpoint with the download_from_files_617_fileupload action, manipulating the allowExt parameter to bypass file type restrictions and upload executable files like PHP shells to the web root. | 2026-05-10 | 9.8 | CVE-2021-47940 | ExploitDB-50287 Official Product Homepage VulnCheck Advisory: WordPress Download From Files 1.48 Arbitrary File Upload |
| equinox--[OSGi | Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the fork command functionality. Attackers can establish a telnet connection to the OSGi console, perform a telnet handshake, and send fork commands to download and execute malicious Java code, establishing a reverse shell connection. | 2026-05-05 | 9.8 | CVE-2023-54342 | ExploitDB-51878 VulnCheck Advisory: Eclipse Equinox OSGi 3.8-3.18 Console Remote Code Execution |
| equinox--[OSGi | Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives to achieve code execution and establish reverse shell connections. | 2026-05-05 | 9.8 | CVE-2023-54344 | ExploitDB-51879 VulnCheck Advisory: Eclipse Equinox OSGi 3.7.2 Remote Code Execution via Console |
| dreamstechnologies--Mentoring | The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts. | 2026-05-05 | 9.8 | CVE-2025-13618 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7192fb4c-0434-4e11-a2a7-c205b8d6b68e?source=cve https://themeforest.net/item/mentoring-education-wordpress-theme/36457081 https://mentoring-wp.dreamsmarketplace.com/documentation/changelog.html |
| Tegsoft Management and Information Services Trade Limited Company--Online Support Application | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Tegsoft Management and Information Services Trade Limited Company Online Support Application allows Reflected XSS. This issue affects Online Support Application: from V3 through 31122025. | 2026-05-04 | 9.8 | CVE-2025-14320 | https://www.usom.gov.tr/bildirim/tr-26-0142 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. | 2026-05-04 | 9.8 | CVE-2026-24118 | https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3 https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74 https://github.com/patriksimek/vm2/releases/tag/v3.11.0 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5. | 2026-05-04 | 9.8 | CVE-2026-24120 | https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p https://github.com/patriksimek/vm2/releases/tag/v3.10.5 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. | 2026-05-04 | 9.8 | CVE-2026-24781 | https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189 https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228 https://github.com/patriksimek/vm2/releases/tag/v3.11.0 |
| Qualcomm, Inc.--Snapdragon | Buffer overflow due to incorrect authorization in PLC FW | 2026-05-04 | 9.6 | CVE-2026-25293 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0. | 2026-05-04 | 9.8 | CVE-2026-26332 | https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95 https://github.com/patriksimek/vm2/releases/tag/v3.11.0 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5. | 2026-05-04 | 9.8 | CVE-2026-26956 | https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66 https://github.com/patriksimek/vm2/releases/tag/v3.10.5 |
| OpenCTI-Platform--opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration. | 2026-05-05 | 9.8 | CVE-2026-27960 | https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx |
| Microsoft--Azure Managed Instance for Apache Cassandra | Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. | 2026-05-07 | 9.9 | CVE-2026-33109 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability |
| Microsoft--Microsoft Teams | Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network. | 2026-05-07 | 9.6 | CVE-2026-33823 | Microsoft Team Events Portal Information Disclosure Vulnerability |
| Microsoft--Azure Managed Instance for Apache Cassandra | Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. | 2026-05-07 | 9 | CVE-2026-33844 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability |
| Microsoft--Azure Cloud Shell | Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network. | 2026-05-07 | 9.6 | CVE-2026-35428 | Azure Cloud Shell Spoofing Vulnerability |
| Saleswonder LLC--WebinarIgnition | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection. This issue affects WebinarIgnition: from n/a through 4.08.253. | 2026-05-05 | 9.3 | CVE-2026-40797 | https://patchstack.com/database/wordpress/plugin/webinar-ignition/vulnerability/wordpress-webinarignition-plugin-4-06-08-sql-injection-vulnerability?_s_id=cve |
| Spring--Spring Cloud Config | Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 9.1 | CVE-2026-40982 | https://spring.io/security/cve-2026-40982 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via a sql file that tampers with the file name field to contain hidden XSS payload. This issue has been patched in version 0.31.5.0. | 2026-05-07 | 9.1 | CVE-2026-41201 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-qxpq-82f3-xj47 https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. This issue has been patched in version 4.6.9. | 2026-05-08 | 9.8 | CVE-2026-41497 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9qhq-v63v-fv3j https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368c |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8. | 2026-05-08 | 9.8 | CVE-2026-41500 | https://github.com/electerm/electerm/security/advisories/GHSA-wxw2-rwmh-vr8f https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee https://github.com/electerm/electerm/releases/tag/v3.3.8 |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation. This issue has been patched in version 3.3.8. | 2026-05-08 | 9.8 | CVE-2026-41501 | https://github.com/electerm/electerm/security/advisories/GHSA-8x35-hph8-37hq https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee https://github.com/electerm/electerm/releases/tag/v3.3.8 |
| mauriciopoppe--math-codegen | math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3. | 2026-05-08 | 9.8 | CVE-2026-41507 | https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r https://github.com/mauriciopoppe/math-codegen/pull/11 https://github.com/mauriciopoppe/math-codegen/commit/4bb52d3030683362b3559ee8dd91350555a05f6b |
| 0din-ai--ai-scanner | ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomation::PlaywrightService`. This issue has been patched in version 1.4.1. | 2026-05-08 | 9.9 | CVE-2026-41512 | https://github.com/0din-ai/ai-scanner/security/advisories/GHSA-r27j-xxgx-f5vr https://github.com/0din-ai/ai-scanner/releases/tag/v1.4.1 |
| enchant97--note-mark | Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3. | 2026-05-04 | 9.4 | CVE-2026-41571 | https://github.com/enchant97/note-mark/security/advisories/GHSA-pxf8-6wqm-r6hh https://github.com/enchant97/note-mark/releases/tag/v0.19.3 |
| inducer--relate | RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py - check_sign_in_key(). This issue has been patched via commit 2f68e16. | 2026-05-08 | 9 | CVE-2026-41588 | https://github.com/inducer/relate/security/advisories/GHSA-78j7-9xr9-2728 https://github.com/inducer/relate/commit/2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb |
| charmbracelet--wish | Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1. | 2026-05-07 | 9.6 | CVE-2026-41589 | https://github.com/charmbracelet/wish/security/advisories/GHSA-xjvp-7243-rg9h https://github.com/charmbracelet/wish/releases/tag/v2.0.1 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check - the hash remains valid indefinitely until consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, HTTP referrer to external CDNs on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated permanent account takeover months or years after invite issuance. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217. | 2026-05-07 | 9.1 | CVE-2026-41902 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-hqff-cwx7-3jpm https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| givanz--Vvveb | Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation. | 2026-05-06 | 9.8 | CVE-2026-41930 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf https://github.com/givanz/Vvveb/commit/f85ca7c2bc389bda3cc2eca87b2514581a628c32 https://www.vulncheck.com/advisories/vvveb-hard-coded-credentials-information-disclosure-via-phpmyadmin |
| orneryd--NornicDB | Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address (all interfaces), regardless of what the user configures. On a LAN, this exposes the graph database - with its default admin:password credentials - to any device sharing the network. This issue has been patched in version 1.0.42-hotfix. | 2026-05-08 | 9.8 | CVE-2026-42072 | https://github.com/orneryd/NornicDB/security/advisories/GHSA-2hp7-65r3-wv54 https://github.com/orneryd/NornicDB/commit/adce4f9a9fc7b6aada07c0bfa2d737cd7a6efaca https://github.com/orneryd/NornicDB/releases/tag/v1.0.42 |
| EvoMap--evolver | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3. | 2026-05-04 | 9.8 | CVE-2026-42076 | https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53 https://github.com/EvoMap/evolver/releases/tag/v1.69.3 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data. This issue has been patched in version 7.0.0-rc3. | 2026-05-04 | 9.6 | CVE-2026-42087 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5 https://github.com/OpenC3/cosmos/commit/9ba60c09c8836a37a2e4ea67ab35fe403e041415 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. This issue has been patched in version 7.0.0-rc3. | 2026-05-04 | 9.6 | CVE-2026-42088 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-2wvh-87g2-89hr https://github.com/OpenC3/cosmos/releases/tag/v7.0.0 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| streetwriters--notesnook | Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20. | 2026-05-04 | 9.6 | CVE-2026-42090 | https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4 https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android https://github.com/streetwriters/notesnook/releases/tag/v3.3.15 |
| useplunk--plunk | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0. | 2026-05-08 | 9.1 | CVE-2026-42193 | https://github.com/useplunk/plunk/security/advisories/GHSA-9792-w86v-gx53 https://github.com/useplunk/plunk/releases/tag/v0.9.0 |
| labring--FastGPT | FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13. | 2026-05-08 | 9.8 | CVE-2026-42302 | https://github.com/labring/FastGPT/security/advisories/GHSA-34rc-438g-7w78 https://github.com/labring/FastGPT/pull/6781 https://github.com/labring/FastGPT/commit/9d1cafce9241430fb5bcdd646455055c5f4ae0a4 https://github.com/labring/FastGPT/releases/tag/v4.14.13 |
| getsentry--sentry | Sentry is an error tracking and performance monitoring tool. From version 21.12.0 to before version 26.4.1, a critical vulnerability was discovered in the SAML SSO implementation of Sentry. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability. This issue has been patched in version 26.4.1. | 2026-05-08 | 9.1 | CVE-2026-42354 | https://github.com/getsentry/sentry/security/advisories/GHSA-rcmw-7mc7-3rj7 https://github.com/getsentry/sentry/pull/113720 https://github.com/getsentry/sentry/commit/0c67558ae7fe08738912d4c5233b53ead048da3b https://github.com/getsentry/sentry/releases/tag/26.4.1 |
| GeoVision Inc.--GV-LPC2011/LPC2211 | An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability. | 2026-05-04 | 9.9 | CVE-2026-42364 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| GeoVision Inc.--GV-LPC2011/LPC2211 | A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute priviledged operation. An attacker can visit a webpage to trigger this vulnerability. | 2026-05-04 | 9.9 | CVE-2026-42368 | https://www.geovision.com.tw/cyber_security.php https://https://talosintelligence.com/vulnerability_reports/ |
| GeoVision Inc.--GV-VMS V20.0.2 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | 2026-05-04 | 9 | CVE-2026-42370 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| D-Link--DIR-605L Firmware | D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn76_dlwbr_dir605L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42373 | D-Link DIR-605L B2 Hardcoded Telnet Backdoor - Securin Advisory |
| D-Link--DIR-600L Firmware | D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn61_dlwbr_dir600L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42374 | D-Link DIR-600L B1 Hardcoded Telnet Backdoor - Securin Advisory |
| D-Link--DIR-600L Firmware | D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42375 | D-Link DIR-600L A1 Hardcoded Telnet Backdoor - Securin Advisory |
| D-Link--DIR-456U Firmware | D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80telnetd.sh with the username "Alphanetworks" and the static password "whdrv01_dlob_dir456U" read from /etc/config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42376 | D-Link DIR-456U A1 Hardcoded Telnet Backdoor - Securin Advisory |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed via ssh2.Client.exec() on remote managed servers without any sanitization or validation. An authenticated attacker can inject arbitrary OS commands by crafting a malicious container ID, achieving Remote Code Execution on any managed server. This issue has been patched in version 2.1.0. | 2026-05-08 | 9.9 | CVE-2026-42454 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-c2g2-hqgq-6w9v https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag |
| go-pkgz--auth | auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2. | 2026-05-09 | 9.1 | CVE-2026-42560 | https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42 https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698 https://github.com/go-pkgz/auth/releases/tag/v1.25.2 https://github.com/go-pkgz/auth/releases/tag/v2.1.2 |
| phpvms--phpvms | phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6. | 2026-05-09 | 9.4 | CVE-2026-42569 | https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc https://github.com/phpvms/phpvms/releases/tag/7.0.6 https://github.com/phpvms/phpvms/releases/tag/7.0.7 |
| Arelle--Arelle | Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges. | 2026-05-04 | 9.8 | CVE-2026-42796 | https://github.com/Arelle/Arelle/releases/tag/2.39.10 https://github.com/Arelle/Arelle/pull/2320 https://www.vulncheck.com/advisories/arelle-unauthenticated-rce-via-rest-configure |
| Apache Software Foundation--Apache Polaris | Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker- directed because the attacker can choose a reachable target location. In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued. Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued. | 2026-05-04 | 9.9 | CVE-2026-42809 | https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r |
| Apache Software Foundation--Apache Polaris | Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unescaped in S3 IAM resource patterns and `s3:prefix` conditions. In S3 IAM policy matching, `*` is treated as a wildcard rather than as ordinary text. That means temporary credentials issued for one crafted table can match the storage path of a different table. In private testing against Polaris 1.4.0 using Polaris' AWS S3 temporary- credential path on both MinIO and real AWS S3, credentials returned for crafted tables such as `f*.t1`, `f*.*`, `*.*`, and `foo.*` could reach other tables' S3 locations. The confirmed behavior includes: - reading another table's metadata control file ([Iceberg metadata JSON]); - listing another table's exact S3 table prefix ([table prefix]); - and, when write delegation was returned for the crafted table, creating and deleting an object under another table's exact S3 table prefix. A control case using ordinary different names did not allow the same cross-table access. A least-privilege AWS S3 variant was also confirmed in which the attacker principal had no Polaris permissions on the victim table and only the minimal permissions required to create and use a crafted wildcard table (namespace-scoped `TABLE_CREATE` and `TABLE_WRITE_DATA` on `*`). In that setup, direct Polaris access to `foo.t1` remained forbidden, but the attacker could still create and load `*.*`, receive delegated S3 credentials, and use those credentials to list, read, create, and delete objects under `foo.t1`. In Iceberg, the metadata JSON file is a control file: it tells readers which data files belong to the table, which snapshots exist, and which table version to read. So unauthorized access to it is already a meaningful confidentiality problem. The confirmed write-capable variant means the issue is not limited to disclosure. | 2026-05-04 | 9.9 | CVE-2026-42810 | https://lists.apache.org/thread/gg3qq9sqg4hdjmprqy46p40xmln61dm9 |
| Apache Software Foundation--Apache Polaris | In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across the configured bucket instead. Apache Polaris builds Google Cloud Storage downscoped credentials by creating a Credential Access Boundary (CAB) with CEL conditions that are intended to restrict access to the requested table's storage path. The relevant CEL string is built from the bucket name and the table path. That table path is derived from namespace and table identifiers. In current code, that path appears to be inserted into the CEL expression without escaping. As a result, a namespace or table identifier containing a single quote and other URI-safe CEL fragments can break out of the intended quoted string and change the meaning of the CEL condition. In private testing against Polaris 1.4.0 on real Google Cloud Storage, it was confirmed that Polaris accepted a crafted identifier and returned delegated GCS credentials whose CEL path restriction had effectively collapsed. Those delegated credentials could then: - list another table's object prefix; - read another table's metadata control file (Iceberg metadata JSON); - create and delete an object under another table's object prefix; - and also list, read, create, and delete objects under an unrelated external prefix in the same bucket that was not part of any table path. That last point is important. The issue is not limited to "another table". In the confirmed setup, once Apache Polaris returned credentials for the crafted table, the path restriction inside the configured bucket was effectively gone. The practical effect is that temporary credentials for one crafted table can be broader than the table Polaris was asked to authorize, and can become effectively bucket-wide within the configured bucket. The current GCS testing used a Polaris principal with broad catalog privileges for setup. A separate least-privilege Polaris RBAC variant has not yet been tested on GCS. However, the storage-credential broadening behavior itself has been confirmed on GCS. | 2026-05-04 | 9.9 | CVE-2026-42811 | https://lists.apache.org/thread/hovn5hmkj9wj7v9cd8sn67svg03klgvg |
| Apache Software Foundation--Apache Polaris | In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. `write.metadata.path` is an optional table property that tells Polaris where to write those metadata files. For a table already registered in a Polaris-managed catalog, changing only that property through an `ALTER TABLE`-style settings change (not a row-level `INSERT`, `SELECT`, `UPDATE`, or `DELETE`) bypasses the commit-time branch that is supposed to revalidate storage locations. The full persisted / credential-vending variant requires the affected catalog to have `polaris.config.allow.unstructured.table.location=true`, with `allowedLocations` broad enough to include the attacker-chosen target. `allowedLocations` is the admin-configured allowlist of storage paths that the catalog is allowed to use. Public project materials suggest that this flag is a real supported compatibility / layout mode, not just a contrived lab-only prerequisite. In that configuration, a user who can change table settings can cause Apache Polaris itself to write new table metadata to an attacker-chosen reachable storage location before the intended location-validation branch runs. If the later concrete-path validation also accepts that location, Polaris persists the resulting metadata path into stored table state. Later table-load and credential APIs can then return temporary cloud-storage credentials for the same location without revalidating it. In plain terms, Polaris can later hand out temporary storage access for the same attacker-chosen area. That attacker-chosen area does not need to be limited to the poisoned table's own files. If it is a broader storage prefix, another table's prefix, or, depending on configuration or provider behavior, even a bucket/container root, the resulting disclosure or corruption scope can extend to any data and metadata Polaris can reach there. The practical consequences are therefore similar to the staged-create credential-vending issue already discussed: data and metadata reachable in that storage scope can be exposed and, if write-capable credentials are later issued, modified, corrupted, or removed. Even before that later credential step, Polaris itself performs the metadata write to the unchecked location. So the core issue is not only later credential vending. The primary defect is that Polaris skips its intended location checks before performing a security- sensitive metadata write when only `write.metadata.path` changes. When `polaris.config.allow.unstructured.table.location=false`, current code review suggests the later `updateTableLike(...)` validation usually rejects out-of-tree metadata locations before the unsafe path is persisted. That may reduce the persisted / credential-vending variant, but it does not prevent the underlying defect: Polaris still skips the intended pre-write location check when only `write.metadata.path` changes. | 2026-05-04 | 9.9 | CVE-2026-42812 | https://lists.apache.org/thread/wxd2wj3p0smvrk84msv317wg5tp3jtw9 |
| argoproj--argo-cd | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9. | 2026-05-07 | 9.6 | CVE-2026-42880 | https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: handle wraparound when searching for blocks for indirect mapped blocks Commit 4865c768b563 ("ext4: always allocate blocks only from groups inode can use") restricts what blocks will be allocated for indirect block based files to block numbers that fit within 32-bit block numbers. However, when using a review bot running on the latest Gemini LLM to check this commit when backporting into an LTS based kernel, it raised this concern: If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal group was populated via stream allocation from s_mb_last_groups), then start will be >= ngroups. Does this allow allocating blocks beyond the 32-bit limit for indirect block mapped files? The commit message mentions that ext4_mb_scan_groups_linear() takes care to not select unsupported groups. However, its loop uses group = *start, and the very first iteration will call ext4_mb_scan_group() with this unsupported group because next_linear_group() is only called at the end of the iteration. After reviewing the code paths involved and considering the LLM review, I determined that this can happen when there is a file system where some files/directories are extent-mapped and others are indirect-block mapped. To address this, add a safety clamp in ext4_mb_scan_groups(). | 2026-05-05 | 9.8 | CVE-2026-43067 | https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930 https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29 https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1 https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503 https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dcache: Limit the minimal number of bucket to two There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1': BUG: unable to handle page fault for address: ffff888b30b774b0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP PTI RIP: 0010:__d_lookup+0x56/0x120 Call Trace: d_lookup.cold+0x16/0x5d lookup_dcache+0x27/0xf0 lookup_one_qstr_excl+0x2a/0x180 start_dirop+0x55/0xa0 simple_start_creating+0x8d/0xa0 debugfs_start_creating+0x8c/0x180 debugfs_create_dir+0x1d/0x1c0 pinctrl_init+0x6d/0x140 do_one_initcall+0x6d/0x3d0 kernel_init_freeable+0x39f/0x460 kernel_init+0x2a/0x260 There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable: d_lookup b = d_hash(hash) dentry_hashtable + ((u32)hashlen >> d_hash_shift) // The C standard defines the behavior of right shift amounts // exceeding the bit width of the operand as undefined. The // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen', // so 'b' will point to an unallocated memory region. hlist_bl_for_each_entry_rcu(b) hlist_bl_first_rcu(head) h->first // read OOB! Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32. | 2026-05-05 | 9.1 | CVE-2026-43071 | https://git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73 https://git.kernel.org/stable/c/ddd57ebce245f9c7e2f6902a6c087d6186d2385d https://git.kernel.org/stable/c/755b40903eff563768d4d96fd4ef51ec48adde3b https://git.kernel.org/stable/c/5718df131ab78897a9dd1f2e71c3ba732d4392af https://git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526 https://git.kernel.org/stable/c/f08fe8891c3eeb63b73f9f1f6d97aa629c821579 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ioam6: fix OOB and missing lock When trace->type.bit6 is set: if (trace->type.bit6) { ... queue = skb_get_tx_queue(dev, skb); qdisc = rcu_dereference(queue->qdisc); This code can lead to an out-of-bounds access of the dev->_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index. This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature. While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here. | 2026-05-06 | 9.1 | CVE-2026-43083 | https://git.kernel.org/stable/c/6d1d9ed9b409e0662241e3d245d574a18f643494 https://git.kernel.org/stable/c/95a1334748c95dd15546056280ade0c4b8dd7b78 https://git.kernel.org/stable/c/b30b1675aa2bcf0491fd3830b051df4e08a7c8ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry New test case fails unexpectedly when avx2 matching functions are used. The test first loads a ranomly generated pipapo set with 'ipv4 . port' key, i.e. nft -f foo. This works. Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f - This is expected to work, because its the same set after all and it was already loaded once. But with avx2, this fails: nft reports a clashing element. The reported clash is of following form: We successfully re-inserted a . b c . d Then we try to insert a . d avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation. It skips the element and moves to next. Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*, i.e. we return the already reinserted "a . b", even though the last field is different and the entry should not have been matched. No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback. Bisection points to 7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") but that fix merely uncovers this bug. Before this commit, the wrong element is returned, but erronously reported as a full, identical duplicate. The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map. | 2026-05-06 | 9.4 | CVE-2026-43114 | https://git.kernel.org/stable/c/fa4f1f52528c73989d820f32bfca06bec5afeece https://git.kernel.org/stable/c/3d53f9aafd469ae1ea27051e00f5b96ca1b55d52 https://git.kernel.org/stable/c/07de44424bb7f17ef9357e8535df96d9e97c40cb https://git.kernel.org/stable/c/0abbc43f71d99baadeeba6fa3fe1c80b676f57ed https://git.kernel.org/stable/c/d3c0037ffe1273fa1961e779ff6906234d6cf53c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash. Use file_inode(file)->i_sb to always get btrfs_sb. | 2026-05-06 | 9.1 | CVE-2026-43117 | https://git.kernel.org/stable/c/c09a7446aab5773f38d6abb25fce99b8e1dfbc97 https://git.kernel.org/stable/c/32372781d664a9b03c40343e96c29d0a6139f97d https://git.kernel.org/stable/c/2e4adfaec97ee053ad1bdfb5036845e66f7e0d8a https://git.kernel.org/stable/c/d110d7cdb045715c0b45b0dfd974525bb38f653d https://git.kernel.org/stable/c/a85b46db143fda5869e7d8df8f258ccef5fa1719 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlm_search_rsb_tree The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm_search_rsb_tree(). Add length validation to prevent potential buffer overflow. | 2026-05-06 | 9.8 | CVE-2026-43125 | https://git.kernel.org/stable/c/67288113c5e6cf9e659b4065c0ed6f16100e0c71 https://git.kernel.org/stable/c/082083c9fbd99422a0370fe2102144a231c9f5d6 https://git.kernel.org/stable/c/5f053a2e7209d326cbbc07738fa6d6893d307438 https://git.kernel.org/stable/c/080e5563f878c64e697b89e7439d730d0daad882 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signededness bug in smb_direct_prepare_negotiation() smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message. By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow. This fix replaces min_t(int, ...) with min_t(u32) | 2026-05-06 | 9.8 | CVE-2026-43185 | https://git.kernel.org/stable/c/ceae058eb707ddd0d68f0872f9d9f23b7c30c37b https://git.kernel.org/stable/c/55abc475d096da4a5356b6efb0cfdc6156bc1550 https://git.kernel.org/stable/c/6b4f875aac344cdd52a1f34cc70ed2f874a65757 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data() On the receive path, __ioam6_fill_trace_data() uses trace->nodelen to decide how much data to write for each node. It trusts this field as-is from the incoming packet, with no consistency check against trace->type (the 24-bit field that tells which data items are present). A crafted packet can set nodelen=0 while setting type bits 0-21, causing the function to write ~100 bytes past the allocated region (into skb_shared_info), which corrupts adjacent heap memory and leads to a kernel panic. Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to derive the expected nodelen from the type field, and use it: - in ioam6_iptunnel.c (send path, existing validation) to replace the open-coded computation; - in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose nodelen is inconsistent with the type field, before any data is written. Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to 0xff1ffc00). | 2026-05-06 | 9.8 | CVE-2026-43186 | https://git.kernel.org/stable/c/f4d9d4b8fd839719d564651671e24c62c545c23b https://git.kernel.org/stable/c/fb3c662fafebc5b9d74417ed1de8759f6bb72143 https://git.kernel.org/stable/c/632d233cf2e64a46865ae2c064ae3c9df7c8864f https://git.kernel.org/stable/c/0591d6509c2ff13f09ea2998434aba0c0472e978 https://git.kernel.org/stable/c/e90346a2f1e8917d5760a44a1f61c44e3b36d96b https://git.kernel.org/stable/c/ea3632aefc04205436868541638e26f4a74d5637 https://git.kernel.org/stable/c/6db8b56eed62baacaf37486e83378a72635c04cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netconsole: avoid OOB reads, msg is not nul-terminated msg passed to netconsole from the console subsystem is not guaranteed to be nul-terminated. Before recent commit 7eab73b18630 ("netconsole: convert to NBCON console infrastructure") the message would be placed in printk_shared_pbufs, a static global buffer, so KASAN had harder time catching OOB accesses. Now we see: printk: console [netcon_ext0] enabled BUG: KASAN: slab-out-of-bounds in string+0x1f7/0x240 Read of size 1 at addr ffff88813b6d4c00 by task pr/netcon_ext0/594 CPU: 65 UID: 0 PID: 594 Comm: pr/netcon_ext0 Not tainted 6.19.0-11754-g4246fd6547c9 Call Trace: kasan_report+0xe4/0x120 string+0x1f7/0x240 vsnprintf+0x655/0xba0 scnprintf+0xba/0x120 netconsole_write+0x3fe/0xa10 nbcon_emit_next_record+0x46e/0x860 nbcon_kthread_func+0x623/0x750 Allocated by task 1: nbcon_alloc+0x1ea/0x450 register_console+0x26b/0xe10 init_netconsole+0xbb0/0xda0 The buggy address belongs to the object at ffff88813b6d4000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 0 bytes to the right of allocated 3072-byte region [ffff88813b6d4000, ffff88813b6d4c00) | 2026-05-06 | 9.1 | CVE-2026-43197 | https://git.kernel.org/stable/c/3126a2f98beaec5a554a1fb31c46db1e8542665e https://git.kernel.org/stable/c/74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58 https://git.kernel.org/stable/c/82aec772fca2223bc5774bd9af486fd95766e578 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it. Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found. Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion. This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context. | 2026-05-06 | 9.8 | CVE-2026-43198 | https://git.kernel.org/stable/c/fe89b2f05b854847784f91127319172945c1fadd https://git.kernel.org/stable/c/7178e2a8027423b2af17ab95df73a749a5b72e5b https://git.kernel.org/stable/c/858d2a4f67ff69e645a43487ef7ea7f28f06deae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: do not pass flow_id to set_rps_cpu() Blamed commit made the assumption that the RPS table for each receive queue would have the same size, and that it would not change. Compute flow_id in set_rps_cpu(), do not assume we can use the value computed by get_rps_cpu(). Otherwise we risk out-of-bound access and/or crashes. | 2026-05-06 | 9.8 | CVE-2026-43208 | https://git.kernel.org/stable/c/5455a232edea6b946b99449f15ca771a8874a5a6 https://git.kernel.org/stable/c/ed712dc0d64dee5f0d05e4d8ca57711f8a9c850c https://git.kernel.org/stable/c/8a8a9fac9efa6423fd74938b940cb7d731780718 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: define and enforce CEPH_MAX_KEY_LEN When decoding the key, verify that the key material would fit into a fixed-size buffer in process_auth_done() and generally has a sane length. The new CEPH_MAX_KEY_LEN check replaces the existing check for a key with no key material which is a) not universal since CEPH_CRYPTO_NONE has to be excluded and b) doesn't provide much value since a smaller than needed key is just as invalid as no key -- this has to be handled elsewhere anyway. | 2026-05-08 | 9.8 | CVE-2026-43304 | https://git.kernel.org/stable/c/6405e8c680974bb74e2c98d5249fb52c7b12a6c6 https://git.kernel.org/stable/c/8d745d38c88ecbed95f6b2b39857bf89f35a3244 https://git.kernel.org/stable/c/e1dc45d97975f9db65694d234fbddf1915176e16 https://git.kernel.org/stable/c/1b275bd49e58752efb83767a5d1aed41356c5e64 https://git.kernel.org/stable/c/c1a0f5f1e5e7e98c36a362ec3d1fcfd9932931ed https://git.kernel.org/stable/c/d82467c07b03a27c3c5469b62bb3b726305a80bb https://git.kernel.org/stable/c/ac431d597a9bdfc2ba6b314813f29a6ef2b4a3bf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/ipv6: ioam6: prevent schema length wraparound in trace fill ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer. Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length. | 2026-05-08 | 9.8 | CVE-2026-43341 | https://git.kernel.org/stable/c/e96d48b37708d53cbdc47f6f60b0714fc4a5f596 https://git.kernel.org/stable/c/d1b041080086e91d3733a5438a8c51ad5d3d8e09 https://git.kernel.org/stable/c/77695a69baca9b99d95fad09fc78c2318736604f https://git.kernel.org/stable/c/184d2e9db27c0f76226b5cad16fe29510a5d2280 https://git.kernel.org/stable/c/d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d https://git.kernel.org/stable/c/5e67ba9bb531e1ec6599a82a065dea9040b9ce50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free by using call_rcu() for oplock_info ksmbd currently frees oplock_info immediately using kfree(), even though it is accessed under RCU read-side critical sections in places like opinfo_get() and proc_show_files(). Since there is no RCU grace period delay between nullifying the pointer and freeing the memory, a reader can still access oplock_info structure after it has been freed. This can leads to a use-after-free especially in opinfo_get() where atomic_inc_not_zero() is called on already freed memory. Fix this by switching to deferred freeing using call_rcu(). | 2026-05-08 | 9.8 | CVE-2026-43376 | https://git.kernel.org/stable/c/302fef75512b2c8329a3f5efab1ae7ba2562387a https://git.kernel.org/stable/c/08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c https://git.kernel.org/stable/c/1d6abf145615dbfe267ce3b0a271f95e3780e18e https://git.kernel.org/stable/c/ce8507ee82c888126d8e7565e27c016308d24cde https://git.kernel.org/stable/c/1dfd062caa165ec9d7ee0823087930f3ab8a6294 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being accessed after rcu_read_unlock() has been called. This creates a race condition where the memory could be freed by a concurrent writer between the unlock and the subsequent pointer dereferences (opinfo->is_lease, etc.), leading to a use-after-free. | 2026-05-08 | 9.8 | CVE-2026-43379 | https://git.kernel.org/stable/c/bf4d66d72e4a9e268c1012c331ce9eaedb5e2086 https://git.kernel.org/stable/c/960699317d39f46611f4ebeb69edc567c1f4e6b6 https://git.kernel.org/stable/c/dbbd328cf58261ca239756fe1c0d10c9518d3399 https://git.kernel.org/stable/c/b3568347c51c46e2cabc356bc34676df98296619 https://git.kernel.org/stable/c/eac3361e3d5dd8067b3258c69615888eb45e9f25 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/tcp-md5: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. | 2026-05-08 | 9.4 | CVE-2026-43383 | https://git.kernel.org/stable/c/821c8751fdeecdeecabeb11704dd33439c9e4bbc https://git.kernel.org/stable/c/345a9530756528d7ca407663d659c3c40e75c3dd https://git.kernel.org/stable/c/5d305a95130a8d08b9545e47f1e18d29d59866cb https://git.kernel.org/stable/c/02669e2a4d207068edce7e8b5fafd85822018ce6 https://git.kernel.org/stable/c/ae3831b44f477de048287493e184fc3ff913b624 https://git.kernel.org/stable/c/b502e97e29d791ff7a8051f29a414535739be218 https://git.kernel.org/stable/c/46d0d6f50dab706637f4c18a470aac20a21900d3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/tcp-ao: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. | 2026-05-08 | 9.8 | CVE-2026-43384 | https://git.kernel.org/stable/c/8be6ed64966da48b6c4726918f106c18742a5125 https://git.kernel.org/stable/c/a269cbdc442f8658bca35383e34b9d0b0ff95a1c https://git.kernel.org/stable/c/080b0e210088296dd50d6637c06c1db14246adfe https://git.kernel.org/stable/c/67edfec516d30d3e62925c397be4a1e5185802fc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kthread: consolidate kthread exit paths to prevent use-after-free Guillaume reported crashes via corrupted RCU callback function pointers during KUnit testing. The crash was traced back to the pidfs rhashtable conversion which replaced the 24-byte rb_node with an 8-byte rhash_head in struct pid, shrinking it from 160 to 144 bytes. struct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to 192 bytes and share the same slab cache. struct pid.rcu.func and struct kthread.affinity_node both sit at offset 0x78. When a kthread exits via make_task_dead() it bypasses kthread_exit() and misses the affinity_node cleanup. free_kthread_struct() frees the memory while the node is still linked into the global kthread_affinity_list. A subsequent list_del() by another kthread writes through dangling list pointers into the freed and reused memory, corrupting the pid's rcu.func pointer. Instead of patching free_kthread_struct() to handle the missed cleanup, consolidate all kthread exit paths. Turn kthread_exit() into a macro that calls do_exit() and add kthread_do_exit() which is called from do_exit() for any task with PF_KTHREAD set. This guarantees that kthread-specific cleanup always happens regardless of the exit path - make_task_dead(), direct do_exit(), or kthread_exit(). Replace __to_kthread() with a new tsk_is_kthread() accessor in the public header. Export do_exit() since module code using the kthread_exit() macro now needs it directly. | 2026-05-08 | 9.8 | CVE-2026-43402 | https://git.kernel.org/stable/c/4729c7b00a347fd37d0cbc265b85f2884c3e06b6 https://git.kernel.org/stable/c/5a591d7a5e48d30100943940a30a6ab41b15c672 https://git.kernel.org/stable/c/28aaa9c39945b7925a1cc1d513c8f21ed38f5e4f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in process_message_header() If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header(). Perform an explicit bounds check before decoding the message header. | 2026-05-08 | 9.1 | CVE-2026-43406 | https://git.kernel.org/stable/c/76ccf21a12c5f6d6790bc32c7da82446d877b2f4 https://git.kernel.org/stable/c/75582aaa580c11aed4c7731cad6b068b700e7efb https://git.kernel.org/stable/c/50156622eb0888e62541d715a98584480a1bc7cb https://git.kernel.org/stable/c/dbd857a9e1e33ea71eaf3e211877027e533770d1 https://git.kernel.org/stable/c/69fe5af33fa3806f398d21c081d73c66e5523bc2 https://git.kernel.org/stable/c/035867ae6f18df0aeedb2a57a5b74091bd4e3fe8 https://git.kernel.org/stable/c/69fb5d91bba44ecf7eb80530b85fa4fb028921d5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation. This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length. Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length. BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph] Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262 CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: ceph-msgr ceph_con_workfn [libceph] Call Trace: <TASK> dump_stack_lvl+0x76/0xa0 print_report+0xd1/0x620 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? kasan_complete_mode_report_info+0x72/0x210 kasan_report+0xe7/0x130 ? ceph_handle_auth_reply+0x642/0x7a0 [libceph] ? ceph_handle_auth_reply+0x642/0x7a0 [libceph] __asan_report_load_n_noabort+0xf/0x20 ceph_handle_auth_reply+0x642/0x7a0 [libceph] mon_dispatch+0x973/0x23d0 [libceph] ? apparmor_socket_recvmsg+0x6b/0xa0 ? __pfx_mon_dispatch+0x10/0x10 [libceph] ? __kasan_check_write+0x14/0x30i ? mutex_unlock+0x7f/0xd0 ? __pfx_mutex_unlock+0x10/0x10 ? __pfx_do_recvmsg+0x10/0x10 [libceph] ceph_con_process_message+0x1f1/0x650 [libceph] process_message+0x1e/0x450 [libceph] ceph_con_v2_try_read+0x2e48/0x6c80 [libceph] ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph] ? save_fpregs_to_fpstate+0xb0/0x230 ? raw_spin_rq_unlock+0x17/0xa0 ? finish_task_switch.isra.0+0x13b/0x760 ? __switch_to+0x385/0xda0 ? __kasan_check_write+0x14/0x30 ? mutex_lock+0x8d/0xe0 ? __pfx_mutex_lock+0x10/0x10 ceph_con_workfn+0x248/0x10c0 [libceph] process_one_work+0x629/0xf80 ? __kasan_check_write+0x14/0x30 worker_thread+0x87f/0x1570 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? __pfx_try_to_wake_up+0x10/0x10 ? kasan_print_address_stack_frame+0x1f7/0x280 ? __pfx_worker_thread+0x10/0x10 kthread+0x396/0x830 ? __pfx__raw_spin_lock_irq+0x10/0x10 ? __pfx_kthread+0x10/0x10 ? __kasan_check_write+0x14/0x30 ? recalc_sigpending+0x180/0x210 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x3f7/0x610 ? __pfx_ret_from_fork+0x10/0x10 ? __switch_to+0x385/0xda0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> [ idryomov: replace if statements with ceph_decode_need() for payload_len and result_msg_len ] | 2026-05-08 | 9.1 | CVE-2026-43407 | https://git.kernel.org/stable/c/ea080b21092590122c3f971cf588932cdbf47847 https://git.kernel.org/stable/c/edc678e5cd11730a2834b43071d8923f05bc334d https://git.kernel.org/stable/c/6cee34d6669fe176b4259131adb1a145c939b472 https://git.kernel.org/stable/c/8bb87547e92dcf0928ed763c60e0ac8d733c3656 https://git.kernel.org/stable/c/ed024d2f4c79c0eb2464df0fb640610ac301f9a0 https://git.kernel.org/stable/c/f9da5c1bbac5c8e33259fe00ed7347438fffa969 https://git.kernel.org/stable/c/9f9e2297f45fc2d2524eb104c289d69ddef95665 https://git.kernel.org/stable/c/b282c43ed156ae15ea76748fc15cd5c39dc9ab72 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference. qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea. | 2026-05-08 | 9.8 | CVE-2026-43414 | https://git.kernel.org/stable/c/d48ea85463f5b34f7b92ea0a13eddf1ab993da7b https://git.kernel.org/stable/c/c0b7da13a04bd70ef6070bfb9ea85f582294560a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues. The issue was discovered by the drivers/net/xdp.py selftest, more specifically the test_xdp_native_tx_mb: - The mlx5 driver allocates a page_pool page and initializes it with a frag counter of 64 (pp_ref_count=64) and the internal frag counter to 0. - The test sends one packet with no payload. - On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP buffer with the packet data starting in the first fragment which is the page mentioned above. - The XDP program runs and calls bpf_xdp_pull_data() which moves the header into the linear part of the XDP buffer. As the packet doesn't contain more data, the program drops the tail fragment since it no longer contains any payload (pp_ref_count=63). - mlx5 device skips counting this fragment. Internal frag counter remains 0. - mlx5 releases all 64 fragments of the page but page pp_ref_count is 63 => negative reference counting error. Resulting splat during the test: WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] Modules linked in: [...] CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] [...] Call Trace: <TASK> mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core] mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core] mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core] mlx5e_close_rq+0x78/0xa0 [mlx5_core] mlx5e_close_queues+0x46/0x2a0 [mlx5_core] mlx5e_close_channel+0x24/0x90 [mlx5_core] mlx5e_close_channels+0x5d/0xf0 [mlx5_core] mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core] mlx5e_change_mtu+0x11d/0x490 [mlx5_core] mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core] netif_set_mtu_ext+0xfc/0x240 do_setlink.isra.0+0x226/0x1100 rtnl_newlink+0x7a9/0xba0 rtnetlink_rcv_msg+0x220/0x3c0 netlink_rcv_skb+0x4b/0xf0 netlink_unicast+0x255/0x380 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1e8/0x240 ___sys_sendmsg+0x7c/0xb0 [...] __sys_sendmsg+0x5f/0xb0 do_syscall_64+0x55/0xc70 The problem applies for XDP_PASS as well which is handled in a different code path in the driver. This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag. As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags. | 2026-05-08 | 9.8 | CVE-2026-43465 | https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832 https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context. | 2026-05-05 | 9.1 | CVE-2026-43534 | GitHub Security Advisory (GHSA-7g8c-cfr3-vqqr) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded. | 2026-05-05 | 9.1 | CVE-2026-43566 | GitHub Security Advisory (GHSA-g2hm-779g-vm32) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events |
| OpenClaw--OpenClaw | OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session. | 2026-05-06 | 9.8 | CVE-2026-43575 | GitHub Security Advisory (GHSA-92jp-89mq-4374) Patch Commit VulnCheck Advisory: OpenClaw 2026.2.21 < 2026.4.10 - Authentication Bypass in Sandbox noVNC Helper Route |
| OpenClaw--OpenClaw | OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended. | 2026-05-06 | 9.1 | CVE-2026-43578 | GitHub Security Advisory (GHSA-g375-h3v6-4873) Patch Commit VulnCheck Advisory: OpenClaw 2026.3.31 < 2026.4.10 - Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools protocol outside intended local sandbox boundaries by exploiting the overly broad binding configuration. | 2026-05-06 | 9.6 | CVE-2026-43581 | GitHub Security Advisory (GHSA-525j-hqq2-66r4) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Chrome DevTools Protocol Exposure via Overly Broad CDP Relay Binding |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches. | 2026-05-08 | 9.6 | CVE-2026-43941 | https://github.com/electerm/electerm/security/advisories/GHSA-fwf6-j56g-m97c |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands. | 2026-05-06 | 9.8 | CVE-2026-44109 | GitHub Security Advisory (GHSA-xh72-v6v9-mwhc) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation |
| linkwarden--linkwarden | Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery (SSRF) vulnerability in the fetchTitleAndHeaders function allows authenticated users to make arbitrary HTTP requests to internal services due to insufficient URL validation that only checks for "http://" or "https://" prefixes. This issue has been patched in version 2.13.0. | 2026-05-08 | 9.1 | CVE-2026-44313 | https://github.com/linkwarden/linkwarden/security/advisories/GHSA-5qpc-x7rv-hvmp |
| ahmadgb--GeekyBot AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content | The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution. | 2026-05-05 | 9.8 | CVE-2026-5294 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a1817c58-e807-4ef2-a382-28ca2fd5239e?source=cve https://plugins.trac.wordpress.org/changeset/3497169/geeky-bot |
| MoreConvert--MoreConvert Pro | The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link. | 2026-05-05 | 9.8 | CVE-2026-5722 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fe887475-f7e8-4fda-a793-bc6f37b70f3e?source=cve https://wordpress.org/plugins/smart-wishlist-for-more-convert/ https://moreconvert.com/changelog/ |
| TUBITAK BILGEM Software Technologies Research Institute--Liderahenk | Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liderahenk: from 2.0.1 before 2.0.2. | 2026-05-07 | 9.8 | CVE-2026-6508 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0181 |
| DivvyDrive Information Technologies Inc.--DivvyDrive | URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 9.6 | CVE-2026-6795 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| GeoVision Inc.--GV-IP Device Utility | An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default. | 2026-05-04 | 9.3 | CVE-2026-7161 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| GeoVision Inc.--GV-VMS V20.0.2 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. #### Stack-overflow via unconstrained sscanf The call to `sscanf` at [1] to split the `Buffer` variable into the `username` and `password` variables doesn't limit the size of the extracted content to match the destination buffers' sizes. In this case, if either the username or password decoded from the authorization string exceeds `40` characters (the size the stack variables `username` and `password`) then a stack overflow will occur. The data is controlled by an attacker, but sronger constraints (e.g. no null bytes) may make exploitation harder. A successful attack could lead to full code execution as SYSTEM on the machine running the service. | 2026-05-04 | 9 | CVE-2026-7372 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| Yarbo--Firmware | Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them. | 2026-05-07 | 9.8 | CVE-2026-7414 | https://github.com/Bin4ry/yarbo-nat-in-my-back-yard https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000001111111111100011111111111000000000000000000000000000000000000000000000000000001000 |
| Yarbo--Firmware | The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind. | 2026-05-07 | 9.8 | CVE-2026-7415 | https://github.com/Bin4ry/yarbo-nat-in-my-back-yard https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000000111111111100111111111110000000000000000000000000000000000000000000000000000001001 |
| ollama--ollama | Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed). | 2026-05-04 | 9.1 | CVE-2026-7482 | ollama/ollama PR #14406 — ggml: ensure tensor size is valid (fix) Fix commit 88d57d0 ollama v0.17.1 release notes |
| Totolink--WA300 | A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227. The affected element is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument http_host results in buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-04 | 9.8 | CVE-2026-7719 | VDB-360895 | Totolink WA300 POST Request cstecgi.cgi loginauth buffer overflow VDB-360895 | CTI Indicators (IOB, IOC, IOA) Submit #807197 | Totolink WA300 WA300 V5.2cu.7112_B20190227 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-loginAuth-34553a41781f8050b8ffc9e90a103cd5 https://www.totolink.net/ |
| Totolink--N300RH | A security flaw has been discovered in Totolink N300RH 3.2.4-B20220812. Affected by this vulnerability is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument Password results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-04 | 9.8 | CVE-2026-7747 | VDB-360922 | Totolink N300RH Parameter cstecgi.cgi loginauth buffer overflow VDB-360922 | CTI Indicators (IOB, IOC, IOA) Submit #807201 | Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-loginauth_password-34553a41781f80c0ad36f4d95122fd40?pvs=73 https://www.totolink.net/ |
| Totolink--A8000RU | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setAppFilterCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-05 | 9.8 | CVE-2026-7823 | VDB-361075 | Totolink A8000RU cstecgi.cgi setAppFilterCfg os command injection VDB-361075 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807775 | Totolink A8000RU 7.1cu.643_b20200521 Command Injection https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_330/README.md https://www.totolink.net/ |
| EFM--ipTIME NAS1dual | A security vulnerability has been detected in EFM ipTIME NAS1dual 1.5.24. This issue affects the function get_csrf_whites of the file /cgi/advanced/misc_main.cgi. Such manipulation leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-05 | 9.8 | CVE-2026-7834 | VDB-361113 | EFM ipTIME NAS1dual misc_main.cgi get_csrf_whites stack-based overflow VDB-361113 | CTI Indicators (IOB, IOC, IOA) Submit #807787 | iptime nas1dual 1.5.24 Stack Overflow https://github.com/glkfc/IoT-Vulnerability/blob/main/iptime/nas1dual/iptime2_en.md |
| D-Link--DI-8100 | A weakness has been identified in D-Link DI-8100 16.07.26A1. Affected is the function sprintf of the file /auto_reboot.asp of the component HTTP Handler. This manipulation of the argument enable/time causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-05 | 9.8 | CVE-2026-7853 | VDB-361130 | D-Link DI-8100 HTTP auto_reboot.asp sprintf buffer overflow VDB-361130 | CTI Indicators (IOB, IOC, IOA) Submit #807837 | D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/auto_reboot_asp_overflow.md https://www.dlink.com/ |
| D-Link--DI-8100 | A security vulnerability has been detected in D-Link DI-8100 16.07.26A1. Affected by this vulnerability is the function url_rule_asp of the file /url_rule.asp of the component POST Parameter Handler. Such manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-05-05 | 9.8 | CVE-2026-7854 | VDB-361131 | D-Link DI-8100 POST Parameter url_rule.asp url_rule_asp buffer overflow VDB-361131 | CTI Indicators (IOB, IOC, IOA) Submit #807838 | D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/url_rule_asp_overflow.md https://www.dlink.com/ |
| Universal Robots--PolyScope 5 | OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS. | 2026-05-08 | 9.8 | CVE-2026-8153 | https://www.universal-robots.com/developer/communication-protocol/dashboard-server/ |
| opencartextensions--Extension TMD Vendor System | Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table. | 2026-05-10 | 8.2 | CVE-2021-47928 | ExploitDB-50493 Official Product Homepage Product Reference VulnCheck Advisory: Opencart TMD Vendor System 3.x Blind SQL Injection via product route |
| Balbooa--Balbooa Joomla Forms Builder | Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com_baforms component with malicious JSON payloads in the 'id' field parameter to extract sensitive database information. | 2026-05-10 | 8.2 | CVE-2021-47930 | ExploitDB-50447 Official Product Homepage VulnCheck Advisory: Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthenticated |
| Sentry--Sentry | Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint with base64-encoded compressed pickle payloads in the data field to achieve code execution with application privileges. | 2026-05-10 | 8.8 | CVE-2021-47935 | ExploitDB-50318 Product Reference VulnCheck Advisory: Sentry 8.2.0 Remote Code Execution via Pickle Deserialization |
| E107--e107 CMS | e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Attackers can upload a crafted theme package through the theme.php endpoint that deploys a web shell to the e107_themes directory, then execute system commands via the payload.php script. | 2026-05-10 | 8.8 | CVE-2021-47937 | ExploitDB-50315 Official Product Homepage Product Reference VulnCheck Advisory: e107 CMS 2.3.0 Authenticated Remote Code Execution via Theme Upload |
| Impresscms--ImpressCMS | ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the sat_code parameter. Attackers can authenticate, submit a POST request to /modules/system/admin.php?fct=autotasks&op=mod with crafted sat_code containing PHP commands, which creates an executable file that accepts arbitrary commands via GET parameters. | 2026-05-10 | 8.8 | CVE-2021-47938 | ExploitDB-50298 Official Product Homepage Product Reference VulnCheck Advisory: ImpressCMS 1.4.2 Remote Code Execution via Autotasks |
| Evo--Evolution CMS | Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in the 'post' parameter to create modules that execute arbitrary commands when invoked. | 2026-05-10 | 8.8 | CVE-2021-47939 | ExploitDB-50296 Official Product Homepage Product Reference VulnCheck Advisory: Evolution CMS 3.1.6 Authenticated Remote Code Execution via Module Creation |
| Modalsurvey--Survey & Poll | WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter. Attackers can craft SQL payloads in the cookie to extract sensitive database information including usernames, passwords, and other confidential data from the WordPress database. | 2026-05-10 | 8.2 | CVE-2021-47941 | ExploitDB-50269 Official Product Homepage VulnCheck Advisory: WordPress Plugin Survey & Poll 1.5.7.3 SQL Injection via sss_params |
| Textpattern--TextPattern CMS | TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content area and execute commands by accessing the uploaded file at /textpattern/files/ with GET parameters passed to the system function. | 2026-05-10 | 8.8 | CVE-2021-47943 | ExploitDB-49996 ExploitDB-50415 VulnCheck Advisory: TextPattern CMS 4.8.7 Remote Code Execution via File Upload |
| Cyberpanel--CyberPanel | CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint. | 2026-05-10 | 8.8 | CVE-2021-47949 | ExploitDB-50230 Official Product Homepage Product Reference VulnCheck Advisory: CyberPanel 2.1 Authenticated Remote Code Execution via Symlink Attack |
| MegaTKC--Aero CMS | Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server. | 2026-05-10 | 8.8 | CVE-2022-50944 | ExploitDB-51085 Official Product Homepage VulnCheck Advisory: Aero CMS 0.0.1 PHP Code Injection via posts.php |
| DrayTek--Vigor 2960 | DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized input passed to the otp_check.sh script to achieve remote code execution with web server privileges. Exploitation requires knowledge of a valid username and that the target account has MOTP authentication enabled. | 2026-05-08 | 8.1 | CVE-2022-50994 | https://www.draytek.co.uk/support/downloads/vigor-2960/older-firmware/firmware-1514?task=download.send&id=2597:readme-v2960-1514&catid=1251 https://www.draytek.com/about/newsroom/2021/2021/end-of-life-notification-vigor2960 https://www.vulncheck.com/advisories/draytek-vigor-2960-os-command-injection-via-mainfunction-cgi |
| Erpnext--Frappe Framework (ERPNext) | Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands. | 2026-05-05 | 8.8 | CVE-2023-54345 | ExploitDB-51580 Official Product Homepage Product Reference Reference Source Code Repository Reference Source Code Repository VulnCheck Advisory: Frappe Framework ERPNext 13.4.0 Remote Code Execution |
| Rajodiya--ERPGo SaaS | ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications. | 2026-05-05 | 8.8 | CVE-2023-54348 | ExploitDB-51220 Official Product Homepage Product Reference VulnCheck Advisory: ERPGo SaaS 3.9 CSV Injection via Vendor Creation |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions. This may result in exposure of sensitive data or unauthorized system modifications | 2026-05-06 | 8.3 | CVE-2024-30151 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127782 |
| PHOENIX CONTACT--FL MGUARD 2102 | A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer. | 2026-05-07 | 8 | CVE-2024-43384 | https://certvde.com/en/advisories/VDE-2024-039 |
| DivvyDrive Information Technologies Inc.--DivvyDrive | Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding. This issue affects DivvyDrive: from 4.8.2.19 before 4.8.3.2. | 2026-05-07 | 8.3 | CVE-2025-14341 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| Hitachi--Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900 | Remote Code Execution Vulnerability in Hitachi Storage Navigator and the maintenance console in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28. This issue affects Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28 : before DKCMAIN Ver. 88-08-16-xx/00, SVP Ver. 88-08-18-xx/00, before DKCMAIN Ver. 93-07-26-xx/00, SVP Ver. 93-07-26-xx/00, before DKCMAIN Ver. A3-04-02-xx/00, MPC Ver. A3-04-02-xx/00, before DKCMAIN Ver. A3-03-41-xx/00, MPC Ver. A3-03-41-xx/00, before DKCMAIN Ver. A3-03-03-xx/00, MPC Ver. A3-03-03-xx/00. | 2026-05-07 | 8.3 | CVE-2025-1978 | https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_307.html |
| HCL--BigFix RunBookAI | HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution. | 2026-05-06 | 8.8 | CVE-2025-31951 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130444 |
| Gen Digital--Norton Secure VPN | A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files that can lead to elevation of privileges. | 2026-05-04 | 8.8 | CVE-2025-58074 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2276 |
| Apache Software Foundation--Apache CloudStack | Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue. | 2026-05-08 | 8 | CVE-2025-66467 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Hitachi--Hitachi Virtual Storage Platform One Block 23 | OS command injection vulneravility in the management gui (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28. This issue affects Hitachi Virtual Storage Platform One Block 23/24/26/28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00. | 2026-05-07 | 8.1 | CVE-2025-9661 | https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_309.html |
| Cisco--Cisco Unity Connection | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. | 2026-05-06 | 8.8 | CVE-2026-20034 | cisco-sa-unity-rce-ssrf-hENhuASy |
| vda-linux--busybox_mirror | BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening. | 2026-05-04 | 8.1 | CVE-2026-29004 | https://y637f9qq2x.com/posts/busybox-dhcpv6-heap-overflow/ https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409 https://busybox.net/ https://www.vulncheck.com/advisories/busybox-dhcpv6-client-heap-buffer-overflow-via-dns-servers |
| netbox-community--netbox | NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user. | 2026-05-04 | 8.8 | CVE-2026-29514 | https://chocapikk.com/posts/2026/netbox-export-template-rce/ https://github.com/netbox-community/netbox/issues/22079 https://github.com/netbox-community/netbox/pull/22078 https://www.vulncheck.com/advisories/netbox-rce-via-rendertemplatemixin |
| Microsoft--Azure Machine Learning | Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network. | 2026-05-07 | 8.8 | CVE-2026-32207 | Azure Machine Learning Notebook Spoofing Vulnerability |
| Microsoft--Microsoft Partner Center | Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network. | 2026-05-07 | 8.2 | CVE-2026-34327 | Microsoft Partner Center Spoofing Vulnerability |
| Oracle Corporation--Oracle MCP Server Helper Tool product of Oracle Open Source Projects | Vulnerability in the Oracle MCP Server Helper Tool product of Oracle Open Source Projects (component: helper tool). The supported versions that is affected is 1.0.1-1.0.156. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle MCP Server Helper Tool. Successful attacks of this vulnerability can result in Oracle MCP Server Helper Tool executing malicious SQL. | 2026-05-05 | 8.7 | CVE-2026-35228 | Oracle Advisory |
| Microsoft--Azure AI Foundry | Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network. | 2026-05-07 | 8.6 | CVE-2026-35435 | Azure AI Foundry Elevation of Privilege Vulnerability |
| Gosoft Software Industry and Trade Ltd. Co.--Proticaret E-Commerce | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Gosoft Software Industry and Trade Ltd. Co. Proticaret E-Commerce allows Cross-Site Scripting (XSS), Reflected XSS. This issue affects Proticaret E-Commerce: from v5.0.0 before V 6.0.1767.1383. | 2026-05-07 | 8.8 | CVE-2026-3953 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0180 |
| Microsoft--Azure Monitor Action Group notification system | Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network. | 2026-05-07 | 8.1 | CVE-2026-41105 | Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to heap OOB write via OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11. | 2026-05-07 | 8.8 | CVE-2026-41142 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m25w-72cj-q6mg https://github.com/AcademySoftwareFoundation/openexr/pull/2367 https://github.com/AcademySoftwareFoundation/openexr/commit/0592ee539f33c122c90f09238579b902d838afb4 |
| YesWiki--yeswiki | YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] value (sourced from $_POST['id_fiche']) is concatenated directly into a raw SQL query without any sanitization or parameterization. This issue has been patched in version 4.6.1. | 2026-05-07 | 8.8 | CVE-2026-41143 | https://github.com/YesWiki/yeswiki/security/advisories/GHSA-f58v-p6j9-24c2 https://github.com/YesWiki/yeswiki/releases/tag/v4.6.1 |
| daptin--daptin | Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() - a raw SQL literal expression builder - without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4. | 2026-05-07 | 8.3 | CVE-2026-41422 | https://github.com/daptin/daptin/security/advisories/GHSA-rw2c-8rfq-gwfv https://github.com/daptin/daptin/releases/tag/v0.11.4 |
| dagster-io--dagster | Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would execute against the target database backend under the I/O manager's credentials. Only deployments that use dynamic partitions are affected. Pipelines using static or time-window partitions are not impacted. This issue has been patched in Dagster Core version 1.13.1 and Dagster libraries version 0.29.1. | 2026-05-07 | 8.3 | CVE-2026-41490 | https://github.com/dagster-io/dagster/security/advisories/GHSA-mjw2-v2hm-wj34 https://github.com/dagster-io/dagster/releases/tag/1.13.1 |
| dapr--dapr | Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5. | 2026-05-08 | 8.1 | CVE-2026-41491 | https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463 https://github.com/dapr/dapr/pull/9589 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends - MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB - pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9. | 2026-05-08 | 8.1 | CVE-2026-41496 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5 |
| inducer--relate | RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. This issue has been patched via commit 2f68e16. | 2026-05-07 | 8.7 | CVE-2026-41505 | https://github.com/inducer/relate/security/advisories/GHSA-rvx5-95mm-p77v https://github.com/inducer/relate/commit/2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb |
| Ajax30--BraveCMS-2.0 | Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603. | 2026-05-08 | 8.7 | CVE-2026-41524 | https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-xj46-722x-6433 https://github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11ea |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective - unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9. | 2026-05-07 | 8.2 | CVE-2026-41669 | https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response, without validating it against the registered ACS URL (smc_acs_url) stored in the database for the corresponding service provider client. An attacker who knows the Entity ID of a registered SP client can craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response -- containing user identity attributes (login name, email, roles, profile fields) -- to an attacker-controlled URL. This issue has been patched in version 5.0.9. | 2026-05-07 | 8.2 | CVE-2026-41670 | https://github.com/Admidio/admidio/security/advisories/GHSA-p9w9-87c8-m235 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| i18next--i18next-http-middleware | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim. This issue has been patched in version 3.9.3. | 2026-05-08 | 8.6 | CVE-2026-41683 | https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg |
| i18next--i18next-http-middleware | 18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE. | 2026-05-08 | 8.6 | CVE-2026-41690 | https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw |
| i18next--i18next-fs-backend | i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value - containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string - allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4. | 2026-05-08 | 8.2 | CVE-2026-41693 | https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj |
| Spring--Spring AI | Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater. | 2026-05-09 | 8.6 | CVE-2026-41705 | https://spring.io/security/cve-2026-41705 |
| omnifaces--omnifaces | OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3. | 2026-05-08 | 8.1 | CVE-2026-41883 | https://github.com/omnifaces/omnifaces/security/advisories/GHSA-vp6r-9m58-5xv8 |
| th30d4y--OpenLearnX | OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. This issue has been patched in version 2.0.3. | 2026-05-08 | 8.8 | CVE-2026-41900 | https://github.com/th30d4y/OpenLearnX/security/advisories/GHSA-8h25-q488-4hxw https://github.com/th30d4y/OpenLearnX/commit/14765d7d1856d564747c55c5412e2f38feab079e https://github.com/th30d4y/OpenLearnX/releases/tag/v2.0.3-security-fix |
| givanz--Vvveb | Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code by exploiting insufficient file extension restrictions. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP. | 2026-05-06 | 8.8 | CVE-2026-41934 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-vfjj-gcvv-w248 https://github.com/givanz/Vvveb/commit/1196561276a3f49da5a714fef89ac9a6c6f9e33b https://www.vulncheck.com/advisories/vvveb-authenticated-rce-via-code-editor |
| givanz--Vvveb | Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation. | 2026-05-06 | 8.1 | CVE-2026-41936 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7 https://github.com/givanz/Vvveb/commit/86f7128a18edebe0ff47e3855558467eb0ef9106 https://www.vulncheck.com/advisories/vvveb-xml-external-entity-injection-via-import |
| givanz--Vvveb | Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges. | 2026-05-06 | 8.8 | CVE-2026-41938 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a https://www.vulncheck.com/advisories/vvveb-rce-via-media-upload-handler |
| inngest--inngest-js | Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler. The serve() handler implements GET, POST, and PUT methods. Requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information. A change introduced in v3.22.0 caused this diagnostic response to include the contents of process.env, exposing any secrets, API keys, or credentials present in the environment. An application is vulnerable if its serve() endpoint is reachable via PATCH, OPTIONS, or DELETE requests, which is common in setups like Next.js Pages Router or Express's app.use(...). Not affected are Next.js App Router handlers that export only GET, POST, and PUT, and applications using the connect worker method. This issue has been fixed in version 3.54.0. To work around this issue if upgrading is not immediately possible, restrict the serve() endpoint at the framework or reverse-proxy layer to accept only GET, POST, and PUT. The Inngest serve() endpoint does not require any other HTTP methods. | 2026-05-07 | 8.6 | CVE-2026-42047 | https://github.com/inngest/inngest-js/security/advisories/GHSA-2jf5-6wwv-vhxx https://github.com/inngest/inngest-js/releases/tag/inngest%403.54.1 |
| EvoMap--evolver | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive location. This issue has been patched in version 1.69.3. | 2026-05-04 | 8.1 | CVE-2026-42075 | https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j https://github.com/EvoMap/evolver/releases/tag/v1.69.3 |
| icip-cas--PPTAgent | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary code execution via Python eval() of LLM-generated code with builtins in scope. This issue has been patched via commit 418491a. | 2026-05-04 | 8.6 | CVE-2026-42079 | https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-89g2-xw5c-v95p https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3. | 2026-05-04 | 8.1 | CVE-2026-42084 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7 https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776 https://github.com/OpenC3/cosmos/releases/tag/v6.10.5 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| avo-hq--avo | Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2. | 2026-05-08 | 8.8 | CVE-2026-42205 | https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8 https://github.com/avo-hq/avo/releases/tag/v3.31.2 |
| gitpython-developers--GitPython | GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47. | 2026-05-07 | 8.8 | CVE-2026-42215 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-rpm5-65cw-6hj4 https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47 |
| 0xJacky--nginx-ui | Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. A remote attacker who reaches the service before the legitimate operator can set the admin email, username, and password, causing permanent initial-instance takeover. This issue has been patched in version 2.3.8. | 2026-05-04 | 8.1 | CVE-2026-42221 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h27v-ph7w-m9fp https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 |
| 0xJacky--nginx-ui | Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available. | 2026-05-04 | 8.1 | CVE-2026-42222 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-mxqh-q9h6-v8pq |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover - the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10. | 2026-05-07 | 8.1 | CVE-2026-42239 | https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r https://github.com/Budibase/budibase/releases/tag/3.35.10 |
| openziti--zrok | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and-on shares without OS-level permission restrictions-write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2. | 2026-05-08 | 8.7 | CVE-2026-42275 | https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h https://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e https://github.com/openziti/zrok/releases/tag/v2.0.2 |
| gitpython-developers--GitPython | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47. | 2026-05-07 | 8.1 | CVE-2026-42284 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-x2qx-6953-8485 https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47 |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod security context, add tolerations to schedule on control-plane nodes, or enable SA token mounting. This defeats the stated purpose of the feature. The practical impact depends on what Kubernetes-level controls are in place. Clusters with PodSecurity admission or OPA/Gatekeeper would independently block some of these (like hostNetwork). Clusters that rely on Argo's Strict mode as the primary enforcement layer are fully exposed. This issue has been patched in versions 3.7.14 and 4.0.5. | 2026-05-09 | 8.1 | CVE-2026-42296 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-3775-99mw-8rp4 https://github.com/argoproj/argo-workflows/commit/534f4ff1cbd86908e8ff76d97d553ad5a49a950d https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14 https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 |
| geopython--pygeoapi | pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to requests to internal HTTP services. This issue has been patched in version 0.23.3. | 2026-05-08 | 8.6 | CVE-2026-42352 | https://github.com/geopython/pygeoapi/security/advisories/GHSA-jgvc-94c8-3chc https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef https://github.com/geopython/pygeoapi/releases/tag/0.23.3 |
| i18next--i18next-http-middleware | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3. | 2026-05-08 | 8.2 | CVE-2026-42353 | https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m |
| GeoVision Inc.--GV-LPC2011/LPC2211 | A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypas. An attacker can bruteforce session cookies to trigger this vulnerability. | 2026-05-04 | 8.6 | CVE-2026-42365 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| D-Link--DIR-605L Firmware | D-Link DIR-605L Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir605l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 8.8 | CVE-2026-42372 | D-Link DIR-605L Support Page |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. Attackers can bypass sandbox boundaries and route execution to remote nodes instead of intended sandbox paths. | 2026-05-05 | 8.8 | CVE-2026-42434 | GitHub Security Advisory (GHSA-736r-jwj6-4w23) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.5 < 2026.4.10 - Sandbox Escape via host Parameter Override in Exec Routing |
| OpenClaw--OpenClaw | OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and PS4, affecting execution semantics and security controls. | 2026-05-05 | 8.8 | CVE-2026-42435 | GitHub Security Advisory (GHSA-j6c7-3h5x-99g9) Patch Commit VulnCheck Advisory: OpenClaw 2026.2.22 < 2026.4.12 - Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations. | 2026-05-05 | 8.5 | CVE-2026-42439 | GitHub Security Advisory (GHSA-rj2p-j66c-mgqh) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - SSRF Policy Bypass in Browser Tabs Action Routes |
| czlonkowski--n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder path (N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext()), the synchronous URL validator in SSRFProtection.validateUrlSync() had no IPv6 checks. IPv4-mapped IPv6 addresses such as http://[::ffff:169.254.169.254] bypassed the cloud-metadata, localhost, and private-IP range checks. An attacker able to supply an n8nApiUrl value could cause the server to issue HTTP requests to cloud metadata endpoints, RFC1918 private networks, or localhost services. Response bodies are returned to the caller (non-blind SSRF), and the n8nApiKey is forwarded in the x-n8n-api-key header to the attacker-controlled target. Projects with deployments embedding n8n-mcp as an SDK using N8NDocumentationMCPServer or N8NMCPEngine with user-supplied InstanceContext are affected. The first-party HTTP server deployment was not primarily affected - it has a second async validator (validateWebhookUrl) that catches IPv6 addresses. This issue has been fixed in version 2.47.14. If users are unable to upgrade immediately as a workaround they can validate URLs before passing to the SDK, restrict egress at the network layer, and reject user-controlled n8nApiUrl values. | 2026-05-07 | 8.5 | CVE-2026-42449 | https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-56c3-vfp2-5qqj https://github.com/czlonkowski/n8n-mcp/commit/9639f757853149f0cb16663cc8b6b6468f27a25f |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT (temp_token) for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow. However, the auth middleware accepts this token on regular authenticated endpoints. This effectively turns 2FA into single-factor (password) for impacted accounts. This issue has been patched in version 2.1.0. | 2026-05-08 | 8.1 | CVE-2026-42452 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-vx59-rf9w-9jv8 https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag |
| gitroomhq--postiz-app | Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7. | 2026-05-08 | 8.9 | CVE-2026-42556 | https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-hhxq-3wg7-4rj8 https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7 |
| alextselegidis--plainpad | Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1. | 2026-05-09 | 8.3 | CVE-2026-42562 | https://github.com/alextselegidis/plainpad/security/advisories/GHSA-pvfv-wvpm-q6f6 https://github.com/alextselegidis/plainpad/issues/138 https://github.com/alextselegidis/plainpad/commit/9216a876d27b22c3d9259551636d803f7cb075fc https://github.com/alextselegidis/plainpad/releases/tag/1.1.1 |
| AzuraCast--AzuraCast | AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6. | 2026-05-09 | 8.8 | CVE-2026-42605 | https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6 |
| AzuraCast--AzuraCast | AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6. | 2026-05-09 | 8.1 | CVE-2026-42606 | https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8 https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85 https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check. Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array. [add missing wifi prefix] | 2026-05-06 | 8.8 | CVE-2026-43110 | https://git.kernel.org/stable/c/3ec7437e9d11374105c2c4e47ae671537729d7e6 https://git.kernel.org/stable/c/9fca68c2512a362cad258e4df12a307bb2ee4b8e https://git.kernel.org/stable/c/1ae1e1caa428844e481231f6dbe9b4f475f1d52d https://git.kernel.org/stable/c/b427c2b05222db36d32ee141609de6128e9091bb https://git.kernel.org/stable/c/304950a467d83678bd0b0f46331882e2ac23b12d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read. This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL. The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs. | 2026-05-06 | 8.8 | CVE-2026-43112 | https://git.kernel.org/stable/c/5d4fe469fe7dbff7d874c196bb680a82f2625d95 https://git.kernel.org/stable/c/2d29214448ec0f4e7e18bb1c14dd4a6c07f1c439 https://git.kernel.org/stable/c/86f9c23e0814cfdffda9eedf0c591c51ba209010 https://git.kernel.org/stable/c/49b1ce6d7cfb6c5a49f68bf5ccfcfb6ba14e63c3 https://git.kernel.org/stable/c/78ec5bf2f589ec7fd8f169394bfeca541b077317 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing tx_frames wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it. Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local to the trust boundary and avoids touching the rest of the completion flow. | 2026-05-06 | 8.8 | CVE-2026-43113 | https://git.kernel.org/stable/c/b6ba1eacf276063ebeefbbae8056043c24f2efaf https://git.kernel.org/stable/c/df15adc692a802636dd3f258fc7cca8bf7a0ed9a https://git.kernel.org/stable/c/8d7465be5163a923ee5d7459719ef5a021c1584a https://git.kernel.org/stable/c/26ee518695c484f75e3606d631278e84bd24ae02 https://git.kernel.org/stable/c/0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ This adds a check for encryption key size upon receiving L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which expects L2CAP_CR_LE_BAD_KEY_SIZE. | 2026-05-06 | 8.1 | CVE-2026-43134 | https://git.kernel.org/stable/c/335071c0c3637064ec250481f589075db44fe4e6 https://git.kernel.org/stable/c/fa6ad76fa8623c0a50d529cd5726fa5d819a3be4 https://git.kernel.org/stable/c/9118601ff90b79e8df3c0c98f48ae00c1b02ecef https://git.kernel.org/stable/c/481ea39b342c347b6ac029f3d418486280be4e45 https://git.kernel.org/stable/c/ec91078e132179b04e0c3906b599816c056ceaad https://git.kernel.org/stable/c/96581749c7c14fbec32c35728520867929600041 https://git.kernel.org/stable/c/8dd43f9a9323f9c01bc8246da8d81a4c783c9e97 https://git.kernel.org/stable/c/138d7eca445ef37a0333425d269ee59900ca1104 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm6: fix uninitialized saddr in xfrm6_get_saddr() xfrm6_get_saddr() does not check the return value of ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable source address (returns -EADDRNOTAVAIL), saddr->in6 is left uninitialized, but xfrm6_get_saddr() still returns 0 (success). This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized address in xfrm_state_find(), triggering KMSAN warning: ===================================================== BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940 xfrm_state_find+0x2424/0xa940 xfrm_resolve_and_create_bundle+0x906/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 xfrm_lookup_route+0x63/0x2b0 ip_route_output_flow+0x1ce/0x270 udp_sendmsg+0x2ce1/0x3400 inet_sendmsg+0x1ef/0x2a0 __sock_sendmsg+0x278/0x3d0 __sys_sendto+0x593/0x720 __x64_sys_sendto+0x130/0x200 x64_sys_call+0x332b/0x3e70 do_syscall_64+0xd3/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable tmp.i.i created at: xfrm_resolve_and_create_bundle+0x3e3/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 ===================================================== Fix by checking the return value of ipv6_dev_get_saddr() and propagating the error. | 2026-05-06 | 8.6 | CVE-2026-43139 | https://git.kernel.org/stable/c/4f28141786e1fe884ce42a5197ba9beed540f0ea https://git.kernel.org/stable/c/6535867673bf301d52aa00593a4d1d18cc3922fa https://git.kernel.org/stable/c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b https://git.kernel.org/stable/c/719918fc88df6da023dfff370cd965151a5afd7f https://git.kernel.org/stable/c/dc0abce055134cb83b0d981d31ceb20dda419787 https://git.kernel.org/stable/c/c7221e7bd8fc2ef38a0b27be580d9d202281306b https://git.kernel.org/stable/c/3dcd1664ac15eee6a690daec7c4ffc59190406f7 https://git.kernel.org/stable/c/1799d8abeabc68ec05679292aaf6cba93b343c05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t) + xfs_attr3_leaf_hdr_size(leaf)); Upon enabling quite a lot more debugging code, I narrowed this down to fsstress trying to set a local extended attribute with namelen=3 and valuelen=71. This results in an entry size of 80 bytes. At the start of xfs_attr3_leaf_add_work, the freemap looks like this: i 0 base 448 size 0 rhs 448 count 46 i 1 base 388 size 132 rhs 448 count 46 i 2 base 2120 size 4 rhs 448 count 46 firstused = 520 where "rhs" is the first byte past the end of the leaf entry array. This is inconsistent -- the entries array ends at byte 448, but freemap[1] says there's free space starting at byte 388! By the end of the function, the freemap is in worse shape: i 0 base 456 size 0 rhs 456 count 47 i 1 base 388 size 52 rhs 456 count 47 i 2 base 2120 size 4 rhs 456 count 47 firstused = 440 Important note: 388 is not aligned with the entries array element size of 8 bytes. Based on the incorrect freemap, the name area starts at byte 440, which is below the end of the entries array! That's why the assertion triggers and the filesystem shuts down. How did we end up here? First, recall from the previous patch that the freemap array in an xattr leaf block is not intended to be a comprehensive map of all free space in the leaf block. In other words, it's perfectly legal to have a leaf block with: * 376 bytes in use by the entries array * freemap[0] has [base = 376, size = 8] * freemap[1] has [base = 388, size = 1500] * the space between 376 and 388 is free, but the freemap stopped tracking that some time ago If we add one xattr, the entries array grows to 384 bytes, and freemap[0] becomes [base = 384, size = 0]. So far, so good. But if we add a second xattr, the entries array grows to 392 bytes, and freemap[0] gets pushed up to [base = 392, size = 0]. This is bad, because freemap[1] hasn't been updated, and now the entries array and the free space claim the same space. The fix here is to adjust all freemap entries so that none of them collide with the entries array. Note that this fix relies on commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and the previous patch that resets zero length freemap entries to have base = 0. | 2026-05-06 | 8.8 | CVE-2026-43158 | https://git.kernel.org/stable/c/d08976725355b9d54d8332fce223fa281cc304a5 https://git.kernel.org/stable/c/6a8737afbccc340e718e0b22577312826390be8b https://git.kernel.org/stable/c/a396b3d73d51355e50acdb403ba9c4cae4c1174e https://git.kernel.org/stable/c/38613c01f69e1e77e6b8acab1e8ac665d01c2f15 https://git.kernel.org/stable/c/ef42a8766ff3fdf51cf72fb36d0859c09d134478 https://git.kernel.org/stable/c/43f3b18679615a93bd848afde3602ba160637a46 https://git.kernel.org/stable/c/24ce71852f2cee6581e2cbebc15489ed52bf63b7 https://git.kernel.org/stable/c/3eefc0c2b78444b64feeb3783c017d6adc3cd3ce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix 22000 series SMEM parsing If the firmware were to report three LMACs (which doesn't exist in hardware) then using "fwrt->smem_cfg.lmac[2]" is an overrun of the array. Reject such and use IWL_FW_CHECK instead of WARN_ON in this function. | 2026-05-06 | 8.8 | CVE-2026-43172 | https://git.kernel.org/stable/c/1d49a42717bdc8de77eabeb5b7d3e88d141ffea9 https://git.kernel.org/stable/c/2b4b1510aaaf5b9fb57327ecffc20c055f61f205 https://git.kernel.org/stable/c/58192b9ce09b0f0f86e2036683bd542130b91a98 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate release report content before using for RTL8922DE The commit 957eda596c76 ("wifi: rtw89: pci: validate sequence number of TX release report") does validation on existing chips, which somehow a release report of SKB becomes malformed. As no clear cause found, add rules ahead for RTL8922DE to avoid crash if it happens. | 2026-05-06 | 8.8 | CVE-2026-43176 | https://git.kernel.org/stable/c/ebeaa3b24ba568ff8505165f954dba15cc53e4b3 https://git.kernel.org/stable/c/3e8a88b5e8b3506d9c5e031a65ba65ce9a0683a3 https://git.kernel.org/stable/c/5f93d611b33a05bd03d6843c8efe8cb6a1992620 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: delete attr leaf freemap entries when empty Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow"), Brian Foster observed that it's possible for a small freemap at the end of the end of the xattr entries array to experience a size underflow when subtracting the space consumed by an expansion of the entries array. There are only three freemap entries, which means that it is not a complete index of all free space in the leaf block. This code can leave behind a zero-length freemap entry with a nonzero base. Subsequent setxattr operations can increase the base up to the point that it overlaps with another freemap entry. This isn't in and of itself a problem because the code in _leaf_add that finds free space ignores any freemap entry with zero size. However, there's another bug in the freemap update code in _leaf_add, which is that it fails to update a freemap entry that begins midway through the xattr entry that was just appended to the array. That can result in the freemap containing two entries with the same base but different sizes (0 for the "pushed-up" entry, nonzero for the entry that's actually tracking free space). A subsequent _leaf_add can then allocate xattr namevalue entries on top of the entries array, leading to data loss. But fixing that is for later. For now, eliminate the possibility of confusion by zeroing out the base of any freemap entry that has zero size. Because the freemap is not intended to be a complete index of free space, a subsequent failure to find any free space for a new xattr will trigger block compaction, which regenerates the freemap. It looks like this bug has been in the codebase for quite a long time. | 2026-05-06 | 8.8 | CVE-2026-43187 | https://git.kernel.org/stable/c/f3c0d1fc1eadbb4adbee5ab7757d41d35f48325b https://git.kernel.org/stable/c/aa9083d97e2157da3c6fb45ddb1a97af7f188f7f https://git.kernel.org/stable/c/a631899025d47ea1aa6464d76db5b4d3b6d196fd https://git.kernel.org/stable/c/ffaf5c99d0f862db021fb1af8b813c1416b1beb2 https://git.kernel.org/stable/c/e1b8c6452ee99a30e188a88f3f3f804fb1c6004a https://git.kernel.org/stable/c/f31a8334e1c54b126fcecf98645a49b6bc5ad399 https://git.kernel.org/stable/c/479b05fc3ee272090f671b06a41f3da8aa78eece https://git.kernel.org/stable/c/6f13c1d2a6271c2e73226864a0e83de2770b6f34 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload). | 2026-05-06 | 8.2 | CVE-2026-43190 | https://git.kernel.org/stable/c/f895191dc32c53eaf443b6443fe40945b2f92287 https://git.kernel.org/stable/c/cd5beda7e0e32865e214f28034bb92c1cecff885 https://git.kernel.org/stable/c/eaedc0bc18be46fe7f58170e967959a932c4f824 https://git.kernel.org/stable/c/07a9b32eaae792ff7d0fcac14d8920c937c0a9c3 https://git.kernel.org/stable/c/8b300f726640c48c3edfe9c453334dd801f4b74e https://git.kernel.org/stable/c/5e13d0a37666955b6cfddc0f73cb40ed645b8a05 https://git.kernel.org/stable/c/f6c412dcfd76b0516d51aa847d8f4c7b70381b09 https://git.kernel.org/stable/c/735ee8582da3d239eb0c7a53adca61b79fb228b3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix locking usage for tcon fields We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to protect fields within the corresponding structs. This was done to provide a more granular protection and avoid unnecessary serialization. There were still a couple of uses of cifs_tcp_ses_lock to provide tcon fields. In this patch, I've replaced them with tc_lock. | 2026-05-06 | 8.8 | CVE-2026-43215 | https://git.kernel.org/stable/c/953953abb66e52c224057ab91e404284fefeab62 https://git.kernel.org/stable/c/601dd3b79769b38d30b693c40afdb2a4b7edf9d0 https://git.kernel.org/stable/c/3969db6b22e3d90d8c5f22ac1a7fe0350a94c136 https://git.kernel.org/stable/c/8c59eeeeffa1524ef57e173a89a1a3ff539888d5 https://git.kernel.org/stable/c/96c4af418586ee9a6aab61738644366426e05316 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets When the FarSync T-series card is being detached, the fst_card_info is deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task may still be running or pending, leading to use-after-free bugs when the already freed fst_card_info is accessed in fst_process_tx_work_q() or fst_process_int_work_q(). A typical race condition is depicted below: CPU 0 (cleanup) | CPU 1 (tasklet) | fst_start_xmit() fst_remove_one() | tasklet_schedule() unregister_hdlc_device()| | fst_process_tx_work_q() //handler kfree(card) //free | do_bottom_half_tx() | card-> //use The following KASAN trace was captured: ================================================================== BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00 Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32 ... Call Trace: <IRQ> dump_stack_lvl+0x55/0x70 print_report+0xcb/0x5d0 ? do_bottom_half_tx+0xb88/0xd00 kasan_report+0xb8/0xf0 ? do_bottom_half_tx+0xb88/0xd00 do_bottom_half_tx+0xb88/0xd00 ? _raw_spin_lock_irqsave+0x85/0xe0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? __pfx___hrtimer_run_queues+0x10/0x10 fst_process_tx_work_q+0x67/0x90 tasklet_action_common+0x1fa/0x720 ? hrtimer_interrupt+0x31f/0x780 handle_softirqs+0x176/0x530 __irq_exit_rcu+0xab/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ... Allocated by task 41 on cpu 3 at 72.330843s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x7f/0x90 fst_add_one+0x1a5/0x1cd0 local_pci_probe+0xdd/0x190 pci_device_probe+0x341/0x480 really_probe+0x1c6/0x6a0 __driver_probe_device+0x248/0x310 driver_probe_device+0x48/0x210 __device_attach_driver+0x160/0x320 bus_for_each_drv+0x101/0x190 __device_attach+0x198/0x3a0 device_initial_probe+0x78/0xa0 pci_bus_add_device+0x81/0xc0 pci_bus_add_devices+0x7e/0x190 enable_slot+0x9b9/0x1130 acpiphp_check_bridge.part.0+0x2e1/0x460 acpiphp_hotplug_notify+0x36c/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ... Freed by task 41 on cpu 1 at 75.138639s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x135/0x410 fst_remove_one+0x2ca/0x540 pci_device_remove+0xa6/0x1d0 device_release_driver_internal+0x364/0x530 pci_stop_bus_device+0x105/0x150 pci_stop_and_remove_bus_device+0xd/0x20 disable_slot+0x116/0x260 acpiphp_disable_and_eject_slot+0x4b/0x190 acpiphp_hotplug_notify+0x230/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ... The buggy address belongs to the object at ffff88800aad1000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 28 bytes inside of freed 1024-byte region The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x100000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88800aad1000: fa fb ---truncated--- | 2026-05-06 | 8.8 | CVE-2026-43232 | https://git.kernel.org/stable/c/cac048ebfbb92d91d719f74b59177cb70a7633b8 https://git.kernel.org/stable/c/086131807d119238cd464e5b0845e48d938dfd79 https://git.kernel.org/stable/c/ae894e47e1cd5a6bf8a0423d888c45df8b2b02dc https://git.kernel.org/stable/c/337d7b4112a47984ee319171b75b73bab47e7924 https://git.kernel.org/stable/c/200bdb8d367ca9b478f9c56ebe56411604d55c81 https://git.kernel.org/stable/c/21d341fe514fd07e345ed264c9eee21cb2061ca2 https://git.kernel.org/stable/c/04edfdfdfcdefc02408ab670607261b0a0a9a02e https://git.kernel.org/stable/c/bae8a5d2e759da2e0cba33ab2080deee96a09373 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_choice() In decode_choice(), the boundary check before get_len() uses the variable `len`, which is still 0 from its initialization at the top of the function: unsigned int type, ext, len = 0; ... if (ext || (son->attr & OPEN)) { BYTE_ALIGN(bs); if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */ return H323_ERROR_BOUND; len = get_len(bs); /* OOB read */ When the bitstream is exactly consumed (bs->cur == bs->end), the check nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end), which is false. The subsequent get_len() call then dereferences *bs->cur++, reading 1 byte past the end of the buffer. If that byte has bit 7 set, get_len() reads a second byte as well. This can be triggered remotely by sending a crafted Q.931 SETUP message with a User-User Information Element containing exactly 2 bytes of PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with the nf_conntrack_h323 helper active. The decoder fully consumes the PER buffer before reaching this code path, resulting in a 1-2 byte heap-buffer-overflow read confirmed by AddressSanitizer. Fix this by checking for 2 bytes (the maximum that get_len() may read) instead of the uninitialized `len`. This matches the pattern used at every other get_len() call site in the same file, where the caller checks for 2 bytes of available data before calling get_len(). | 2026-05-06 | 8.2 | CVE-2026-43233 | https://git.kernel.org/stable/c/bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041 https://git.kernel.org/stable/c/2a3aac4205e7d2f1aca2e3827de8cdd517d36c4a https://git.kernel.org/stable/c/81f2fc5b0d0cf4696146f00f837596d10b92dead https://git.kernel.org/stable/c/7ef82863d42261817a6394c6c881bd6757a70f16 https://git.kernel.org/stable/c/53d32735d77ab56cc3fc7bd53a7d099418f19be1 https://git.kernel.org/stable/c/f0a83d0a4b7c127d32ac06d607a9214937716129 https://git.kernel.org/stable/c/35f1943d242e1b9f0b6e91c0c93bfb293a9f8224 https://git.kernel.org/stable/c/baed0d9ba91d4f390da12d5039128ee897253d60 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: prevent races in ->query_interfaces() It was possible for two query interface works to be concurrently trying to update the interfaces. Prevent this by checking and updating iface_last_update under iface_lock. | 2026-05-06 | 8.8 | CVE-2026-43239 | https://git.kernel.org/stable/c/93e8e3ee165ae4609a1222b516b573837103d2c3 https://git.kernel.org/stable/c/ab6564f416a6eaf1199200b6100952407b438f7d https://git.kernel.org/stable/c/6287eefaf21ec805d42f941bd368018cf397a7f5 https://git.kernel.org/stable/c/76cc4faba0343c6db945b8dc75425b33d633e1b8 https://git.kernel.org/stable/c/c3c06e42e1527716c54f3ad2ced6a034b5f3a489 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: 9p/xen: protect xen_9pfs_front_free against concurrent calls The xenwatch thread can race with other back-end change notifications and call xen_9pfs_front_free() twice, hitting the observed general protection fault due to a double-free. Guard the teardown path so only one caller can release the front-end state at a time, preventing the crash. This is a fix for the following double-free: [ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI [ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none) [ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150 [ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42 [ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246 [ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000 [ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000 [ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000 [ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68 [ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040 [ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000 [ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660 [ 27.052418] Call Trace: [ 27.052420] <TASK> [ 27.052422] xen_9pfs_front_changed+0x5d5/0x720 [ 27.052426] ? xenbus_otherend_changed+0x72/0x140 [ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10 [ 27.052434] xenwatch_thread+0x94/0x1c0 [ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10 [ 27.052442] kthread+0xf8/0x240 [ 27.052445] ? __pfx_kthread+0x10/0x10 [ 27.052449] ? __pfx_kthread+0x10/0x10 [ 27.052452] ret_from_fork+0x16b/0x1a0 [ 27.052456] ? __pfx_kthread+0x10/0x10 [ 27.052459] ret_from_fork_asm+0x1a/0x30 [ 27.052463] </TASK> [ 27.052465] Modules linked in: [ 27.052471] ---[ end trace 0000000000000000 ]--- | 2026-05-06 | 8.8 | CVE-2026-43249 | https://git.kernel.org/stable/c/a5d00dff97118a32fcf5fec7a4c3f864c4620c4e https://git.kernel.org/stable/c/59e7707492576bdbfa8c1dbe7d90791df31e4773 https://git.kernel.org/stable/c/bf841d43f7a33d75675ba7f4e214ac1c67913065 https://git.kernel.org/stable/c/ce8ded2e61f47747e31eeefb44dc24a2160a7e32 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq() The cluster_cfg array is dynamically allocated to hold per-CPU configuration structures, with its size based on the number of online CPUs. Previously, this array was indexed using hartid, which may be non-contiguous or exceed the bounds of the array, leading to out-of-bounds access. Switch to using cpuid as the index, as it is guaranteed to be within the valid range provided by for_each_online_cpu(). | 2026-05-06 | 8.4 | CVE-2026-43274 | https://git.kernel.org/stable/c/95438699c92947155823dcd3918049a07f3cd867 https://git.kernel.org/stable/c/0442b6229e2eedc95a6d3d18ce75dec7f5b5377c https://git.kernel.org/stable/c/f7c330a8c83c9b0332fd524097eaf3e69148164d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle dma_free_coherent() in error path takes priv->rx_buf.alloc_len as the dma handle. This would lead to improper unmapping of the buffer. Change the dma handle to priv->rx_buf.alloc_phys. | 2026-05-06 | 8.8 | CVE-2026-43283 | https://git.kernel.org/stable/c/0f589ee54fd6d76d3f75e745f7f12c64cbd749e5 https://git.kernel.org/stable/c/accd0599bc8e73b962247c6c6c70ca7aa1f8e8d0 https://git.kernel.org/stable/c/8320727be7ff704e07c87624efc2a4a75f54b3ce https://git.kernel.org/stable/c/1e300c33ef3cc544c2b9c693778fe9490cfe9184 https://git.kernel.org/stable/c/1b1371cd4032ae859838ebc74215f569987bb197 https://git.kernel.org/stable/c/1b1d3c5d58a80a19d017a409aa2308162bab5bbf https://git.kernel.org/stable/c/7e54ff938bebb173822b4c38b33fc164c1cabf92 https://git.kernel.org/stable/c/ffe68c3766997d82e9ccaf1cdbd47eba269c4aa2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data(). | 2026-05-08 | 8.8 | CVE-2026-43284 | https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9 https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7 https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03 https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97 https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034 https://git.kernel.org/stable/c/f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Fix parameter validation for packet data Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data") communication with nci nfc chips is not working any more. The mentioned commit tries to fix access of uninitialized data, but failed to understand that in some cases the data packet is of variable length and can therefore not be compared to the maximum packet length given by the sizeof(struct). | 2026-05-08 | 8.3 | CVE-2026-43291 | https://git.kernel.org/stable/c/a24a8a582da4426b2042e510a1080df84083b51d https://git.kernel.org/stable/c/f5218426f765eee22e178df9c126d974792fb6a5 https://git.kernel.org/stable/c/ad058a4317db7fdb3f09caa6ed536d24a62ce6a0 https://git.kernel.org/stable/c/3b91160e9a91b5a2662875417dc42dc5b0bf03ea https://git.kernel.org/stable/c/c692db813a7e3b7c3c17d6e9a3ad2a018bf1142b https://git.kernel.org/stable/c/498fc5d0d650c77e87fcc73808d4f43240c21805 https://git.kernel.org/stable/c/571dcbeb8e635182bb825ae758399831805693c2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in le_read_features_complete This fixes the following backtrace caused by hci_conn being freed before le_read_features_complete but after hci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue is not able to prevent it: ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] BUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline] BUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344 Write of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52 CPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:194 [inline] kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline] le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344 hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 5932: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963 hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084 le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714 hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861 hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408 hci_event_func net/bluetooth/hci_event.c:7716 [inline] hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773 hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Freed by task 5932: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free mm/slub.c:6663 [inline] kfree+0x2f8/0x6e0 mm/slub.c:6871 device_release+0xa4/0x240 drivers/base/core.c:2565 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1e7/0x590 lib/kobject. ---truncated--- | 2026-05-08 | 8.8 | CVE-2026-43322 | https://git.kernel.org/stable/c/260dc2be643b4a35b27008490c533613e3e53867 https://git.kernel.org/stable/c/035c25007c9e698bef3826070ee34bb6d778020c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: force responder MITM requirements before building the pairing response smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM. tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making method selection inconsistent with the pairing policy the responder already enforces. When the local side requires HIGH security, first verify that MITM can be achieved from the IO capabilities and then force SMP_AUTH_MITM in the response in both rsp.auth_req and auth. This keeps the responder auth bits and later method selection aligned. | 2026-05-08 | 8.8 | CVE-2026-43334 | https://git.kernel.org/stable/c/425a22c5373d4e1b46492ab869074ebeeade61f3 https://git.kernel.org/stable/c/7ab69426e7ecbd18a222ee2ec87ca612d30197d7 https://git.kernel.org/stable/c/01bb4045d2306c266178f49ce0c3576d237a3040 https://git.kernel.org/stable/c/91649c02c1baaa18cedf7fb425fa1f0f852c8183 https://git.kernel.org/stable/c/c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb https://git.kernel.org/stable/c/fa14e0e19820b1bbdb42185c9c4efa950bcffef9 https://git.kernel.org/stable/c/ec17efb1ef91506cfd17a77692eaf4bbacb520ea https://git.kernel.org/stable/c/d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix in-place encryption corruption in SMB2_write() SMB2_write() places write payload in iov[1..n] as part of rq_iov. smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() encrypts iov[1] in-place, replacing the original plaintext with ciphertext. On a replayable error, the retry sends the same iov[1] which now contains ciphertext instead of the original data, resulting in corruption. The corruption is most likely to be observed when connections are unstable, as reconnects trigger write retries that re-send the already-encrypted data. This affects SFU mknod, MF symlinks, etc. On kernels before 6.10 (prior to the netfs conversion), sync writes also used this path and were similarly affected. The async write path wasn't unaffected as it uses rq_iter which gets deep-copied. Fix by moving the write payload into rq_iter via iov_iter_kvec(), so smb3_init_transform_rq() deep-copies it before encryption. | 2026-05-08 | 8.1 | CVE-2026-43362 | https://git.kernel.org/stable/c/438e77435aee2894d5edf90be5c87004a57f6258 https://git.kernel.org/stable/c/52327268224fb9ccc7ecfbbdfdfff54b6e93c518 https://git.kernel.org/stable/c/92e64f1852f455f57d0850989e57c30d7fac7d95 https://git.kernel.org/stable/c/aea5e37388a080361110ab5790f57ae0af383650 https://git.kernel.org/stable/c/d78840a6a38d312dc1a51a65317bb67e46f0b929 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix undersized l_iclog_roundoff values If the superblock doesn't list a log stripe unit, we set the incore log roundoff value to 512. This leads to corrupt logs and unmountable filesystems in generic/617 on a disk with 4k physical sectors... XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197. XFS (sda1): failed to locate log tail XFS (sda1): log mount/recovery failed: error -74 XFS (sda1): log mount failed XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Ending clean mount ...on the current xfsprogs for-next which has a broken mkfs. xfs_info shows this... meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks = sectsz=4096 attr=2, projid32bit=1 = crc=1 finobt=1, sparse=1, rmapbt=1 = reflink=1 bigtime=1 inobtcount=1 nrext64=1 = exchange=1 metadir=1 data = bsize=4096 blocks=2579968, imaxpct=25 = sunit=0 swidth=0 blks naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1 log =internal log bsize=4096 blocks=16384, version=2 = sectsz=4096 sunit=0 blks, lazy-count=1 realtime =none extsz=4096 blocks=0, rtextents=0 = rgcount=0 rgsize=268435456 extents = zoned=0 start=0 reserved=0 ...observe that the log section has sectsz=4096 sunit=0, which means that the roundoff factor is 512, not 4096 as you'd expect. We should fix mkfs not to generate broken filesystems, but anyone can fuzz the ondisk superblock so we should be more cautious. I think the inadequate logic predates commit a6a65fef5ef8d0, but that's clearly going to require a different backport. | 2026-05-08 | 8.2 | CVE-2026-43365 | https://git.kernel.org/stable/c/5afae524f83d6a18517298491a5624cb0eae5029 https://git.kernel.org/stable/c/2ecda4b83749c1fef0c9dea4fd5e8b513aba3e40 https://git.kernel.org/stable/c/41e91dff2d3974730b5ee50daa8e27ec254cbf91 https://git.kernel.org/stable/c/e88ce9f0536f3b2149afb70625cfc4bd74a4ac6d https://git.kernel.org/stable/c/446a1f5bb64ba38adb93cb043ff0f7b85e8937ca https://git.kernel.org/stable/c/5e7148402dfc4a5b7894d8e97b15e5c2e70924aa https://git.kernel.org/stable/c/52a8a1ba883defbfe3200baa22cf4cd21985d51a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Don't log keys in SMB3 signing and encryption key generation When KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and generate_smb3encryptionkey() log the session, signing, encryption, and decryption key bytes. Remove the logs to avoid exposing credentials. | 2026-05-08 | 8.1 | CVE-2026-43377 | https://git.kernel.org/stable/c/4084ed720d7d5f4e975c9e4a6267a552dad3b24a https://git.kernel.org/stable/c/fec5c70b82af3f59f15bb984df94e5ad1fccfb1e https://git.kernel.org/stable/c/3fe2d9ec166b7df9a8df6c0fdcfc210572e27e3f https://git.kernel.org/stable/c/407cc37c21d51f9b9d4d20204b04890880cfa6ae https://git.kernel.org/stable/c/c6b01b997a2094969e315f1ebfc1d64b8ae2163d https://git.kernel.org/stable/c/441336115df26b966575de56daf7107ed474faed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nsfs: tighten permission checks for handle opening Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. | 2026-05-08 | 8.8 | CVE-2026-43391 | https://git.kernel.org/stable/c/1797ee11451f1b2be69863a9f5bd43b948813fdf https://git.kernel.org/stable/c/d2324a9317f00013facb0ba00b00440e19d2af5e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nsfs: tighten permission checks for ns iteration ioctls Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. | 2026-05-08 | 8.8 | CVE-2026-43403 | https://git.kernel.org/stable/c/3376b345df155ca36d8611857b41ff7d5183fc38 https://git.kernel.org/stable/c/2f3dea284c761c890d676f77d5e55c0c496b4ef4 https://git.kernel.org/stable/c/0ad650e60150eda789deca5e78a6a09d26bf8fc9 https://git.kernel.org/stable/c/e6b899f08066e744f89df16ceb782e06868bd148 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: guard option walkers against 1-byte tail reads When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers. | 2026-05-08 | 8.2 | CVE-2026-43452 | https://git.kernel.org/stable/c/c2a445367a496a3c25dbc940c10c8bd1cfd4c14a https://git.kernel.org/stable/c/ae1e1267650638136b84c23f2b31250f0ccb6823 https://git.kernel.org/stable/c/c39f84e4be1be63fc60ca7141ea7b76edcea5907 https://git.kernel.org/stable/c/9b94f0e42ed248eb31929da84ed9f5310d7ff540 https://git.kernel.org/stable/c/5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c https://git.kernel.org/stable/c/bc18551c6169eac5ed813778d3e3e484002dbbe5 https://git.kernel.org/stable/c/d04800323336eebf441d153f43234eac9b833d36 https://git.kernel.org/stable/c/cfe770220ac2dbd3e104c6b45094037455da81d4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery In case of a TX error CQE, a recovery flow is triggered, mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, desyncing the DMA FIFO producer and consumer. After recovery, the producer pushes new DMA entries at the old dma_fifo_pc, while the consumer reads from position 0. This causes us to unmap stale DMA addresses from before the recovery. The DMA FIFO is a purely software construct with no HW counterpart. At the point of reset, all WQEs have been flushed so dma_fifo_cc is already equal to dma_fifo_pc. There is no need to reset either counter, similar to how skb_fifo pc/cc are untouched. Remove the 'dma_fifo_cc = 0' reset. This fixes the following WARNING: WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 Call Trace: <IRQ> ? __warn+0x7d/0x110 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0x16d/0x180 ? handle_bug+0x4f/0x90 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 ? iommu_dma_unmap_page+0x2e/0x90 dma_unmap_page_attrs+0x10d/0x1b0 mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] __napi_poll+0x24/0x190 net_rx_action+0x32a/0x3b0 ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] ? notifier_call_chain+0x35/0xa0 handle_softirqs+0xc9/0x270 irq_exit_rcu+0x71/0xd0 common_interrupt+0x7f/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 | 2026-05-08 | 8.2 | CVE-2026-43466 | https://git.kernel.org/stable/c/821f85d619f7f22cda7b9d7de89cf5eeb1d11544 https://git.kernel.org/stable/c/6eb68ecc5acc3b319986566c595990b8a7265b23 https://git.kernel.org/stable/c/6f41f7812bfa7f991b732a4b45c5c52fc4be3b4e https://git.kernel.org/stable/c/383b37c04a4827ba60b2bafc1a6cdfd995aed58f https://git.kernel.org/stable/c/9c5ee9b981ee050b73fdf3f4a2464d6f1a8e10a8 https://git.kernel.org/stable/c/ce1b19dd0684eeb68a124c11085bd611260b36d9 https://git.kernel.org/stable/c/829efcccfa8f69db5dc8332961295587d218cee6 https://git.kernel.org/stable/c/1633111d69053512d099658d4a05fc736fab36b0 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel. | 2026-05-05 | 8.2 | CVE-2026-43526 | GitHub Security Advisory (GHSA-2767-2q9v-9326) Patch Commit (1) Patch Commit (2) VulnCheck Advisory: OpenClaw < 2026.4.12 - Server-Side Request Forgery via QQBot Reply Media URL Handling |
| OpenClaw--OpenClaw | OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations. | 2026-05-05 | 8.8 | CVE-2026-43530 | GitHub Security Advisory (GHSA-2cq5-mf3v-mx44) Patch Commit VulnCheck Advisory: OpenClaw 2026.2.23 < 2026.4.12 - Weakened Exec Approval Binding via busybox and toybox Applet Execution |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling. | 2026-05-05 | 8.6 | CVE-2026-43533 | GitHub Security Advisory (GHSA-66r7-m7xm-v49h) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent. | 2026-05-05 | 8.8 | CVE-2026-43569 | GitHub Security Advisory (GHSA-939r-rj45-g2rj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablement via Workspace Provider Auth |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading. | 2026-05-05 | 8.8 | CVE-2026-43571 | GitHub Security Advisory (GHSA-82qx-6vj7-p8m2) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Resolution in Channel Setup |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity. | 2026-05-06 | 8.8 | CVE-2026-43584 | GitHub Security Advisory (GHSA-vfp4-8x56-j7c5) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access. | 2026-05-06 | 8.1 | CVE-2026-43585 | GitHub Security Advisory (GHSA-xmxx-7p24-h892) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim's filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16. | 2026-05-08 | 8.4 | CVE-2026-43940 | https://github.com/electerm/electerm/security/advisories/GHSA-f77v-9vpc-6pjm https://github.com/electerm/electerm/releases/tag/v3.7.16 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior. | 2026-05-06 | 8.8 | CVE-2026-44110 | GitHub Security Advisory (GHSA-2gvc-4f3c-2855) Patch Commit (1) Patch Commit (2) VulnCheck Advisory: OpenClaw < 2026.4.15 - Authorization Bypass in Matrix Room Control Commands via DM Pairing Store |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell expansion tokens in heredoc bodies to execute unapproved commands at runtime. | 2026-05-06 | 8.8 | CVE-2026-44115 | GitHub Security Advisory (GHSA-x3h8-jrgh-p8jx) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted Heredocs via Exec Allowlist |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources. | 2026-05-06 | 8.6 | CVE-2026-44116 | GitHub Security Advisory (GHSA-2hh7-c75g-qj2r) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation |
| ProFTPD--ProFTPD | In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability. | 2026-05-05 | 8.1 | CVE-2026-44331 | https://github.com/proftpd/proftpd/issues/2057 https://github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is remotely triggerable through POST /v1/recipes/run with a recipe value pointing at any local absolute path or any GitHub repo (because SecurityConfig.allow_any_github defaults to True). The attacker drops a tools.py next to TEMPLATE.yaml; the server exec_module()s it. No auth required by default, no environment opt-in required. This issue has been patched in version 4.6.32. | 2026-05-08 | 8.4 | CVE-2026-44334 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-xcmw-grxf-wjhj |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools. This issue has been patched in praisonai version 4.6.37 and praisonaiagents version 1.6.37. | 2026-05-08 | 8.6 | CVE-2026-44339 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gmjg-hv98-qggq |
| MailEnable--MailEnable Enterprise Premium | MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions. | 2026-05-08 | 8.1 | CVE-2026-44400 | https://www.mailenable.com/Premium-ReleaseNotes.txt https://www.vulncheck.com/advisories/mailenable-enterprise-premium-authorization-bypass-via-webadmin |
| wedevs--User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system. | 2026-05-08 | 8.8 | CVE-2026-5127 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2b5d27cc-c6eb-4c5c-8ee1-30483b91c6fd?source=cve https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L959 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L959 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L1103 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L1103 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L679 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L679 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L704 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L704 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L429 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L429 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L502 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L502 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L35 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L35 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L36 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L36 https://plugins.trac.wordpress.org/changeset/3514258/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-user-frontend/tags/4.3.1&new_path=%2Fwp-user-frontend/tags/4.3.2 |
| DivvyDrive Information Technologies Inc.--DivvyDrive | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 8.8 | CVE-2026-5784 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| Ivanti--Endpoint Manager Mobile | An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access. | 2026-05-07 | 8.8 | CVE-2026-5786 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs |
| Ivanti--Endpoint Manager Mobile | An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. | 2026-05-07 | 8.9 | CVE-2026-5787 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs |
| DivvyDrive Information Technologies Inc.--DivvyDrive | Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS). This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 8.8 | CVE-2026-6002 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| MuffinGroup--Betheme | The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files (including PHP) and achieve remote code execution via the Icons icon-pack upload flow. | 2026-05-05 | 8.8 | CVE-2026-6261 | https://www.wordfence.com/threat-intel/vulnerabilities/id/722c04c3-8f74-4081-b3a4-cb1ae2027312?source=cve https://support.muffingroup.com/changelog/ |
| Red Hat--Red Hat Ansible Automation Platform 2.5 for RHEL 8 | A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email. | 2026-05-04 | 8.3 | CVE-2026-6266 | RHSA-2026:13508 RHSA-2026:13512 RHSA-2026:13545 https://access.redhat.com/security/cve/CVE-2026-6266 RHBZ#2458142 |
| www[.]pgbouncer[.]org--PgBouncer | The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow. | 2026-05-09 | 8.1 | CVE-2026-6665 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| www[.]pgbouncer[.]org--PgBouncer | The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow. | 2026-05-09 | 8.1 | CVE-2026-6665 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| Revolution Slider--Slider Revolution | The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' function. This is due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files that may be executable, which makes remote code execution possible. The vulnerability was partially patched in version 7.0.10 and fully patched in version 7.0.11. | 2026-05-07 | 8.8 | CVE-2026-6692 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e802a6-d2f1-47cc-883a-89110e569168?source=cve https://www.sliderrevolution.com/ |
| davidanderson--WP-Optimize Cache, Compress images, Minify & Clean database to boost page speed & performance | The WP-Optimize - Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, 4.5.2 This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is possible because 'original-file' is a public (non-protected) meta key - it does not begin with an underscore - allowing Authors to freely create or modify it on their own attachment posts via the standard Edit Media form or the REST API. | 2026-05-07 | 8.1 | CVE-2026-7252 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc815ef2-dd02-4faa-b202-dd1552f889db?source=cve https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L1649 https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L1649 https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L1645 https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L1645 https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L81 https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L81 https://plugins.trac.wordpress.org/changeset/3518513/wp-optimize/trunk/includes/class-updraft-smush-manager.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-optimize/tags/4.5.2&new_path=%2Fwp-optimize/tags/4.5.3 |
| Eclipse Foundation--Eclipse BaSyx | In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS). | 2026-05-05 | 8.6 | CVE-2026-7412 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423 https://gitlab.eclipse.org/security/cve-assignment/-/issues/103 |
| Totolink--WA300 | A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. This issue affects the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Executing a manipulation of the argument File can lead to buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-04 | 8.8 | CVE-2026-7717 | VDB-360893 | Totolink WA300 POST Request cstecgi.cgi UploadCustomModule buffer overflow VDB-360893 | CTI Indicators (IOB, IOC, IOA) Submit #807193 | Totolink WA300 WA300 V5.2cu.7112_B20190227 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-UploadCustomModule-34553a41781f80a8a287e48a7fb04de9 https://www.totolink.net/ |
| Totolink--N300RH | A weakness has been identified in Totolink N300RH 3.2.4-B20220812. Affected by this issue is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Executing a manipulation of the argument FileName can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-04 | 8.8 | CVE-2026-7748 | VDB-360923 | Totolink N300RH POST Request cstecgi.cgi setUpgradeFW buffer overflow VDB-360923 | CTI Indicators (IOB, IOC, IOA) Submit #807202 | Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setUpgradeFW-34553a41781f80abb1d1c627d7ff4329?pvs=73 https://www.totolink.net/ |
| Totolink--N300RH | A security vulnerability has been detected in Totolink N300RH 3.2.4-B20220812. This affects the function setWanConfig of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument priDns leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-05-04 | 8.8 | CVE-2026-7749 | VDB-360924 | Totolink N300RH POST Request cstecgi.cgi setWanConfig buffer overflow VDB-360924 | CTI Indicators (IOB, IOC, IOA) Submit #807203 | Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setWanConfig-34553a41781f80ed8500d9b8d54074f2 https://www.totolink.net/ |
| Totolink--N300RH | A vulnerability was detected in Totolink N300RH 3.2.4-B20220812. This vulnerability affects the function setMacFilterRules of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument mac_address results in buffer overflow. The attack may be launched remotely. The exploit is now public and may be used. | 2026-05-04 | 8.8 | CVE-2026-7750 | VDB-360925 | Totolink N300RH POST Request cstecgi.cgi setMacFilterRules buffer overflow VDB-360925 | CTI Indicators (IOB, IOC, IOA) Submit #807204 | Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setMacFilterRules-34553a41781f809cb952cdcb71ce90d8 https://www.totolink.net/ |
| SmarterTools Inc.--SmarterMail | SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users. | 2026-05-08 | 8.1 | CVE-2026-7807 | https://www.smartertools.com/smartermail/release-notes/current https://www.vulncheck.com/advisories/smartertools-smartermail-build-9560-server-local-file-inclusion-via-the-api-v1-report-summary-type-api |
| GeoVision Inc.--ASManager | A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the frontend restrictions. | 2026-05-06 | 8.8 | CVE-2026-7841 | https://www.geovision.com.tw/cyber_security.php |
| D-Link--DI-8100 | A vulnerability was detected in D-Link DI-8100 16.07.26A1. Affected by this issue is the function tggl_asp of the file /tggl.asp of the component HTTP Request Handler. Performing a manipulation of the argument Name results in buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used. | 2026-05-05 | 8.8 | CVE-2026-7855 | VDB-361132 | D-Link DI-8100 HTTP Request tggl.asp tggl_asp buffer overflow VDB-361132 | CTI Indicators (IOB, IOC, IOA) Submit #807841 | D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/tggl_asp_overflow.md https://www.dlink.com/ |
| Qwibit--NanoClaw | NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target. | 2026-05-06 | 8.8 | CVE-2026-7875 | https://github.com/qwibitai/nanoclaw/pull/2001 https://github.com/qwibitai/nanoclaw/commit/7814e45570edf0024a1a5c2ba9fbc9cb3a49f7f7 https://github.com/qwibitai/nanoclaw/releases/tag/v1.2.0 |
| Totolink--X5000R | A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. The manipulation of the argument submit-url leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2026-05-08 | 8.8 | CVE-2026-8137 | VDB-361926 | Totolink X5000R formDdns sub_458E40 buffer overflow VDB-361926 | CTI Indicators (IOB, IOC, IOA) Submit #808863 | Totolink X5000R V9.1.0u.6369_B20230113 Stack-based Buffer Overflow https://github.com/Kiciot/cve/issues/4 https://www.totolink.net/ |
| Tenda--CX12L | A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg". The manipulation results in stack-based buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-05-08 | 8.8 | CVE-2026-8138 | VDB-361927 | Tenda CX12L SetPptpServerCfg” formSetPPTPServer stack-based overflow VDB-361927 | CTI Indicators (IOB, IOC, IOA) Submit #808867 | Tenda CX12L V16.03.53.12 Stack-based Buffer Overflow https://github.com/cve-a/lvdan/issues/6 https://www.tenda.com.cn/ |
| Amazon--Amazon Redshift JDBC Driver | An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath. To mitigate this issue, users should upgrade to version 2.2.2 or later. | 2026-05-08 | 8.1 | CVE-2026-8178 | https://github.com/aws/amazon-redshift-jdbc-driver/releases/tag/v2.2.2 https://aws.amazon.com/security/security-bulletins/2026-028-aws/ https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-wmmv-vvg5-993q |
| EFM--ipTIME A8004T | A security vulnerability has been detected in EFM ipTIME A8004T 14.18.2. This vulnerability affects the function formWifiBasicSet of the file /goform/WifiBasicSet. The manipulation of the argument security_5g leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 8.8 | CVE-2026-8234 | VDB-362454 | EFM ipTIME A8004T WifiBasicSet formWifiBasicSet stack-based overflow VDB-362454 | CTI Indicators (IOB, IOC, IOA) Submit #808865 | IPTIME A8004T 14.18.2 Stack-based Buffer Overflow https://github.com/Kiciot/cve/issues/5 |
| memono--Notepad | memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices. | 2026-05-10 | 7.5 | CVE-2021-47944 | ExploitDB-49977 VulnCheck Advisory: memono Notepad 4.2 Denial of Service via Buffer Overflow |
| argus--Argus Surveillance DVR | Argus Surveillance DVR 4.0 contains an unquoted service path vulnerability in the DVRWatchdog service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem privileges when the service starts. | 2026-05-10 | 7.8 | CVE-2021-47945 | ExploitDB-50261 VulnCheck Advisory: Argus Surveillance DVR 4.0 Unquoted Service Path Privilege Escalation |
| Backupbliss--WordPress Plugin Backup Migration | WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps. | 2026-05-05 | 7.5 | CVE-2023-54346 | ExploitDB-51445 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Backup Migration 1.2.8 Unauthenticated Database Backup Download |
| Open-Emr--OpenEMR | OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and password combinations without account lockout restrictions. | 2026-05-05 | 7.5 | CVE-2023-54347 | ExploitDB-51413 Official Product Homepage Product Reference VulnCheck Advisory: OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass |
| Qualcomm, Inc.--Snapdragon | Memory corruption when processing camera sensor input/output control codes with invalid output buffers. | 2026-05-04 | 7.8 | CVE-2025-47405 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while creating a process on the digital signal processor due to allocation failure at the kernel level. | 2026-05-04 | 7.8 | CVE-2025-47407 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption when another driver calls an IOCTL with invalid input/output buffer. | 2026-05-04 | 7.8 | CVE-2025-47408 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| WPMart--Team Member | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMart Team Member allows Blind SQL Injection. This issue affects Team Member: from n/a through 8.5. | 2026-05-07 | 7.6 | CVE-2025-68060 | https://patchstack.com/database/wordpress/plugin/team-showcase-supreme/vulnerability/wordpress-team-member-plugin-8-5-sql-injection-vulnerability?_s_id=cve |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In IMS, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71251 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71252 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71253 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71254 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71255 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71256 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| GravityMore--Gravity Bookings | The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-06 | 7.5 | CVE-2026-1719 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ce032abe-ee9d-4be1-ac97-5fa95d598e85?source=cve https://gravitybooking.com/ |
| Cisco--Cisco Unity Connection | A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device. | 2026-05-06 | 7.2 | CVE-2026-20035 | cisco-sa-unity-rce-ssrf-hENhuASy |
| Cisco--Cisco IoT Field Network Director (IoT-FND) | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to cause a DoS condition on a remotely managed router. This vulnerability is due to improper error handling. An attacker could exploit this vulnerability by submitting crafted input to the web-based management interface. A successful exploit could allow the attacker to request unauthorized files from a remote router, causing the router to reload and resulting in a DoS condition. | 2026-05-06 | 7.7 | CVE-2026-20167 | cisco-sa-iot-fnd-dos-n8N26Q4u |
| Cisco--Cisco Small Business Smart and Managed Switches | A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X) firmware could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling when parsing response data for a specific SNMP request. An attacker could exploit this vulnerability by sending a specific SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system. | 2026-05-06 | 7.7 | CVE-2026-20185 | cisco-sa-sg350-snmp-dos-GEFZr2Tj |
| Cisco--Cisco Crosswork Network Change Automation | A vulnerability in the connection-handling mechanism of Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to an inadequate implementation of rate-limiting on incoming network connections. An attacker could exploit this vulnerability by sending a large number of connection requests to an affected system. A successful exploit could allow the attacker to exhaust available connection resources, causing Cisco CNC and Cisco NSO to become unresponsive and resulting in a DoS condition for legitimate users and dependent services. A manual reboot of the system is required to recover from this condition. | 2026-05-06 | 7.5 | CVE-2026-20188 | cisco-sa-nso-dos-7Egqyc |
| Meta--react-server-dom-turbopack | A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5). | 2026-05-06 | 7.5 | CVE-2026-23870 | https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when copying data from a freed source while executing performance counter deselect operation. | 2026-05-04 | 7.8 | CVE-2026-24082 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Jules Colle--Conditional Fields for Contact Form 7 | Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process. | 2026-05-04 | 7.5 | CVE-2026-25863 | https://wordpress.org/plugins/cf7-conditional-fields/#developers https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption |
| Microsoft--Microsoft 365 Copilot's Business Chat | Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 7.5 | CVE-2026-26129 | M365 Copilot Information Disclosure Vulnerability |
| Microsoft--Microsoft 365 Copilot's Business Chat | Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 7.5 | CVE-2026-26164 | M365 Copilot Information Disclosure Vulnerability |
| Profelis Information and Consulting Trade and Industry Limited Company--SambaBox | Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection. This issue affects SambaBox: from 5.1 before 5.3. | 2026-05-04 | 7.2 | CVE-2026-3120 | https://www.usom.gov.tr/bildirim/tr-26-0155 |
| Scott Paterson--easy-paypal-events-tickets | Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18. | 2026-05-04 | 7.5 | CVE-2026-32834 | https://gist.github.com/4lec4st/eb20f9934f8c23b4b241f74a8d884ce9 https://wordpress.org/plugins/easy-paypal-events-tickets https://www.vulncheck.com/advisories/easy-paypal-events-tickets-authentication-bypass-via-qr-code-scanning |
| Microsoft--Copilot Chat (Microsoft Edge) | Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 7.5 | CVE-2026-33111 | Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability |
| 10web--Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder | The Form Maker by 10Web - Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-3359 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f37cc880-d8a4-431a-9639-abf01163030a?source=cve https://plugins.trac.wordpress.org/changeset/3518461/form-maker |
| Red Hat--Red Hat Hardened Images | A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption. | 2026-05-04 | 7.5 | CVE-2026-33846 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-33846 RHBZ#2450625 |
| Akamai--Guardicore Platform Agent | Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the HandleSaveLogs() function of the GPA service, by creating a log file and manipulating it into a symlink that points to the targeted path; this can allow an unprivileged local user to make arbitrary root-owned files world-writable. In addition, a diagnostic collection tool (gimmelogs) running with root privileges was vulnerable to command injection from the dbstore, offering a second privilege escalation vector. (On Windows, gimmelogs does not have command injection but does allow writing a ZIP archive to an unintended location.) This affects Akamai Guardicore Platform Agent 7.0 through 7.3.1 and Akamai Zero Trust Client 6.0 through 6.1.5. | 2026-05-08 | 7.4 | CVE-2026-34354 | https://www.akamai.com/blog/security-research/advisory-cve-2026-34354-guardicore-local-privilege-escalation |
| ahmadgb--GeekyBot AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content | The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-3456 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4c716fd3-6297-4b3a-a796-65f68f2986cf?source=cve https://plugins.trac.wordpress.org/changeset/3474168/geeky-bot |
| Hikvision--DS-3E1310P-SI | Some Hikvision switch products (discontinued since December 2023) are vulnerable to authenticated remote command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution. | 2026-05-09 | 7.2 | CVE-2026-3828 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/command-execution-vulnerability-in-some-hikvision-switch-product/ |
| OpenStack--Cyborg | OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC. | 2026-05-07 | 7.4 | CVE-2026-40213 | https://bugs.launchpad.net/openstack-cyborg/+bug/2143263 https://www.openwall.com/lists/oss-security/2026/05/07/6 https://security.openstack.org/ossa/OSSA-2026-011.html |
| Spring--Spring Cloud Config | When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 7.5 | CVE-2026-40981 | https://spring.io/security/cve-2026-40981 |
| Spring--Spring Cloud Config | The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 7.4 | CVE-2026-41002 | https://spring.io/security/cve-2026-41002 |
| harttle--liquidjs | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7. | 2026-05-09 | 7.5 | CVE-2026-41311 | https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548 https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0 https://github.com/harttle/liquidjs/releases/tag/v10.25.7 |
| QuantumNous--new-api | New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. This issue has been patched in version 0.12.10. | 2026-05-08 | 7.1 | CVE-2026-41432 | https://github.com/QuantumNous/new-api/security/advisories/GHSA-xff3-5c9p-2mr4 https://github.com/QuantumNous/new-api/releases/tag/v0.12.10 |
| Scott Paterson--easy-paypal-events-tickets | Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18. | 2026-05-04 | 7.5 | CVE-2026-41471 | https://gist.github.com/4lec4st/9fd04b4bfadb3f7e388f61588f5f2564 https://wordpress.org/plugins/easy-paypal-events-tickets https://www.vulncheck.com/advisories/easy-paypal-events-tickets-information-disclosure-via-qr-code-endpoint |
| cilium--cilium | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.15, 1.18.9, and 1.19.3, the output of cilium-bugtool can contain sensitive data when the tool is run against Cilium deployments with WireGuard encryption enabled. This issue has been patched in versions 1.17.15, 1.18.9, and 1.19.3. | 2026-05-08 | 7.9 | CVE-2026-41520 | https://github.com/cilium/cilium/security/advisories/GHSA-gj49-89wh-h4gj https://github.com/cilium/cilium/releases/tag/v1.17.15 https://github.com/cilium/cilium/releases/tag/v1.18.9 https://github.com/cilium/cilium/releases/tag/v1.19.3 |
| Bricks--Bricks Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricks Builder allows Reflected XSS. This issue affects Bricks Builder: from n/a through 1.9.2 to 2.2. | 2026-05-07 | 7.1 | CVE-2026-41554 | https://patchstack.com/database/wordpress/theme/bricks/vulnerability/wordpress-bricks-builder-theme-1-9-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| sebastianbergmann--phpunit | PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6. | 2026-05-08 | 7.8 | CVE-2026-41570 | https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-qrr6-mg7r-m243 https://github.com/sebastianbergmann/phpunit/pull/6592 |
| Ajax30--BraveCMS-2.0 | Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP's nl2br() function, which converts newlines to <br> tags but does not escape HTML. The resulting string is then passed to a Blade email template using the unescaped {!! $msg !!} directive. The resulting content is then rendered in a Blade email template using the unescaped {!! $msg !!} directive. Because HTML is not sanitized, arbitrary markup can be injected into the email body. While modern HTML-capable email clients (Gmail or Outlook Web) typically block JavaScript execution, they still render HTML content. This allows attackers to craft convincing phishing interfaces inside the email sent to the administrator. This issue has been patched via commit 6c56603. | 2026-05-08 | 7.1 | CVE-2026-41576 | https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-x7cg-8grr-grvx https://github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11ea |
| nocobase--nocobase | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39. | 2026-05-07 | 7.5 | CVE-2026-41640 | https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432 https://github.com/nocobase/nocobase/pull/9133 https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604 https://github.com/nocobase/nocobase/releases/tag/v2.0.39 |
| nocobase--nocobase | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39. | 2026-05-07 | 7.2 | CVE-2026-41641 | https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh https://github.com/nocobase/nocobase/pull/9134 https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91 https://github.com/nocobase/nocobase/releases/tag/v2.0.39 |
| osrg--gobgp | GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP due to a nil pointer dereference. When a malformed BGP UPDATE message contains an unrecognized Path Attribute marked as "Well-known," the daemon fails to interrupt the message handling flow. This results in an illegal memory access and a full process crash (panic). This issue has been patched in version 4.4.0. | 2026-05-07 | 7.5 | CVE-2026-41642 | https://github.com/osrg/gobgp/security/advisories/GHSA-7235-89m6-f4px https://github.com/osrg/gobgp/releases/tag/v4.4.0 |
| osrg--gobgp | GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. Prior to version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP where a malformed BGP UPDATE message can trigger a runtime error: index out of range panic. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. This issue has been patched in version 4.3.0. | 2026-05-07 | 7.5 | CVE-2026-41643 | https://github.com/osrg/gobgp/security/advisories/GHSA-8rxh-r2p6-7f2q https://github.com/osrg/gobgp/releases/tag/v4.3.0 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin's 2FA. This issue has been patched in version 5.0.9. | 2026-05-07 | 7.1 | CVE-2026-41660 | https://github.com/Admidio/admidio/security/advisories/GHSA-rh3w-4ccx-prf9 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| ellite--Wallos | Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches. | 2026-05-07 | 7.7 | CVE-2026-41688 | https://github.com/ellite/Wallos/security/advisories/GHSA-h4g7-xv3v-q73g https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef |
| locize--locize | locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin. The pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" - that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host - an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down - could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21. | 2026-05-08 | 7.5 | CVE-2026-41886 | https://github.com/locize/locize/security/advisories/GHSA-w937-fg2h-xhq2 https://github.com/locize/locize/releases/tag/v4.0.21 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store an XSS payload in the mailbox auto-reply message. The payload is rendered unescaped in the auto-reply email sent to every customer who contacts the mailbox. Email clients do not enforce CSP, so the payload executes in the customer's webmail / mail-client context. This issue has been patched in version 1.8.217. | 2026-05-07 | 7.6 | CVE-2026-41904 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q3fh-rj9h-jfrc https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, Helper::sanitizeRemoteUrl() in app/Misc/Helper.php follows HTTP redirects via curlGetLastRedirectedUrl() but then re-validates the original URL instead of the final redirect destination. An attacker who can supply any URL that passes the initial host check can redirect FreeScout to internal HTTP services (cloud metadata, internal APIs, RFC1918 ranges) that would normally be blocked. This issue has been patched in version 1.8.217. | 2026-05-07 | 7.7 | CVE-2026-41905 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-22wf-848c-c856 https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope customers through the mailbox-filtered search endpoint, but the backend conversation_change_customer action accepts any supplied customer_email. A low-privileged agent can forge a request and bind a visible conversation to a hidden customer in another mailbox. This issue has been patched in version 1.8.214. | 2026-05-07 | 7.1 | CVE-2026-41906 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-p6hg-2cwg-rrx9 https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest-Shamir-Adleman - Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process. | 2026-05-07 | 7.1 | CVE-2026-42010 | https://access.redhat.com/security/cve/CVE-2026-42010 RHBZ#2467289 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems. | 2026-05-07 | 7.4 | CVE-2026-42011 | https://access.redhat.com/security/cve/CVE-2026-42011 RHBZ#2467437 |
| prometheus--prometheus | Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3. | 2026-05-04 | 7.5 | CVE-2026-42151 | https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj https://github.com/prometheus/prometheus/pull/18587 https://github.com/prometheus/prometheus/pull/18590 https://github.com/prometheus/prometheus/releases/tag/v3.11.3 https://github.com/prometheus/prometheus/releases/tag/v3.5.3 |
| prometheus--prometheus | Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3. | 2026-05-04 | 7.5 | CVE-2026-42154 | https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm https://github.com/prometheus/prometheus/pull/18584 https://github.com/prometheus/prometheus/pull/18585 https://github.com/prometheus/prometheus/releases/tag/v3.11.3 https://github.com/prometheus/prometheus/releases/tag/v3.5.3 |
| Eugeny--russh | Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1. | 2026-05-08 | 7.5 | CVE-2026-42189 | https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1 https://github.com/Eugeny/russh/releases/tag/v0.60.1 |
| dail8859--NotepadNext | Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14. | 2026-05-07 | 7.8 | CVE-2026-42214 | https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g https://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc https://github.com/dail8859/NotepadNext/releases/tag/v0.14 |
| Icinga--ipl-web | ipl/web is a set of common web components for php projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in version 0.13.1. | 2026-05-08 | 7.6 | CVE-2026-42224 | https://github.com/Icinga/ipl-web/security/advisories/GHSA-55wf-5m3q-6jjf https://github.com/Icinga/ipl-web/commit/f387e92504d7a03bb857d1aee9b7410e06dd065d https://github.com/Icinga/ipl-web/releases/tag/v0.13.1 |
| legeling--PromptHub | PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn't the literal string "::1". Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true - a supported and documented configuration - this means any internet user who can register. This issue has been patched in version 0.5.4. | 2026-05-08 | 7.1 | CVE-2026-42261 | https://github.com/legeling/PromptHub/security/advisories/GHSA-9fhh-fjfg-5mr6 https://github.com/legeling/PromptHub/releases/tag/v0.5.4 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2. | 2026-05-08 | 7.4 | CVE-2026-42264 | https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj https://github.com/axios/axios/pull/10779 https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa https://github.com/axios/axios/releases/tag/v1.15.2 |
| osrg--gobgp | GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability. This issue has been patched in version 4.5.0. | 2026-05-07 | 7.5 | CVE-2026-42285 | https://github.com/osrg/gobgp/security/advisories/GHSA-p3w2-64xm-833j https://github.com/osrg/gobgp/releases/tag/v4.5.0 |
| befeleme--pyp2spec | pyp2spec generates working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1. | 2026-05-09 | 7.8 | CVE-2026-42301 | https://github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhw https://github.com/befeleme/pyp2spec/releases/tag/v0.14.1 |
| labring--FastGPT | FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not 'true'), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches. | 2026-05-08 | 7.7 | CVE-2026-42345 | https://github.com/labring/FastGPT/security/advisories/GHSA-jhqw-944x-xh94 |
| geopython--pygeoapi | pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3. | 2026-05-08 | 7.5 | CVE-2026-42351 | https://github.com/geopython/pygeoapi/security/advisories/GHSA-f6pr-83pg-ghh6 https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52 https://github.com/geopython/pygeoapi/releases/tag/0.23.3 |
| GeoVision Inc.--GV-LPC2011/LPC2211 | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-05-04 | 7.4 | CVE-2026-42366 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation. | 2026-05-05 | 7.7 | CVE-2026-42436 | GitHub Security Advisory (GHSA-c4qm-58hj-j6pj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path. | 2026-05-05 | 7.5 | CVE-2026-42437 | GitHub Security Advisory (GHSA-vw3h-q6xq-jjm5) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass sender and group-scoped authorization boundaries and retrieve readable local files through the outbound media path. | 2026-05-05 | 7.7 | CVE-2026-42438 | GitHub Security Advisory (GHSA-jhpv-5j76-m56h) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.9 < 2026.4.10 - Sender Policy Bypass in Host Media Attachment Reads |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5. | 2026-05-09 | 7.5 | CVE-2026-42574 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6 https://github.com/chainguard-dev/apko/pull/2187 https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442 https://github.com/chainguard-dev/apko/releases/tag/v1.2.5 |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7. | 2026-05-09 | 7.5 | CVE-2026-42575 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-hcwr-pq9g-rq3m https://github.com/chainguard-dev/apko/commit/a118c3d604107532b5525bd4bee2fb369a6228aa https://github.com/chainguard-dev/apko/releases/tag/v1.2.7 |
| OpenStack--Ironic | An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1. | 2026-05-05 | 7.7 | CVE-2026-42997 | https://www.openwall.com/lists/oss-security/2026/05/05/10 https://security.openstack.org/ossa/OSSA-2026-010.html |
| WeePie--WeePie Cookie Allow | The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in all versions up to, and including, 3.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-4304 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f783e626-37c0-4ad9-9074-c5332583a0cb?source=cve https://codecanyon.net/item/weepie-cookie-allow-easy-complete-cookie-consent-plugin/10342528 https://weepie-plugins.com/changelog-weepie-cookie-allow-plugin/ |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: drop pending enqueued packets on removal Packets sitting in nfqueue might hold a reference to: - templates that specify the conntrack zone, because a percpu area is used and module removal is possible. - conntrack timeout policies and helper, where object removal leave a stale reference. Since these objects can just go away, drop enqueued packets to avoid stale reference to them. If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies. | 2026-05-05 | 7.8 | CVE-2026-43060 | https://git.kernel.org/stable/c/8a64e76933672b08bd85b63086f33432070fd729 https://git.kernel.org/stable/c/3da0b946835f33bf36b459ead764c61a761e689b https://git.kernel.org/stable/c/ab50302190b303f847c4eba0e31a01a56dec596e https://git.kernel.org/stable/c/e68a8db3a0546482b34e9ca5ca886bcf73eb37bb https://git.kernel.org/stable/c/6802ff8beceb9c4254318e81c1395720438f2cc2 https://git.kernel.org/stable/c/f29a055e4f593e577805b41228b142b58f48df1b https://git.kernel.org/stable/c/77da55dee67720e2b8d2db49a53334e6c017ee7b https://git.kernel.org/stable/c/36eae0956f659e48d5366d9b083d9417f3263ddc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() l2cap_ecred_reconf_rsp() casts the incoming data to struct l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes with result at offset 0). This causes two problems: - The sizeof(*rsp) length check requires 8 bytes instead of the correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected with -EPROTO. - rsp->result reads from offset 6 instead of offset 0, returning wrong data when the packet is large enough to pass the check. Fix by using the correct type. Also pass the already byte-swapped result variable to BT_DBG instead of the raw __le16 field. | 2026-05-05 | 7.1 | CVE-2026-43062 | https://git.kernel.org/stable/c/21d3ba696918d6373233aac0b9d51fcabdedddc0 https://git.kernel.org/stable/c/3b94e62caa1dc1198d0d55d97bd710da1dee15d7 https://git.kernel.org/stable/c/111f74547eee8cfedfb854284e80f35c8a491186 https://git.kernel.org/stable/c/dd3b221e21079ade8263fbb7176f3d55ad75d3b6 https://git.kernel.org/stable/c/d90150c72d2e6a8a3079e88755dafcfbe91c746d https://git.kernel.org/stable/c/5a1ea296f8589ce8f1e3141b2b123b34ad010e19 https://git.kernel.org/stable/c/f110b8f58b254bf997cec1bd60701b7798e9bb82 https://git.kernel.org/stable/c/15145675690cab2de1056e7ed68e59cbd0452529 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: don't irele after failing to iget in xfs_attri_recover_work xlog_recovery_iget* never set @ip to a valid pointer if they return an error, so this irele will walk off a dangling pointer. Fix that. | 2026-05-05 | 7.8 | CVE-2026-43063 | https://git.kernel.org/stable/c/b5c5a50c2f513d4a13a6763564a07b470e69cc5a https://git.kernel.org/stable/c/a1a5df1038f0b3c560d204270373621a4e622808 https://git.kernel.org/stable/c/40082d08b638485cbaa543dc8087a3d1844d6f08 https://git.kernel.org/stable/c/70685c291ef82269180758130394ecdc4496b52c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Reset register ID for BPF_END value tracking When a register undergoes a BPF_END (byte swap) operation, its scalar value is mutated in-place. If this register previously shared a scalar ID with another register (e.g., after an `r1 = r0` assignment), this tie must be broken. Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END. Consequently, if a conditional jump checks the swapped register, the verifier incorrectly propagates the learned bounds to the linked register, leading to false confidence in the linked register's value and potentially allowing out-of-bounds memory accesses. Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case to break the scalar tie, similar to how BPF_NEG handles it via `__mark_reg_known`. | 2026-05-05 | 7.8 | CVE-2026-43070 | https://git.kernel.org/stable/c/a17443af874229408ce6b78e2c8a2b5adeb4b7d8 https://git.kernel.org/stable/c/0d15c3611a2cc5d08993545d4032055ae10ae2c1 https://git.kernel.org/stable/c/a3125bc01884431d30d731461634c8295b6f0529 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: eventpoll: defer struct eventpoll free to RCU grace period In certain situations, ep_free() in eventpoll.c will kfree the epi->ep eventpoll struct while it still being used by another concurrent thread. Defer the kfree() to an RCU callback to prevent UAF. | 2026-05-06 | 7.8 | CVE-2026-43074 | https://git.kernel.org/stable/c/a6566cd33f6f967a7651ebf2ce0dd31572e319cf https://git.kernel.org/stable/c/5b1173b165421561db29f30afc7e97d940a398a9 https://git.kernel.org/stable/c/7e8083f5eeedab0f460063b9c2c14c9a4e71a427 https://git.kernel.org/stable/c/ae0bb9c1fb7c2594519aeeb096cf2c3b7837b322 https://git.kernel.org/stable/c/07712db80857d5d09ae08f3df85a708ecfc3b61f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF. The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer. Call trace (crash path): vfs_copy_file_range (fs/read_write.c:1634) do_splice_direct splice_direct_to_actor iter_file_splice_write ocfs2_file_write_iter generic_perform_write ocfs2_write_end ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) memcpy_from_folio <-- KASAN: write OOB So add id_count upper bound check in ocfs2_validate_inode_block() to alongside the existing i_size check to fix it. | 2026-05-06 | 7.8 | CVE-2026-43075 | https://git.kernel.org/stable/c/e2c9dc6b6e96f3585f2a1062ca3374a52db0938f https://git.kernel.org/stable/c/947f953978b0d9463498d548d0f054f5a75be2e9 https://git.kernel.org/stable/c/0c1af902223b6fcedb60904ca0b551254686c7b9 https://git.kernel.org/stable/c/69d3c69ade1e4285ab4ca48fe7acee0767e65604 https://git.kernel.org/stable/c/7bc5da4842bed3252d26e742213741a4d0ac1b14 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate inline data i_size during inode read When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count). This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory. In the syzbot report: - i_size was 1099511627576 bytes (~1TB) - Actual inline data capacity (id_count) is typically <256 bytes - A garbage rec_len (54648) caused ctx->pos to jump out of bounds - This triggered a UAF in ocfs2_check_dir_entry() Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data. | 2026-05-06 | 7.8 | CVE-2026-43076 | https://git.kernel.org/stable/c/37f074e65f24f10f8d8df224a572e4cb9e6faf63 https://git.kernel.org/stable/c/c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b https://git.kernel.org/stable/c/cd2d765aa7157f852999842af32148128c735d39 https://git.kernel.org/stable/c/77d0295725109d77f5854ef5b58c0d06c08168cc https://git.kernel.org/stable/c/1524af3685b35feac76662cc551cbc37bd14775f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl When page reassignment was added to af_alg_pull_tsgl the original loop wasn't updated so it may try to reassign one more page than necessary. Add the check to the reassignment so that this does not happen. Also update the comment which still refers to the obsolete offset argument. | 2026-05-06 | 7.8 | CVE-2026-43078 | https://git.kernel.org/stable/c/fa48d3ea9cdbfb28c1fd6756c6c5cd01351aa51e https://git.kernel.org/stable/c/2b781d1d4f933990318bcc5c68fb75a717379e42 https://git.kernel.org/stable/c/f7826bc0b39928a4a22f6b815dd9940b22a63503 https://git.kernel.org/stable/c/710a4ce5d7afd9fe082c75dec282ab4a11c0fe71 https://git.kernel.org/stable/c/c8369a6d62f5abde9cbd4b62c45bf4b996be2468 https://git.kernel.org/stable/c/dea5fcf085f977b6c2de1b2d4ec4767b6c840d1f https://git.kernel.org/stable/c/9532501e0f1b200ea80baa0e33e0b06da10bb271 https://git.kernel.org/stable/c/31d00156e50ecad37f2cb6cbf04aaa9a260505ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: make hash table per queue Sharing a global hash table among all queues is tempting, but it can cause crash: BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] [..] nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] nfnetlink_rcv_msg+0x46a/0x930 kmem_cache_alloc_node_noprof+0x11e/0x450 struct nf_queue_entry is freed via kfree, but parallel cpu can still encounter such an nf_queue_entry when walking the list. Alternative fix is to free the nf_queue_entry via kfree_rcu() instead, but as we have to alloc/free for each skb this will cause more mem pressure. | 2026-05-06 | 7.8 | CVE-2026-43084 | https://git.kernel.org/stable/c/22730cb96093b5be0609063bbb1923dbecd61252 https://git.kernel.org/stable/c/41e3652a178cb0eecd48e0e6e27fbb73a004046a https://git.kernel.org/stable/c/9e5ebef91120d2764aefe557c3a484b6288f341f https://git.kernel.org/stable/c/936206e3f6ff411581e615e930263d6f8b78df9d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: Wait for RCU readers during policy netns exit xfrm_policy_fini() frees the policy_bydst hash tables after flushing the policy work items and deleting all policies, but it does not wait for concurrent RCU readers to leave their read-side critical sections first. The policy_bydst tables are published via rcu_assign_pointer() and are looked up through rcu_dereference_check(), so netns teardown must also wait for an RCU grace period before freeing the table memory. Fix this by adding synchronize_rcu() before freeing the policy hash tables. | 2026-05-06 | 7.8 | CVE-2026-43091 | https://git.kernel.org/stable/c/b66920a3348c0f63ba18365248fa21fbf0b3a937 https://git.kernel.org/stable/c/438b1f668ad58f46ce699bb48e4698a7839e3f9e https://git.kernel.org/stable/c/3733fce2871c9bca9dd18a1a23b1432ea215a094 https://git.kernel.org/stable/c/33a3149dd81a1e2f52b80ee1e0fc380b39f3d028 https://git.kernel.org/stable/c/069daad4f2ae9c5c108131995529d5f02392c446 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xsk: tighten UMEM headroom validation to account for tailroom and min frame The current headroom validation in xdp_umem_reg() could leave us with insufficient space dedicated to even receive minimum-sized ethernet frame. Furthermore if multi-buffer would come to play then skb_shared_info stored at the end of XSK frame would be corrupted. HW typically works with 128-aligned sizes so let us provide this value as bare minimum. Multi-buffer setting is known later in the configuration process so besides accounting for 128 bytes, let us also take care of tailroom space upfront. | 2026-05-06 | 7.8 | CVE-2026-43093 | https://git.kernel.org/stable/c/a03975beb9f6af0d8ac051e30b2abeabe618414f https://git.kernel.org/stable/c/0ec4d3f6e6934deb843b561ae048cd17218e5ad1 https://git.kernel.org/stable/c/9ea6ba4f3195dcba6e8b3e7b2e748593b7cafb12 https://git.kernel.org/stable/c/6523bc1b40e69301f24c14338b762af4739d6d39 https://git.kernel.org/stable/c/a315e022a72d95ef5f1d4e58e903cb492b0ad931 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer to dev_hold() will cause a kernel crash with null-ptr-deref. Instead, silently discard the request. RFC 8335 does not appear to define a specific response for the case where an IPv6 interface identifier is syntactically valid but the implementation cannot perform the lookup at runtime, and silently dropping the request may safer than misreporting "No Such Interface". | 2026-05-06 | 7.5 | CVE-2026-43099 | https://git.kernel.org/stable/c/47a8bf52156ac7e7a581eca31c1f964ba4258d4d https://git.kernel.org/stable/c/6be325206850a0891896d38bcf83a09d8b54ec48 https://git.kernel.org/stable/c/f91b3ed9e7fa82a70511b5f6901c88379acf2964 https://git.kernel.org/stable/c/5b9911582d441f72fe6ccb15ffe3303bbc07f6f5 https://git.kernel.org/stable/c/fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data() We need to check __in6_dev_get() for possible NULL value, as suggested by Yiming Qian. Also add skb_dst_dev_rcu() instead of skb_dst_dev(), and two missing READ_ONCE(). Note that @dev can't be NULL. | 2026-05-06 | 7.5 | CVE-2026-43101 | https://git.kernel.org/stable/c/4198aab6f000b4febb18ea820fea20634dd789c7 https://git.kernel.org/stable/c/3719c234fa94c37c955b1ecd3742ef280ec135e6 https://git.kernel.org/stable/c/4e65a8b8daa18d63255ec58964dd192c7fdd9f8b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix incorrect dentry refcount in cachefiles_cull() The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the 'rep' dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references. However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost. To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object(). | 2026-05-06 | 7.8 | CVE-2026-43106 | https://git.kernel.org/stable/c/6577df7dc7a7de128442b6192c7a32195c923480 https://git.kernel.org/stable/c/1635c2acdde86c4f555b627aec873c8677c421ed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: roccat: fix use-after-free in roccat_report_event roccat_report_event() iterates over the device->readers list without holding the readers_lock. This allows a concurrent roccat_release() to remove and free a reader while it's still being accessed, leading to a use-after-free. Protect the readers list traversal with the readers_lock mutex. | 2026-05-06 | 7.8 | CVE-2026-43111 | https://git.kernel.org/stable/c/e6a445513fbc6a0329d2d5ff375b6725750ec5a6 https://git.kernel.org/stable/c/e16a6d11bd77b81632165f02cf0d5946df74b3b7 https://git.kernel.org/stable/c/36bb2d0b915014bbdc5044982b31b57b78045b93 https://git.kernel.org/stable/c/bca0b595e15450dd66b1153c76c4ef1087ee011b https://git.kernel.org/stable/c/d802d848308b35220f21a8025352f0c0aba15c12 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ensure safe access to master conntrack Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making exp->master invalid. To access exp->master safely: - Grab the nf_conntrack_expect_lock, this gets serialized with clean_from_lists() which also holds this lock when the master conntrack goes away. - Hold reference on master conntrack via nf_conntrack_find_get(). Not so easy since the master tuple to look up for the master conntrack is not available in the existing problematic paths. This patch goes for extending the nf_conntrack_expect_lock section to address this issue for simplicity, in the cases that are described below this is just slightly extending the lock section. The add expectation command already holds a reference to the master conntrack from ctnetlink_create_expect(). However, the delete expectation command needs to grab the spinlock before looking up for the expectation. Expand the existing spinlock section to address this to cover the expectation lookup. Note that, the nf_ct_expect_iterate_net() calls already grabs the spinlock while iterating over the expectation table, which is correct. The get expectation command needs to grab the spinlock to ensure master conntrack does not go away. This also expands the existing spinlock section to cover the expectation lookup too. I needed to move the netlink skb allocation out of the spinlock to keep it GFP_KERNEL. For the expectation events, the IPEXP_DESTROY event is already delivered under the spinlock, just move the delivery of IPEXP_NEW under the spinlock too because the master conntrack event cache is reached through exp->master. While at it, add lockdep notations to help identify what codepaths need to grab the spinlock. | 2026-05-06 | 7.8 | CVE-2026-43116 | https://git.kernel.org/stable/c/f338ced0473849c9f6ed0b77ca99f1aab5826787 https://git.kernel.org/stable/c/497f99b26fffdc5635706d1b4811f1ed8ee21a5b https://git.kernel.org/stable/c/bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix double free related to rereg_user_mr If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL. The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again. Fix this by setting iwmr->region to NULL after ib_umem_release. Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region") | 2026-05-06 | 7.8 | CVE-2026-43120 | https://git.kernel.org/stable/c/62298a48f8b8788ad8b8464e6ffdf1ddebd2217e https://git.kernel.org/stable/c/66964118f1f50ed85001c8fc9f7ab5bbdd021ee0 https://git.kernel.org/stable/c/0f22c32141acdcda266b26cab2b830baf870f3e0 https://git.kernel.org/stable/c/0c5d70bcb9d2275a1c8515a924016fcfeb4ab441 https://git.kernel.org/stable/c/29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: mixer: oss: Add card disconnect checkpoints ALSA OSS mixer layer calls the kcontrol ops rather individually, and pending calls might be not always caught at disconnecting the device. For avoiding the potential UAF scenarios, add sanity checks of the card disconnection at each entry point of OSS mixer accesses. The rwsem is taken just before that check, hence the rest context should be covered by that properly. | 2026-05-06 | 7.8 | CVE-2026-43126 | https://git.kernel.org/stable/c/ae583f113d15fa97e5234133c20d09f8e6214e47 https://git.kernel.org/stable/c/e6645e625480cdf1079a4265f758d13b70721029 https://git.kernel.org/stable/c/8c097cf736993454acf3f711a3b376d6c7ad8965 https://git.kernel.org/stable/c/084d5d44418148662365eced3e126ad1a81ee3e2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix double dma_buf_unpin in failure path In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the umem_dmabuf->pinned flag is still set. Then, when ib_umem_release() is called, it calls ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again. Fix this by removing the immediate unpin upon failure and just let the ib_umem_release/revoke path handle it. This also ensures the proper unmap-unpin unwind ordering if the dmabuf_map_pages call happened to fail due to dma_resv_wait_timeout (and therefore has a non-NULL umem_dmabuf->sgt). | 2026-05-06 | 7.8 | CVE-2026-43128 | https://git.kernel.org/stable/c/70542b69abff34d24b11ae0bb200cc7a766d18df https://git.kernel.org/stable/c/b324327ff6f48d8065dca67eb3b91357e72726bd https://git.kernel.org/stable/c/ba3bf0f1bf1d5d0404678485e872980532fcc2c4 https://git.kernel.org/stable/c/d3e32e2f3262f1b25d77c085ace38e2cc4ad75cf https://git.kernel.org/stable/c/40126bcbefa79ea86672e05dae608596bab38319 https://git.kernel.org/stable/c/104016eb671e19709721c1b0048dd912dc2e96be |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation Commit cc3ed80ae69f ("KVM: nSVM: always use vmcb01 to for vmsave/vmload of guest state") made KVM always use vmcb01 for the fields controlled by VMSAVE/VMLOAD, but it missed updating the VMLOAD/VMSAVE emulation code to always use vmcb01. As a result, if VMSAVE/VMLOAD is executed by an L2 guest and is not intercepted by L1, KVM will mistakenly use vmcb02. Always use vmcb01 instead of the current VMCB. | 2026-05-06 | 7.9 | CVE-2026-43133 | https://git.kernel.org/stable/c/10063e1251c1485034a018236080792ad083dcc5 https://git.kernel.org/stable/c/c3b7015000988ba35ecd5648f4b2283960f00543 https://git.kernel.org/stable/c/3880e331b0b31d0d5d3702b124f6c93539cd478a https://git.kernel.org/stable/c/fce2fd4a2ca05670a91015aacccf96a1c26268fd https://git.kernel.org/stable/c/d464cf1ed900d47c85393d40b00017b6adfc2e6c https://git.kernel.org/stable/c/0004ecb798b30e90d7ebfe74efae2d9423315a64 https://git.kernel.org/stable/c/127ccae2c185f62e6ecb4bf24f9cb307e9b9c619 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/arm-cmn: Reject unsupported hardware configurations So far we've been fairly lax about accepting both unknown CMN models (at least with a warning), and unknown revisions of those which we do know, as although things do frequently change between releases, typically enough remains the same to be somewhat useful for at least some basic bringup checks. However, we also make assumptions of the maximum supported sizes and numbers of things in various places, and there's no guarantee that something new might not be bigger and lead to nasty array overflows. Make sure we only try to run on things that actually match our assumptions and so will not risk memory corruption. We have at least always failed on completely unknown node types, so update that error message for clarity and consistency too. | 2026-05-06 | 7.8 | CVE-2026-43150 | https://git.kernel.org/stable/c/7e2c200010aa93fa78201da959b4ac6b9f8fed0b https://git.kernel.org/stable/c/d3e837e11ee9ed08df229272319199003ba00379 https://git.kernel.org/stable/c/00d69f21ef2ab00e6156c764d89e2b3539eb2f33 https://git.kernel.org/stable/c/08c7eadd8a934a1968e1aeeee8b61b853b99fb3a https://git.kernel.org/stable/c/a251d866f50b6a4c95901fa722025065679c2eca https://git.kernel.org/stable/c/36c0de02575ce59dfd879eb4ef63d53a68bbf9ce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: remove xfs_attr_leaf_hasname The calling convention of xfs_attr_leaf_hasname() is problematic, because it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfs_attr3_leaf_lookup_int fails with other error values. Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so that the buffer release code is done by each caller of xfs_attr3_leaf_read. | 2026-05-06 | 7.8 | CVE-2026-43153 | https://git.kernel.org/stable/c/2fbc8421d1db102c0e5458607e042a23a03648b1 https://git.kernel.org/stable/c/457121c01f609b9934addbb04d5c1ef638c71c61 https://git.kernel.org/stable/c/530082df991903f3330354e99e0cb7b05debfa86 https://git.kernel.org/stable/c/3a65ea768b8094e4699e72f9ab420eb9e0f3f568 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: udplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb(). syzbot reported null-ptr-deref of udp_sk(sk)->udp_prod_queue. [0] Since the cited commit, udp_lib_init_sock() can fail, as can udp_init_sock() and udpv6_init_sock(). Let's handle the error in udplite_sk_init() and udplitev6_sk_init(). [0]: BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719 Read of size 4 at addr 0000000000000008 by task syz.2.18/2944 CPU: 1 UID: 0 PID: 2944 Comm: syz.2.18 Not tainted syzkaller #0 PREEMPTLAZY Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <IRQ> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 kasan_report+0xa2/0xe0 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200 instrument_atomic_read include/linux/instrumented.h:82 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719 __udpv6_queue_rcv_skb net/ipv6/udp.c:795 [inline] udpv6_queue_rcv_one_skb+0xa2e/0x1ad0 net/ipv6/udp.c:906 udp6_unicast_rcv_skb+0x227/0x380 net/ipv6/udp.c:1064 ip6_protocol_deliver_rcu+0xe17/0x1540 net/ipv6/ip6_input.c:438 ip6_input_finish+0x191/0x350 net/ipv6/ip6_input.c:489 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318 ip6_input+0x16c/0x2b0 net/ipv6/ip6_input.c:500 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6149 [inline] __netif_receive_skb+0xd3/0x370 net/core/dev.c:6262 process_backlog+0x4d6/0x1160 net/core/dev.c:6614 __napi_poll+0xae/0x320 net/core/dev.c:7678 napi_poll net/core/dev.c:7741 [inline] net_rx_action+0x60d/0xdc0 net/core/dev.c:7893 handle_softirqs+0x209/0x8d0 kernel/softirq.c:622 do_softirq+0x52/0x90 kernel/softirq.c:523 </IRQ> <TASK> __local_bh_enable_ip+0xe7/0x120 kernel/softirq.c:450 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline] __dev_queue_xmit+0x109c/0x2dc0 net/core/dev.c:4856 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x158/0x4e0 net/ipv6/ip6_output.c:219 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x342/0x580 net/ipv6/ip6_output.c:246 ip6_send_skb+0x1d7/0x3c0 net/ipv6/ip6_output.c:1984 udp_v6_send_skb+0x9a5/0x1770 net/ipv6/udp.c:1442 udp_v6_push_pending_frames+0xa2/0x140 net/ipv6/udp.c:1469 udpv6_sendmsg+0xfe0/0x2830 net/ipv6/udp.c:1759 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xe5/0x270 net/socket.c:742 __sys_sendto+0x3eb/0x580 net/socket.c:2206 __do_sys_sendto net/socket.c:2213 [inline] __se_sys_sendto net/socket.c:2209 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2209 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd2/0xf20 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f67b4d9c629 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f67b5c98028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f67b5015fa0 RCX: 00007f67b4d9c629 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f67b4e32b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000040000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f67b5016038 R14: 00007f67b5015fa0 R15: 00007ffe3cb66dd8 </TASK> | 2026-05-06 | 7.5 | CVE-2026-43164 | https://git.kernel.org/stable/c/f27030ac5bef47d997cfac05a3d188aa69f4df7f https://git.kernel.org/stable/c/0f13fa087ead642ea1eb5fdb6eb092c913ef06b7 https://git.kernel.org/stable/c/470c7ca2b4c3e3a51feeb952b7f97a775b5c49cd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix interlaced plain identification for encoded extents Only plain data whose start position and on-disk physical length are both aligned to the block size should be classified as interlaced plain extents. Otherwise, it must be treated as shifted plain extents. This issue was found by syzbot using a crafted compressed image containing plain extents with unaligned physical lengths, which can cause OOB read in z_erofs_transform_plain(). | 2026-05-06 | 7.1 | CVE-2026-43166 | https://git.kernel.org/stable/c/9d5a97bc71ed5783687705c708454c4453aa91d1 https://git.kernel.org/stable/c/d3790f26d38606f020212486359b84632c19d08b https://git.kernel.org/stable/c/4a2d046e4b13202a6301a993961f5b30ae4d7119 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: procfs: fix possible double mmput() in do_procmap_query() When user provides incorrectly sized buffer for build ID for PROCMAP_QUERY we return with -ENAMETOOLONG error. After recent changes this condition happens later, after we unlocked mmap_lock/per-VMA lock and did mmput(), so original goto out is now wrong and will double-mmput() mm_struct. Fix by jumping further to clean up only vm_file and name_buf. | 2026-05-06 | 7.8 | CVE-2026-43178 | https://git.kernel.org/stable/c/f9fe092084cd04deea18747f58a2304026e76aaa https://git.kernel.org/stable/c/8adaff87db143583e08eec4f4e7788f1ef8af94d https://git.kernel.org/stable/c/90f5e87c9b75833b9ef3a4415b92c0247f28ab2f https://git.kernel.org/stable/c/61dc9f776705d6db6847c101b98fa4f0e9eb6fa3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls netif_stop_queue() and netif_wake_queue(). These are TX queue flow control functions unrelated to RX multicast configuration. The premature netif_wake_queue() can re-enable TX while tx_urb is still in-flight, leading to a double usb_submit_urb() on the same URB: kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); } kaweth_set_rx_mode() { netif_stop_queue(); netif_wake_queue(); // wakes TX queue before URB is done } kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); // URB submitted while active } This triggers the WARN in usb_submit_urb(): "URB submitted while active" This is a similar class of bug fixed in rtl8150 by - commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast"). Also kaweth_set_rx_mode() is already functionally broken, the real set_rx_mode action is performed by kaweth_async_set_rx_mode(), which in turn is not a no-op only at ndo_open() time. | 2026-05-06 | 7.8 | CVE-2026-43180 | https://git.kernel.org/stable/c/443a830b1dc4f85c7560da59d4494b629feee215 https://git.kernel.org/stable/c/586318c2730433184c6f1d21183e346ddf25e81d https://git.kernel.org/stable/c/a2cd4b4db315a845a5603d08c9d03b11ddfc799d https://git.kernel.org/stable/c/ef9b10a020503888eb6c8ed85a3d901a624ede4c https://git.kernel.org/stable/c/9c79b839a63980c7da7ec5db895198045e154112 https://git.kernel.org/stable/c/fc393af769af845d9985e2845e49553d8f015a64 https://git.kernel.org/stable/c/8367c0e90126426e60581e4c07e1ec4411a0f843 https://git.kernel.org/stable/c/64868f5ecadeb359a49bc4485bfa7c497047f13a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rnbd-srv: Zero the rsp buffer before using it Before using the data buffer to send back the response message, zero it completely. This prevents any stray bytes to be picked up by the client side when there the message is exchanged between different protocol versions. | 2026-05-06 | 7.5 | CVE-2026-43184 | https://git.kernel.org/stable/c/e4272754063d52c9ad0169865add8816ba696471 https://git.kernel.org/stable/c/e2cacec7d4291300a282feb3af8eba57b93b15aa https://git.kernel.org/stable/c/b646e54d23b9b592d612a2036aab14e0f6c14206 https://git.kernel.org/stable/c/30868a6a5238849d554295aff3ce61d242d7fad8 https://git.kernel.org/stable/c/7aac0a30dcf41cdb510526740d9a2ab1520c5d98 https://git.kernel.org/stable/c/c94ede3c436dfbd9cedd9cb69f604f6fc901b6a2 https://git.kernel.org/stable/c/852475278ca5e96e0c0275950e1a84203e602b33 https://git.kernel.org/stable/c/69d26698e4fd44935510553809007151b2fe4db5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: consume xmit errors of GSO frames udpgro_frglist.sh and udpgro_bench.sh are the flakiest tests currently in NIPA. They fail in the same exact way, TCP GRO test stalls occasionally and the test gets killed after 10min. These tests use veth to simulate GRO. They attach a trivial ("return XDP_PASS;") XDP program to the veth to force TSO off and NAPI on. Digging into the failure mode we can see that the connection is completely stuck after a burst of drops. The sender's snd_nxt is at sequence number N [1], but the receiver claims to have received (rcv_nxt) up to N + 3 * MSS [2]. Last piece of the puzzle is that senders rtx queue is not empty (let's say the block in the rtx queue is at sequence number N - 4 * MSS [3]). In this state, sender sends a retransmission from the rtx queue with a single segment, and sequence numbers N-4*MSS:N-3*MSS [3]. Receiver sees it and responds with an ACK all the way up to N + 3 * MSS [2]. But sender will reject this ack as TCP_ACK_UNSENT_DATA because it has no recollection of ever sending data that far out [1]. And we are stuck. The root cause is the mess of the xmit return codes. veth returns an error when it can't xmit a frame. We end up with a loss event like this: ------------------------------------------------- | GSO super frame 1 | GSO super frame 2 | |-----------------------------------------------| | seg | seg | seg | seg | seg | seg | seg | seg | | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | ------------------------------------------------- x ok ok <ok>| ok ok ok <x> \\ snd_nxt "x" means packet lost by veth, and "ok" means it went thru. Since veth has TSO disabled in this test it sees individual segments. Segment 1 is on the retransmit queue and will be resent. So why did the sender not advance snd_nxt even tho it clearly did send up to seg 8? tcp_write_xmit() interprets the return code from the core to mean that data has not been sent at all. Since TCP deals with GSO super frames, not individual segment the crux of the problem is that loss of a single segment can be interpreted as loss of all. TCP only sees the last return code for the last segment of the GSO frame (in <> brackets in the diagram above). Of course for the problem to occur we need a setup or a device without a Qdisc. Otherwise Qdisc layer disconnects the protocol layer from the device errors completely. We have multiple ways to fix this. 1) make veth not return an error when it lost a packet. While this is what I think we did in the past, the issue keeps reappearing and it's annoying to debug. The game of whack a mole is not great. 2) fix the damn return codes We only talk about NETDEV_TX_OK and NETDEV_TX_BUSY in the documentation, so maybe we should make the return code from ndo_start_xmit() a boolean. I like that the most, but perhaps some ancient, not-really-networking protocol would suffer. 3) make TCP ignore the errors It is not entirely clear to me what benefit TCP gets from interpreting the result of ip_queue_xmit()? Specifically once the connection is established and we're pushing data - packet loss is just packet loss? 4) this fix Ignore the rc in the Qdisc-less+GSO case, since it's unreliable. We already always return OK in the TCQ_F_CAN_BYPASS case. In the Qdisc-less case let's be a bit more conservative and only mask the GSO errors. This path is taken by non-IP-"networks" like CAN, MCTP etc, so we could regress some ancient thing. This is the simplest, but also maybe the hackiest fix? Similar fix has been proposed by Eric in the past but never committed because original reporter was working with an OOT driver and wasn't providing feedback (see Link). | 2026-05-06 | 7.5 | CVE-2026-43194 | https://git.kernel.org/stable/c/ae3f627b45fbc3c776a4e484696f3cad7cbb4eca https://git.kernel.org/stable/c/0c9de092ef8c50a7ee9612811566f0aa81d8d7b6 https://git.kernel.org/stable/c/56bd32c0edca34041a5c215887fcf562fae2e2db https://git.kernel.org/stable/c/9ac6aebef4b4bfc5ed408b0b65645981574bc780 https://git.kernel.org/stable/c/ea5d7787635e26ec1194ec7eec0e8e5ae3bd10a5 https://git.kernel.org/stable/c/4cb163e9efcac4cd35c3043e097f25081a5c015c https://git.kernel.org/stable/c/c86901d22c89a6bf4e2f013e948aaabc60869893 https://git.kernel.org/stable/c/7aa767d0d3d04e50ae94e770db7db8197f666970 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix "scheduling while atomic" in IPsec MAC address query Fix a "scheduling while atomic" bug in mlx5e_ipsec_init_macs() by replacing mlx5_query_mac_address() with ether_addr_copy() to get the local MAC address directly from netdev->dev_addr. The issue occurs because mlx5_query_mac_address() queries the hardware which involves mlx5_cmd_exec() that can sleep, but it is called from the mlx5e_ipsec_handle_event workqueue which runs in atomic context. The MAC address is already available in netdev->dev_addr, so no need to query hardware. This avoids the sleeping call and resolves the bug. Call trace: BUG: scheduling while atomic: kworker/u112:2/69344/0x00000200 __schedule+0x7ab/0xa20 schedule+0x1c/0xb0 schedule_timeout+0x6e/0xf0 __wait_for_common+0x91/0x1b0 cmd_exec+0xa85/0xff0 [mlx5_core] mlx5_cmd_exec+0x1f/0x50 [mlx5_core] mlx5_query_nic_vport_mac_address+0x7b/0xd0 [mlx5_core] mlx5_query_mac_address+0x19/0x30 [mlx5_core] mlx5e_ipsec_init_macs+0xc1/0x720 [mlx5_core] mlx5e_ipsec_build_accel_xfrm_attrs+0x422/0x670 [mlx5_core] mlx5e_ipsec_handle_event+0x2b9/0x460 [mlx5_core] process_one_work+0x178/0x2e0 worker_thread+0x2ea/0x430 | 2026-05-06 | 7.5 | CVE-2026-43199 | https://git.kernel.org/stable/c/e1407fb7c337373dfaaae2445d828b0b9ae26a29 https://git.kernel.org/stable/c/57957bc7f1865778ec9b1618e15515feb6df7eb4 https://git.kernel.org/stable/c/546de94e41e92e1f7dc6213615fb7c794d05db98 https://git.kernel.org/stable/c/859380694f434597407632c29f30fdb5e763e6cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: atm: fore200e: fix use-after-free in tasklets during device removal When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx_tasklet or rx_tasklet may still be running or pending, leading to use-after-free bug when the already freed fore200e is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet(). One of the race conditions can occur as follows: CPU 0 (cleanup) | CPU 1 (tasklet) fore200e_pca_remove_one() | fore200e_interrupt() fore200e_shutdown() | tasklet_schedule() kfree(fore200e) | fore200e_tx_tasklet() | fore200e-> // UAF Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to synchronize with any pending or running tasklets. Moreover, since fore200e_reset() could prevent further interrupts or data transfers, the tasklet_kill() should be placed after fore200e_reset() to prevent the tasklet from being rescheduled in fore200e_interrupt(). Finally, it only needs to do tasklet_kill() when the fore200e state is greater than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized in earlier states. In a word, the tasklet_kill() should be placed in the FORE200E_STATE_IRQ branch within the switch...case structure. This bug was identified through static analysis. | 2026-05-06 | 7.5 | CVE-2026-43203 | https://git.kernel.org/stable/c/91f25749aaf57c47ae1e12478144e6ea8c8562f2 https://git.kernel.org/stable/c/73fbc5d1a9ccb626937500bbd67136f077d8237b https://git.kernel.org/stable/c/aba0b4bc09376dfc3d53c826514fe38fc8337f52 https://git.kernel.org/stable/c/e075ec9b08f862dade8011481058f7eb5f716c57 https://git.kernel.org/stable/c/97900f512252a59f23d6ce4ab215cc88fed66e68 https://git.kernel.org/stable/c/e4ff4e3ffcf9d5aad380cdd1d8cdc008bb34f97d https://git.kernel.org/stable/c/5189368f10903956be05062d160b2804bf5e5016 https://git.kernel.org/stable/c/8930878101cd40063888a68af73b1b0f8b6c79bc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of bounds kernel memory write by passing a small buffer, leading to potential privilege escalation. | 2026-05-06 | 7.8 | CVE-2026-43206 | https://git.kernel.org/stable/c/3e04bc310d80b46eaf481f1fefcbcb37a187412d https://git.kernel.org/stable/c/de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f https://git.kernel.org/stable/c/b4034442cb090e4a980bdcc1540948606cbc951b https://git.kernel.org/stable/c/4857c37c7ba9aa38b9a4c694e8bd8d0091c87940 https://git.kernel.org/stable/c/75fb57efdd7863fffbc39db23e9cad7aafda26ed https://git.kernel.org/stable/c/bfcd6b53e1f4feb182952f4ff9a137c36ceaf20b https://git.kernel.org/stable/c/4e72f419e4ed44cb3b60506752d8688c20a60a9b https://git.kernel.org/stable/c/8a70a26c9f34baea6c3199a9862ddaff4554a96d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix error handling in probe function Add mtk_mdp_unregister_m2m_device() on the error handling path to prevent resource leak. Add check for the return value of vpu_get_plat_device() to prevent null pointer dereference. And vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak. | 2026-05-06 | 7.8 | CVE-2026-43207 | https://git.kernel.org/stable/c/9d9c67976eda502edc6b3a148a1c5b6a18b69a98 https://git.kernel.org/stable/c/0bc43eaf021347f8d5aba87712c36b799695eec6 https://git.kernel.org/stable/c/9d7962d5c81d6cf3f8dbdb5c71c57600bac5772b https://git.kernel.org/stable/c/12cafc15d24611bfb43c82877b1bbb7454a85d5a https://git.kernel.org/stable/c/c8737d33d4e8ffae87e5d5edac17f8a705235cc2 https://git.kernel.org/stable/c/b3fc99fe5b25613dd61c57bc70b8479adff4f60d https://git.kernel.org/stable/c/2e8f53a7382943411557e370f1a4f3946624a30e https://git.kernel.org/stable/c/8a8a3232abac5b972058a5f2cb3e33199d2a8648 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: Fix pci_slot_trylock() error handling Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in pci_slot_trylock(), but it forgets to remove the corresponding pci_dev_unlock() when pci_bus_trylock() fails. Before a4e772898f8b, the code did: if (!pci_dev_trylock(dev)) /* <- lock bridge device */ goto unlock; if (dev->subordinate) { if (!pci_bus_trylock(dev->subordinate)) { pci_dev_unlock(dev); /* <- unlock bridge device */ goto unlock; } } After a4e772898f8b the bridge-device lock is no longer taken, but the pci_dev_unlock(dev) on the failure path was left in place, leading to the bug. This yields one of two errors: 1. A warning that the lock is being unlocked when no one holds it. 2. An incorrect unlock of a lock that belongs to another thread. Fix it by removing the now-redundant pci_dev_unlock(dev) on the failure path. [Same patch later posted by Keith at https://patch.msgid.link/20260116184150.3013258-1-kbusch@meta.com] | 2026-05-06 | 7.8 | CVE-2026-43211 | https://git.kernel.org/stable/c/ebb27b7399ab8b9eb1f792b329aa5f6250c590d4 https://git.kernel.org/stable/c/fbe06a3058114bf95a17a4941b205f4b321c6f0a https://git.kernel.org/stable/c/943ed56606a7ab2fe5a99cad572dd17d484310c7 https://git.kernel.org/stable/c/a19b61fdb958ffadbba85b43c991eb9fc70c1c1c https://git.kernel.org/stable/c/0425aaf20b407d2f2cf3bf469808e4a35f9abb8b https://git.kernel.org/stable/c/bd435f4b738130d732ef64e0e57e45185f77165d https://git.kernel.org/stable/c/8b08ea9690b212b7bf7f12414039259cf34b1aa0 https://git.kernel.org/stable/c/9368d1ee62829b08aa31836b3ca003803caf0b72 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE The arch definition of cpumask_of_node() cannot handle NUMA_NO_NODE - which is a valid index - so add a check for this. | 2026-05-06 | 7.8 | CVE-2026-43212 | https://git.kernel.org/stable/c/b5bf05e05cdf489a04137e4da407de9d4cca5295 https://git.kernel.org/stable/c/bb1a54f7f011f19ed936632698eae574e0b91063 https://git.kernel.org/stable/c/92adfb707beec0fe956424373654a70aad35ea13 https://git.kernel.org/stable/c/61a56df2fbaad3a4d00f0c6a904b5d1ee8982eb4 https://git.kernel.org/stable/c/1d8f2f024801019d85159a020b72a4424b46bcf4 https://git.kernel.org/stable/c/94b0c831eda778ae9e4f2164a8b3de485d8977bb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate sequence number of TX release report Hardware rarely reports abnormal sequence number in TX release report, which will access out-of-bounds of wd_ring->pages array, causing NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1085 Comm: irq/129-rtw89_p Tainted: G S U 6.1.145-17510-g2f3369c91536 #1 (HASH:69e8 1) Call Trace: <IRQ> rtw89_pci_release_tx+0x18f/0x300 [rtw89_pci (HASH:4c83 2)] rtw89_pci_napi_poll+0xc2/0x190 [rtw89_pci (HASH:4c83 2)] net_rx_action+0xfc/0x460 net/core/dev.c:6578 net/core/dev.c:6645 net/core/dev.c:6759 handle_softirqs+0xbe/0x290 kernel/softirq.c:601 ? rtw89_pci_interrupt_threadfn+0xc5/0x350 [rtw89_pci (HASH:4c83 2)] __local_bh_enable_ip+0xeb/0x120 kernel/softirq.c:499 kernel/softirq.c:423 </IRQ> <TASK> rtw89_pci_interrupt_threadfn+0xf8/0x350 [rtw89_pci (HASH:4c83 2)] ? irq_thread+0xa7/0x340 kernel/irq/manage.c:0 irq_thread+0x177/0x340 kernel/irq/manage.c:1205 kernel/irq/manage.c:1314 ? thaw_kernel_threads+0xb0/0xb0 kernel/irq/manage.c:1202 ? irq_forced_thread_fn+0x80/0x80 kernel/irq/manage.c:1220 kthread+0xea/0x110 kernel/kthread.c:376 ? synchronize_irq+0x1a0/0x1a0 kernel/irq/manage.c:1287 ? kthread_associate_blkcg+0x80/0x80 kernel/kthread.c:331 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> To prevent crash, validate rpp_info.seq before using. | 2026-05-06 | 7.5 | CVE-2026-43213 | https://git.kernel.org/stable/c/ef7fa19809b2d892d45da53f90ac698d13c367fd https://git.kernel.org/stable/c/b342dd13aedccb0dd27365f6cc63a262f42394ce https://git.kernel.org/stable/c/957eda596c7665f2966970fd1dcc35fe299b38e8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2() Add SRCU read-side protection when reading PDPTR registers in __get_sregs2(). Reading PDPTRs may trigger access to guest memory: kvm_pdptr_read() -> svm_cache_reg() -> load_pdptrs() -> kvm_vcpu_read_guest_page() -> kvm_vcpu_gfn_to_memslot() kvm_vcpu_gfn_to_memslot() dereferences memslots via __kvm_memslots(), which uses srcu_dereference_check() and requires either kvm->srcu or kvm->slots_lock to be held. Currently only vcpu->mutex is held, triggering lockdep warning: ============================= WARNING: suspicious RCU usage in kvm_vcpu_gfn_to_memslot 6.12.59+ #3 Not tainted include/linux/kvm_host.h:1062 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz.5.1717/15100: #0: ff1100002f4b00b0 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x1d5/0x1590 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xf0/0x120 lib/dump_stack.c:120 lockdep_rcu_suspicious+0x1e3/0x270 kernel/locking/lockdep.c:6824 __kvm_memslots include/linux/kvm_host.h:1062 [inline] __kvm_memslots include/linux/kvm_host.h:1059 [inline] kvm_vcpu_memslots include/linux/kvm_host.h:1076 [inline] kvm_vcpu_gfn_to_memslot+0x518/0x5e0 virt/kvm/kvm_main.c:2617 kvm_vcpu_read_guest_page+0x27/0x50 virt/kvm/kvm_main.c:3302 load_pdptrs+0xff/0x4b0 arch/x86/kvm/x86.c:1065 svm_cache_reg+0x1c9/0x230 arch/x86/kvm/svm/svm.c:1688 kvm_pdptr_read arch/x86/kvm/kvm_cache_regs.h:141 [inline] __get_sregs2 arch/x86/kvm/x86.c:11784 [inline] kvm_arch_vcpu_ioctl+0x3e20/0x4aa0 arch/x86/kvm/x86.c:6279 kvm_vcpu_ioctl+0x856/0x1590 virt/kvm/kvm_main.c:4663 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xbd/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2026-05-06 | 7.8 | CVE-2026-43214 | https://git.kernel.org/stable/c/f621ca24f9f489e226e22560761b04884984133b https://git.kernel.org/stable/c/708e20c66b2761d878a2bc3c7534e7f814e4dec5 https://git.kernel.org/stable/c/9f2bfea51151dfbb24b52f452eb3d5f5fe0e506e https://git.kernel.org/stable/c/57536ff0a6bd69a5808d682925202babdb5ddc13 https://git.kernel.org/stable/c/b33f8d816950b10e7879cd8ffd7ae4b649ada4db https://git.kernel.org/stable/c/95d848dc7e639988dbb385a8cba9b484607cf98c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: verisilicon: AV1: Fix tile info buffer size Each tile info is composed of: row_sb, col_sb, start_pos and end_pos (4 bytes each). So the total required memory is AV1_MAX_TILES * 16 bytes. Use the correct #define to allocate the buffer and avoid writing tile info in non-allocated memory. | 2026-05-06 | 7.8 | CVE-2026-43222 | https://git.kernel.org/stable/c/a5b1ddbe31f49b4da78642157589970e9b60a231 https://git.kernel.org/stable/c/34f36f9c6114af781a5a4f7a7c99334c85b73fc7 https://git.kernel.org/stable/c/f122f2b3ce9dbde60bf7ab0b180fe4a01f9d9bc4 https://git.kernel.org/stable/c/74abfadd7ef5ac9f3a6111d550cc651d1457c641 https://git.kernel.org/stable/c/a505ca2db89ad92a8d8d27fa68ebafb12e04a679 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/rds: No shortcut out of RDS_CONN_ERROR RDS connections carry a state "rds_conn_path::cp_state" and transitions from one state to another and are conditional upon an expected state: "rds_conn_path_transition." There is one exception to this conditionality, which is "RDS_CONN_ERROR" that can be enforced by "rds_conn_path_drop" regardless of what state the condition is currently in. But as soon as a connection enters state "RDS_CONN_ERROR", the connection handling code expects it to go through the shutdown-path. The RDS/TCP multipath changes added a shortcut out of "RDS_CONN_ERROR" straight back to "RDS_CONN_CONNECTING" via "rds_tcp_accept_one_path" (e.g. after "rds_tcp_state_change"). A subsequent "rds_tcp_reset_callbacks" can then transition the state to "RDS_CONN_RESETTING" with a shutdown-worker queued. That'll trip up "rds_conn_init_shutdown", which was never adjusted to handle "RDS_CONN_RESETTING" and subsequently drops the connection with the dreaded "DR_INV_CONN_STATE", which leaves "RDS_SHUTDOWN_WORK_QUEUED" on forever. So we do two things here: a) Don't shortcut "RDS_CONN_ERROR", but take the longer path through the shutdown code. b) Add "RDS_CONN_RESETTING" to the expected states in "rds_conn_init_shutdown" so that we won't error out and get stuck, if we ever hit weird state transitions like this again." | 2026-05-06 | 7.5 | CVE-2026-43226 | https://git.kernel.org/stable/c/9bcd7c00691a2db9745817d5ea79262a503b135c https://git.kernel.org/stable/c/a179ac7be8f5a650d0068040705f4cddd6ca369c https://git.kernel.org/stable/c/19e384a7d00d888303a8285977cdf1970c6cccd6 https://git.kernel.org/stable/c/f0f729bdffb08af32e0f54521b81b8a9e0321f16 https://git.kernel.org/stable/c/81248b1eb3c5954cc1fc7b33b7c03e34d20cb8c8 https://git.kernel.org/stable/c/899ef00963ce76f9fc421a7d02335fe4ead6389b https://git.kernel.org/stable/c/9ff599a9be784a808c36765086e3db2144aa3b66 https://git.kernel.org/stable/c/ad22d24be635c6beab6a1fdd3f8b1f3c478d15da |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/rds: Clear reconnect pending bit When canceling the reconnect worker, care must be taken to reset the reconnect-pending bit. If the reconnect worker has not yet been scheduled before it is canceled, the reconnect-pending bit will stay on forever. | 2026-05-06 | 7.5 | CVE-2026-43230 | https://git.kernel.org/stable/c/3cf001aff71b1db1b4732a5381b012a114720664 https://git.kernel.org/stable/c/60b347333ec259ac7352f62cbbc365b04c065ff8 https://git.kernel.org/stable/c/597c46a42930c963f448720aaf5001dd4ed98af4 https://git.kernel.org/stable/c/391200c274e90c34071b909ba12e3390b81b767f https://git.kernel.org/stable/c/ba2e3472022f44baddf000621fed150d7a599ea3 https://git.kernel.org/stable/c/14eae5564053ac3973b9369dc674638f22f4765e https://git.kernel.org/stable/c/bcf034fa5f66b6a3e787f765a917934a2045cf7a https://git.kernel.org/stable/c/b89fc7c2523b2b0750d91840f4e52521270d70ed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying the atmel_hlcdc_plane state structure without properly duplicating the drm_plane_state. In particular, state->commit remained set to the old state commit, which can lead to a use-after-free in the next drm_atomic_commit() call. Fix this by calling __drm_atomic_helper_duplicate_plane_state(), which correctly clones the base drm_plane_state (including the ->commit pointer). It has been seen when closing and re-opening the device node while another DRM client (e.g. fbdev) is still attached: ============================================================================= BUG kmalloc-64 (Not tainted): Poison overwritten ----------------------------------------------------------------------------- 0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0 pid=29 drm_atomic_helper_setup_commit+0x1e8/0x7bc drm_atomic_helper_commit+0x3c/0x15c drm_atomic_commit+0xc0/0xf4 drm_framebuffer_remove+0x4cc/0x5a8 drm_mode_rmfb_work_fn+0x6c/0x80 process_one_work+0x12c/0x2cc worker_thread+0x2a8/0x400 kthread+0xc0/0xdc ret_from_fork+0x14/0x28 Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0 pid=169 drm_atomic_helper_commit_hw_done+0x100/0x150 drm_atomic_helper_commit_tail+0x64/0x8c commit_tail+0x168/0x18c drm_atomic_helper_commit+0x138/0x15c drm_atomic_commit+0xc0/0xf4 drm_atomic_helper_set_config+0x84/0xb8 drm_mode_setcrtc+0x32c/0x810 drm_ioctl+0x20c/0x488 sys_ioctl+0x14c/0xc20 ret_fast_syscall+0x0/0x54 Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0 flags=0x200(workingset|zone=0) Object 0xc611b340 @offset=832 fp=0xc611b7c0 | 2026-05-06 | 7.8 | CVE-2026-43236 | https://git.kernel.org/stable/c/fd4a4d0711f48a99b25bcd45e00eef8339eff82d https://git.kernel.org/stable/c/6404898af86d986db1dbbe06177c143e40652e49 https://git.kernel.org/stable/c/796e77c14c4c1e2cd36473760fb6cc66c695eb47 https://git.kernel.org/stable/c/ac2d898da5095d46bd1ff8585fdd753d58ad91e7 https://git.kernel.org/stable/c/a205740a7231e967ac77cb731171642901c327af https://git.kernel.org/stable/c/7b4d0fab3ff2c00c6d34e1952c9df5129a826aee https://git.kernel.org/stable/c/549c6db503dbb85dbff4840830971853feac6625 https://git.kernel.org/stable/c/bc847787233277a337788568e90a6ee1557595eb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4 This commit simplifies the amdgpu_gem_va_ioctl function, key updates include: - Moved the logic for managing the last update fence directly into amdgpu_gem_va_update_vm. - Introduced checks for the timeline point to enable conditional replacement or addition of fences. v2: Addressed review comments from Christian. v3: Updated comments (Christian). v4: The previous version selected the fence too early and did not manage its reference correctly, which could lead to stale or freed fences being used. This resulted in refcount underflows and could crash when updating GPU timelines. The fence is now chosen only after the VA mapping work is completed, and its reference is taken safely. After exporting it to the VM timeline syncobj, the driver always drops its local fence reference, ensuring balanced refcounting and avoiding use-after-free on dma_fence. Crash signature: [ 205.828135] refcount_t: underflow; use-after-free. [ 205.832963] WARNING: CPU: 30 PID: 7274 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 ... [ 206.074014] Call Trace: [ 206.076488] <TASK> [ 206.078608] amdgpu_gem_va_ioctl+0x6ea/0x740 [amdgpu] [ 206.084040] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu] [ 206.089994] drm_ioctl_kernel+0x86/0xe0 [drm] [ 206.094415] drm_ioctl+0x26e/0x520 [drm] [ 206.098424] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu] [ 206.104402] amdgpu_drm_ioctl+0x4b/0x80 [amdgpu] [ 206.109387] __x64_sys_ioctl+0x96/0xe0 [ 206.113156] do_syscall_64+0x66/0x2d0 ... [ 206.553351] BUG: unable to handle page fault for address: ffffffffc0dfde90 ... [ 206.553378] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0 ... [ 206.553405] Call Trace: [ 206.553409] <IRQ> [ 206.553415] ? __pfx_drm_sched_fence_free_rcu+0x10/0x10 [gpu_sched] [ 206.553424] dma_fence_signal+0x30/0x60 [ 206.553427] drm_sched_job_done.isra.0+0x123/0x150 [gpu_sched] [ 206.553434] dma_fence_signal_timestamp_locked+0x6e/0xe0 [ 206.553437] dma_fence_signal+0x30/0x60 [ 206.553441] amdgpu_fence_process+0xd8/0x150 [amdgpu] [ 206.553854] sdma_v4_0_process_trap_irq+0x97/0xb0 [amdgpu] [ 206.554353] edac_mce_amd(E) ee1004(E) [ 206.554270] amdgpu_irq_dispatch+0x150/0x230 [amdgpu] [ 206.554702] amdgpu_ih_process+0x6a/0x180 [amdgpu] [ 206.555101] amdgpu_irq_handler+0x23/0x60 [amdgpu] [ 206.555500] __handle_irq_event_percpu+0x4a/0x1c0 [ 206.555506] handle_irq_event+0x38/0x80 [ 206.555509] handle_edge_irq+0x92/0x1e0 [ 206.555513] __common_interrupt+0x3e/0xb0 [ 206.555519] common_interrupt+0x80/0xa0 [ 206.555525] </IRQ> [ 206.555527] <TASK> ... [ 206.555650] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0 ... [ 206.555667] Kernel panic - not syncing: Fatal exception in interrupt | 2026-05-06 | 7.8 | CVE-2026-43237 | https://git.kernel.org/stable/c/e9e477d3197f7d8955a042c0d7f53f78f13218ba https://git.kernel.org/stable/c/0399b8416ecf64ef86ad23401fe23eabdb07831a https://git.kernel.org/stable/c/bd8150a1b3370a9f7761c5814202a3fe5a79f44f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs: ->d_compare() must not block ... so don't use __getname() there. Switch it (and ntfs_d_hash(), while we are at it) to kmalloc(PATH_MAX, GFP_NOWAIT). Yes, ntfs_d_hash() almost certainly can do with smaller allocations, but let ntfs folks deal with that - keep the allocation size as-is for now. Stop abusing names_cachep in ntfs, period - various uses of that thing in there have nothing to do with pathnames; just use k[mz]alloc() and be done with that. For now let's keep sizes as-in, but AFAICS none of the users actually want PATH_MAX. | 2026-05-06 | 7.5 | CVE-2026-43245 | https://git.kernel.org/stable/c/142c444a395f4d26055c8a4473e228bb86283f1e https://git.kernel.org/stable/c/fb4b1f969ba01fa1d4088467a02fc1e5f0806710 https://git.kernel.org/stable/c/ca2a04e84af79596e5cd9cfe697d5122ec39c8ce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vhost: move vdpa group bound check to vhost_vdpa Remove duplication by consolidating these here. This reduces the posibility of a parent driver missing them. While we're at it, fix a bug in vdpa_sim where a valid ASID can be assigned to a group equal to ngroups, causing an out of bound write. | 2026-05-06 | 7.8 | CVE-2026-43248 | https://git.kernel.org/stable/c/ddb57354634b6ba851b79da45f1de42c646f27d0 https://git.kernel.org/stable/c/7441d35d14d9a3d66d925d90cb73c75394e6d454 https://git.kernel.org/stable/c/406db68f9cb976a8ddfafd631197264f2307e9c9 https://git.kernel.org/stable/c/cd025c1e876b4e262e71398236a1550486a73ede |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: move wait_on_sem() out of spinlock With iommu.strict=1, the existing completion wait path can cause soft lockups under stressed environment, as wait_on_sem() busy-waits under the spinlock with interrupts disabled. Move the completion wait in iommu_completion_wait() out of the spinlock. wait_on_sem() only polls the hardware-updated cmd_sem and does not require iommu->lock, so holding the lock during the busy wait unnecessarily increases contention and extends the time with interrupts disabled. | 2026-05-06 | 7.5 | CVE-2026-43253 | https://git.kernel.org/stable/c/f2f65b28d802a667119147444ec2ae33eebf9a58 https://git.kernel.org/stable/c/715c263119fd1b918a9fcbd8a36ea5b604a46324 https://git.kernel.org/stable/c/e15768e68820142077bbca402d8e902f64ade1b0 https://git.kernel.org/stable/c/496269d12072ecb219826485bdbec70c92a8eef5 https://git.kernel.org/stable/c/d2a0cac10597068567d336e85fa3cbdbe8ca62bf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ovpn: tcp - fix packet extraction from stream When processing TCP stream data in ovpn_tcp_recv, we receive large cloned skbs from __strp_rcv that may contain multiple coalesced packets. The current implementation has two bugs: 1. Header offset overflow: Using pskb_pull with large offsets on coalesced skbs causes skb->data - skb->head to exceed the u16 storage of skb->network_header. This causes skb_reset_network_header to fail on the inner decapsulated packet, resulting in packet drops. 2. Unaligned protocol headers: Extracting packets from arbitrary positions within the coalesced TCP stream provides no alignment guarantees for the packet data causing performance penalties on architectures without efficient unaligned access. Additionally, openvpn's 2-byte length prefix on TCP packets causes the subsequent 4-byte opcode and packet ID fields to be inherently misaligned. Fix both issues by allocating a new skb for each openvpn packet and using skb_copy_bits to extract only the packet content into the new buffer, skipping the 2-byte length prefix. Also, check the length before invoking the function that performs the allocation to avoid creating an invalid skb. If the packet has to be forwarded to userspace the 2-byte prefix can be pushed to the head safely, without misalignment. As a side effect, this approach also avoids the expensive linearization that pskb_pull triggers on cloned skbs with page fragments. In testing, this resulted in TCP throughput improvements of up to 74%. | 2026-05-06 | 7.5 | CVE-2026-43254 | https://git.kernel.org/stable/c/0315bec883c67fa1413c61e504a28dc5bd02eb37 https://git.kernel.org/stable/c/7dba6cd7fb168d7615194a631c9c100c1c224131 https://git.kernel.org/stable/c/d4f687fbbce45b5e88438e89b5e26c0c15847992 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update() vfe_isr() iterates using MSM_VFE_IMAGE_MASTERS_NUM(7) as the loop bound and passes the index to vfe_isr_reg_update(). However, vfe->line[] array is defined with VFE_LINE_NUM_MAX(4): struct vfe_line line[VFE_LINE_NUM_MAX]; When index is 4, 5, 6, the access to vfe->line[line_id] exceeds the array bounds and resulting in out-of-bounds memory access. Fix this by using separate loops for output lines and write masters. | 2026-05-06 | 7.8 | CVE-2026-43256 | https://git.kernel.org/stable/c/e6cbf765686fb6c1d8f2530b3daf6c66efc92f5d https://git.kernel.org/stable/c/0c074e80921fd18984b75836730d76c768c84f65 https://git.kernel.org/stable/c/1b103307df6d461a0731be25aca69ad0335b0933 https://git.kernel.org/stable/c/fade67c88870f497a13ed450ba01f7236c92dd9b https://git.kernel.org/stable/c/e7a38ecda2498e7ce998793ac2a46ca47317635d https://git.kernel.org/stable/c/d965919af524e68cb2ab1a685872050ad2ee933d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: alpha: fix user-space corruption during memory compaction Alpha systems can suffer sporadic user-space crashes and heap corruption when memory compaction is enabled. Symptoms include SIGSEGV, glibc allocator failures (e.g. "unaligned tcache chunk"), and compiler internal errors. The failures disappear when compaction is disabled or when using global TLB invalidation. The root cause is insufficient TLB shootdown during page migration. Alpha relies on ASN-based MM context rollover for instruction cache coherency, but this alone is not sufficient to prevent stale data or instruction translations from surviving migration. Fix this by introducing a migration-specific helper that combines: - MM context invalidation (ASN rollover), - immediate per-CPU TLB invalidation (TBI), - synchronous cross-CPU shootdown when required. The helper is used only by migration/compaction paths to avoid changing global TLB semantics. Additionally, update flush_tlb_other(), pte_clear(), to use READ_ONCE()/WRITE_ONCE() for correct SMP memory ordering. This fixes observed crashes on both UP and SMP Alpha systems. | 2026-05-06 | 7.8 | CVE-2026-43258 | https://git.kernel.org/stable/c/d4ca6ca2c6f5a1d19d9014c5b36d96637846b5d6 https://git.kernel.org/stable/c/03e42b5f7ad4c2c3db8bd384bab7990d5d53c90f https://git.kernel.org/stable/c/bab8d762a8dbb816b10011e13b87d1bca91e5f77 https://git.kernel.org/stable/c/dd5712f3379cfe760267cdd28ff957d9ab4e51c7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix Null reference while testing fluster When multi instances are created/destroyed, many interrupts happens and structures for decoder are removed. "struct vpu_instance" this structure is shared for all flow in the decoder, so if the structure is not protected by lock, Null dereference could happens sometimes. IRQ Handler was spilt to two phases and Lock was added as well. | 2026-05-06 | 7.8 | CVE-2026-43263 | https://git.kernel.org/stable/c/ea316b784fe6a61b29131c98cddb24e651b1dcbc https://git.kernel.org/stable/c/d12bcf183ec7da4305d848068d15f18044eaf62a https://git.kernel.org/stable/c/e66ff2b08e4ee1c4d3b84f24818e5bcc178cc3a4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: clear cloned request bio pointer when last clone bio completes Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios. One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone(). The resulting double-free path looks like: nvme_pci_complete_batch() nvme_complete_batch() blk_mq_end_request_batch() blk_complete_request() // called on a DM clone request bio_endio() // first free of all clone bios ... rq->end_io() // end_clone_request() dm_complete_request(tio->orig) dm_softirq_done() dm_done() dm_end_request() blk_rq_unprep_clone() // second free of clone bios Fix this by clearing the clone request's bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios. | 2026-05-06 | 7.8 | CVE-2026-43278 | https://git.kernel.org/stable/c/8d9ddad561136f7e6a9346767bf97b4d79e38e67 https://git.kernel.org/stable/c/7daf279c674d515fb22a727a7bbc92aeb35c5442 https://git.kernel.org/stable/c/e2e738e8dfbbf83bd2bae0467ec4420cc52da42a https://git.kernel.org/stable/c/b1c1a2637ebd675aa2d71fee8c70da8791d73850 https://git.kernel.org/stable/c/83d72091804600ead96dc9e9f518ea56cb4942f6 https://git.kernel.org/stable/c/fb8a6c18fb9a6561f7a15b58b272442b77a242dd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Add sanity check for OOB writes at silencing At silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit with the buffer size. But when the setup in the capture stream differs from the playback stream (e.g. due to the USB core limitation of max packet size), such an inconsistency may lead to OOB writes to the buffer, resulting in a crash. For addressing it, add a sanity check of the transfer buffer size at prepare_silent_urb(), and stop the data copy if the received data overflows. Also, report back the transfer error properly from there, too. Note that this doesn't fix the root cause of the playback error itself, but this merely covers the kernel Oops. | 2026-05-06 | 7.8 | CVE-2026-43279 | https://git.kernel.org/stable/c/fa01973bb79d70c4736b6a4b2de99fbb2cbc8d1f https://git.kernel.org/stable/c/780dc57794a217b49994fa1d0b42465fb10a00aa https://git.kernel.org/stable/c/8995fc0e00b3fee9bf7ecb3d836b635b730c1049 https://git.kernel.org/stable/c/fc9e5af60dc199051dc202ae78e1fe76a9977a5e https://git.kernel.org/stable/c/6af16f1b8649df4c00d6ced924bdd8b72c885b6a https://git.kernel.org/stable/c/ccaf9296763be4f76b59e2cac377006016c34435 https://git.kernel.org/stable/c/fba2105a157fffcf19825e4eea498346738c9948 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise When user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array. The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries). Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels. v2(Matthew Auld) - Using array_index_nospec() to mitigate spectre attacks when the value is used v3(Matthew Auld) - Put the declarations at the start of the block (cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29) | 2026-05-06 | 7.1 | CVE-2026-43280 | https://git.kernel.org/stable/c/ffba51100ff61792fefbae11ca38ac1987a818dd https://git.kernel.org/stable/c/79f52655567a6471ff3d0d6325ede91bb14461f4 https://git.kernel.org/stable/c/fbbe32618e97eff81577a01eb7d9adcd64a216d7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Return queued buffers on start_streaming() failure Return buffers if streaming fails to start due to uvc_pm_get() error. This bug may be responsible for a warning I got running while :; do yavta -c3 /dev/video0; done on an xHCI controller which failed under this workload. I had no luck reproducing this warning again to confirm. xhci_hcd 0000:09:00.0: HC died; cleaning up usb 13-2: USB disconnect, device number 2 WARNING: CPU: 2 PID: 29386 at drivers/media/common/videobuf2/videobuf2-core.c:1803 vb2_start_streaming+0xac/0x120 | 2026-05-08 | 7.8 | CVE-2026-43290 | https://git.kernel.org/stable/c/69c32df23bed6001864779b965fa009bcd9a26de https://git.kernel.org/stable/c/a5c01f15809d1d2c319d8bfb11d071df11ab731c https://git.kernel.org/stable/c/4cf3b6fd54ebb1ebc977bdc47fb6cfcf9a471a22 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Workaround SQM/PSE stalls by disabling sticky NIX SQ manager sticky mode is known to cause stalls when multiple SQs share an SMQ and transmit concurrently. Additionally, PSE may deadlock on transitions between sticky and non-sticky transmissions. There is also a credit drop issue observed when certain condition clocks are gated. work around these hardware errata by: - Disabling SQM sticky operation: - Clear TM6 (bit 15) - Clear TM11 (bit 14) - Disabling sticky → non-sticky transition path that can deadlock PSE: - Clear TM5 (bit 23) - Preventing credit drops by keeping the control-flow clock enabled: - Set TM9 (bit 21) These changes are applied via NIX_AF_SQM_DBG_CTL_STATUS. With this configuration the SQM/PSE maintain forward progress under load without credit loss, at the cost of disabling sticky optimizations. | 2026-05-08 | 7.5 | CVE-2026-43296 | https://git.kernel.org/stable/c/9a3fd301329474f449e75f86d8a4f6b9c603fd6c https://git.kernel.org/stable/c/d0b3c8a80336029d9356f429151eb27922d80a3c https://git.kernel.org/stable/c/36cc5a5e0178d5fb79e04173b8aa623b0108819a https://git.kernel.org/stable/c/d9b549b6951ba178ec14339a031cae65f4e43fe1 https://git.kernel.org/stable/c/cec2ceb35ce7bc874c43812bb39200d6cf691b87 https://git.kernel.org/stable/c/8052d0587fb14b85539c3a14a226586c0c3d6b4c https://git.kernel.org/stable/c/b7eba260a34e854e2487b8363c11976f082df00d https://git.kernel.org/stable/c/70e9a5760abfb6338d63994d4de6b0778ec795d6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: clear page->private in free_pages_prepare() Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When these pages are later allocated as high-order pages and split via split_page(), tail pages retain stale page->private values. This causes a use-after-free in the swap subsystem. The swap code uses page->private to track swap count continuations, assuming freshly allocated pages have page->private == 0. When stale values are present, swap_count_continued() incorrectly assumes the continuation list is valid and iterates over uninitialized page->lru containing LIST_POISON values, causing a crash: KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107] RIP: 0010:__do_sys_swapoff+0x1151/0x1860 Fix this by clearing page->private in free_pages_prepare(), ensuring all freed pages have clean state regardless of previous use. | 2026-05-08 | 7.8 | CVE-2026-43303 | https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: accel: adxl380: Avoid reading more entries than present in FIFO The interrupt handler reads FIFO entries in batches of N samples, where N is the number of scan elements that have been enabled. However, the sensor fills the FIFO one sample at a time, even when more than one channel is enabled. Therefore,the number of entries reported by the FIFO status registers may not be a multiple of N; if this number is not a multiple, the number of entries read from the FIFO may exceed the number of entries actually present. To fix the above issue, round down the number of FIFO entries read from the status registers so that it is always a multiple of N. | 2026-05-08 | 7.8 | CVE-2026-43307 | https://git.kernel.org/stable/c/a40f316085985f916ba1599fc303fdbc6a078e86 https://git.kernel.org/stable/c/a8e88edfd69df7b63c882aa53e61e7c078806ad7 https://git.kernel.org/stable/c/f42ddb2945ae4ce2b6f1c2e7aae9f14455a734d3 https://git.kernel.org/stable/c/c1b14015224cfcccd5356333763f2f4f401bd810 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Properly mark live registers for indirect jumps For a `gotox rX` instruction the rX register should be marked as used in the compute_insn_live_regs() function. Fix this. | 2026-05-08 | 7.8 | CVE-2026-43321 | https://git.kernel.org/stable/c/7beae54111c34ca63357ef120e115889b915beb5 https://git.kernel.org/stable/c/d1aab1ca576c90192ba961094d51b0be6355a4d6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix interrupt synchronization error This fixes an error in synchronization in the dummy-hcd driver. The error has a somewhat involved history. The synchronization mechanism was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), which added an emulated "interrupts enabled" flag together with code emulating synchronize_irq() (it waits until all current handler callbacks have returned). But the emulated interrupt-disable occurred too late, after the driver containing the handler callback routines had been told that it was unbound and no more callbacks would occur. Commit 4a5d797a9f9c ("usb: gadget: dummy_hcd: fix gpf in gadget_setup") tried to fix this by moving the synchronize_irq() emulation code from dummy_stop() to dummy_pullup(), which runs before the unbind callback. There still were races, though, because the emulated interrupt-disable still occurred too late. It couldn't be moved to dummy_pullup(), because that routine can be called for reasons other than an impending unbind. Therefore commits 7dc0c55e9f30 ("USB: UDC core: Add udc_async_callbacks gadget op") and 04145a03db9d ("USB: UDC: Implement udc_async_callbacks in dummy-hcd") added an API allowing the UDC core to tell dummy-hcd exactly when emulated interrupts and their callbacks should be disabled. That brings us to the current state of things, which is still wrong because the emulated synchronize_irq() occurs before the emulated interrupt-disable! That's no good, beause it means that more emulated interrupts can occur after the synchronize_irq() emulation has run, leading to the possibility that a callback handler may be running when the gadget driver is unbound. To fix this, we have to move the synchronize_irq() emulation code yet again, to the dummy_udc_async_callbacks() routine, which takes care of enabling and disabling emulated interrupt requests. The synchronization will now run immediately after emulated interrupts are disabled, which is where it belongs. | 2026-05-08 | 7.8 | CVE-2026-43324 | https://git.kernel.org/stable/c/d847f375b1bcea713143bc02720d13d2d01b012a https://git.kernel.org/stable/c/cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4 https://git.kernel.org/stable/c/5aa776c8615bea3b1eaeec87b0788375800ead4f https://git.kernel.org/stable/c/94d4fab1dd9e64f45449bcc7d6a5acf796b13015 https://git.kernel.org/stable/c/5687a09776069bd915560021c9728ca528440128 https://git.kernel.org/stable/c/8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7 https://git.kernel.org/stable/c/2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SNAT (4 payload actions) * DNAT (4 payload actions) * Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ. * Redirect (1 action) Which makes 17, while the maximum is 16. But act_ct supports for tunnels actions too. Note that payload action operates at 32-bit word level, so mangling an IPv6 address takes 4 payload actions. Update flow_action_entry_next() calls to check for the maximum number of supported actions. While at it, rise the maximum number of actions per flow from 16 to 24 so this works fine with IPv6 setups. | 2026-05-08 | 7.8 | CVE-2026-43329 | https://git.kernel.org/stable/c/ead66c77303f760f6c30be96e2e20d5a77cef614 https://git.kernel.org/stable/c/fe9018d3e94329f1951b00805a8640bc06f56ead https://git.kernel.org/stable/c/5382bb03e9c33b089d60788478b922a2dca284cc https://git.kernel.org/stable/c/57c78bd2e2dd08897acd35b2bf8bcef322e36f5e https://git.kernel.org/stable/c/504c9456699dcf4d15195ef34a0fa94a80bfc877 https://git.kernel.org/stable/c/879959a7a2be814dd57568655eafa3d8f4d0309e https://git.kernel.org/stable/c/76522fcdbc3a02b568f5d957f7e66fc194abb893 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: caam - fix overflow on long hmac keys When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache alignment, as otherwise the hashed key may corrupt neighbouring memory. The copying is performed using kmemdup, however this leads to an overflow: reading more bytes (aligned_len - keylen) from the keylen source buffer. Fix this by replacing kmemdup with kmalloc, followed by memcpy. | 2026-05-08 | 7.8 | CVE-2026-43330 | https://git.kernel.org/stable/c/31022cfde5235c45fa765f0aabeff5f0652852f2 https://git.kernel.org/stable/c/c2fb4984fe09fc176fe4c12d5e3edf626df6511d https://git.kernel.org/stable/c/aa545df011338df13f0833fc1fabcb15c0521959 https://git.kernel.org/stable/c/cebc5ebd958346195b77f42d0cd5141b4e448fae https://git.kernel.org/stable/c/80688afb9c35b3934ce2d6be9973758915e2e0ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone device registration error path If thermal_zone_device_register_with_trips() fails after registering a thermal zone device, it needs to wait for the tz->removal completion like thermal_zone_device_unregister(), in case user space has managed to take a reference to the thermal zone device's kobject, in which case thermal_release() may not be called by the error path itself and tz may be freed prematurely. Add the missing wait_for_completion() call to the thermal zone device registration error path. | 2026-05-08 | 7.8 | CVE-2026-43332 | https://git.kernel.org/stable/c/9e796001af97a1f7368d5114b7a8533dd98d797a https://git.kernel.org/stable/c/604da9c04c218362e1c1457304ebeb9c199d537c https://git.kernel.org/stable/c/c4c7219e93319bba9ba0765dee597784c78f63c5 https://git.kernel.org/stable/c/4d390f0e507dfb16d58f83a58d78d1150dc8b9d7 https://git.kernel.org/stable/c/9e07e3b81807edd356e1f794cffa00a428eff443 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lib/crypto: chacha: Zeroize permuted_state before it leaves scope Since the ChaCha permutation is invertible, the local variable 'permuted_state' is sufficient to compute the original 'state', and thus the key, even after the permutation has been done. While the kernel is quite inconsistent about zeroizing secrets on the stack (and some prominent userspace crypto libraries don't bother at all since it's not guaranteed to work anyway), the kernel does try to do it as a best practice, especially in cases involving the RNG. Thus, explicitly zeroize 'permuted_state' before it goes out of scope. | 2026-05-08 | 7.5 | CVE-2026-43336 | https://git.kernel.org/stable/c/e90ee961af515a484f091678ce58a4c3f7b73b02 https://git.kernel.org/stable/c/b416a4245f04a450c67a13e6d96056c37c5b33fe https://git.kernel.org/stable/c/bd62d9b44464a6c20a34a74068e7a784d0afa04a https://git.kernel.org/stable/c/066c760acead1fb743bae294dbd89f479ae43b9b https://git.kernel.org/stable/c/1d761e5a7340c46479fb2399598f331e4fe2c633 https://git.kernel.org/stable/c/1933249263c3a98df79992f61a566476e4163bcc https://git.kernel.org/stable/c/91999af43ca2125e3b2c18fcfc02912ada02efc3 https://git.kernel.org/stable/c/e5046823f8fa3677341b541a25af2fcb99a5b1e0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible UaF in addrconf_permanent_addr() The mentioned helper try to warn the user about an exceptional condition, but the message is delivered too late, accessing the ipv6 after its possible deletion. Reorder the statement to avoid the possible UaF; while at it, place the warning outside the idev->lock as it needs no protection. | 2026-05-08 | 7.8 | CVE-2026-43339 | https://git.kernel.org/stable/c/eec49a33611f20336b357b3953df44f1a02049e8 https://git.kernel.org/stable/c/bacc7f31085c9820922f00bc7d79756ffa13123a https://git.kernel.org/stable/c/7bfafa1b0cd582983ebec6bb20f0a435528fe567 https://git.kernel.org/stable/c/7d9f2f4aabd116ca68fbdab5d8fb8dac74c2ea1e https://git.kernel.org/stable/c/25357b670afb5b517096da783abaa5cc4bf8359e https://git.kernel.org/stable/c/3cd4efb5df72843dfac892d0b3c7a4a8bd926b65 https://git.kernel.org/stable/c/2d88ed7fa000e19c2dc0fa31b3a849e3f5bca5c1 https://git.kernel.org/stable/c/fd63f185979b047fb22a0dfc6bd94d0cab6a6a70 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ipa: fix event ring index not programmed for IPA v5.0+ For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to CH_C_CNTXT_1. The v5.0 register definition intended to define this field in the CH_C_CNTXT_1 fmask array but used the old identifier of ERINDEX instead of CH_ERINDEX. Without a valid event ring, GSI channels could never signal transfer completions. This caused gsi_channel_trans_quiesce() to block forever in wait_for_completion(). At least for IPA v5.2 this resolves an issue seen where runtime suspend, system suspend, and remoteproc stop all hanged forever. It also meant the IPA data path was completely non functional. | 2026-05-08 | 7.5 | CVE-2026-43345 | https://git.kernel.org/stable/c/ae8343a19ccb051d519dbb3a9082ddea9f0551d3 https://git.kernel.org/stable/c/2bf18b643c4656413f7cfd5615af60a6b4e261da https://git.kernel.org/stable/c/2d2dc166d55148cfcf8ae67b415f8d6d110e6fca https://git.kernel.org/stable/c/34c988bb04cbdf093d2134e179433da49ffcd044 https://git.kernel.org/stable/c/56007972c0b1e783ca714d6f1f4d6e66e531d21f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: dts: qcom: monaco: Reserve full Gunyah metadata region We observe spurious "Synchronous External Abort" exceptions (ESR=0x96000010) and kernel crashes on Monaco-based platforms. These faults are caused by the kernel inadvertently accessing hypervisor-owned memory that is not properly marked as reserved. >From boot log, The Qualcomm hypervisor reports the memory range at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned: qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0 However, the EFI memory map provided by firmware only reserves the subrange 0x91a40000-0x91a87fff (288 KiB). The remaining portion (0x91a88000-0x91afffff) is incorrectly reported as conventional memory (from efi debug): efi: 0x000091a40000-0x000091a87fff [Reserved...] efi: 0x000091a88000-0x0000938fffff [Conventional...] As a result, the allocator may hand out PFNs inside the hypervisor owned region, causing fatal aborts when the kernel accesses those addresses. Add a reserved-memory carveout for the Gunyah hypervisor metadata at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not map or allocate from this area. For the record: Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC) UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1 | 2026-05-08 | 7.5 | CVE-2026-43347 | https://git.kernel.org/stable/c/edde62571f7602d83243ca51729ce42d22ea04d2 https://git.kernel.org/stable/c/59bd9088336d2bb7e713dcf4df5cbda86bb3c611 https://git.kernel.org/stable/c/85d98669fa7f1d3041d962515e45ee6e392db6f8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: require a full NFS mode SID before reading mode bits parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits. That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives the sub_auth[2] read four bytes past the end of the ACE. Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing compare_sids() semantics for the rest of cifsacl. | 2026-05-08 | 7.6 | CVE-2026-43350 | https://git.kernel.org/stable/c/b53b8e98c23310294fc45fc686db5ee860311896 https://git.kernel.org/stable/c/c8eef12af1cc73031639ea7cf16e0b10e2536b0b https://git.kernel.org/stable/c/38a69f08ee82c450d3e4168707fff2e317dc3ff7 https://git.kernel.org/stable/c/f8488c07bea2431ee12a6067d736578064fa46b4 https://git.kernel.org/stable/c/2757ad3e4b6f9e0fed4c7739594e702abc5cab21 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue The logic used to abort the DMA ring contains several flaws: 1. The driver unconditionally issues a ring abort even when the ring has already stopped. 2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior. 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts the controller state. 4. If the ring is already stopped, the abort operation should be considered successful without attempting further action. Fix the abort handling by checking whether the ring is running before issuing an abort, re-initializing the completion when needed, ensuring that RING_CTRL_ENABLE remains asserted during abort, and treating an already stopped ring as a successful condition. | 2026-05-08 | 7.8 | CVE-2026-43352 | https://git.kernel.org/stable/c/003df94bcc9227e8e930abd03ac7f63ac10033dc https://git.kernel.org/stable/c/5549611888f5ca2db5e8e692b57f30626ddf9898 https://git.kernel.org/stable/c/b795e68bf3073d67bebbb5a44d93f49efc5b8cc7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix race in DMA ring dequeue The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for multiple transfers that timeout around the same time. However, the function is not serialized and can race with itself. When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes incomplete transfers, and then restarts the ring. If another timeout triggers a parallel call into the same function, the two instances may interfere with each other - stopping or restarting the ring at unexpected times. Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to itself. | 2026-05-08 | 7.8 | CVE-2026-43353 | https://git.kernel.org/stable/c/b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e https://git.kernel.org/stable/c/4faa1e9c67a2229f6749190aedaf88ce0391efd2 https://git.kernel.org/stable/c/1dca8aee80eea76d2aae21265de5dd64f6ba0f09 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: check if target buffer list is still legacy on recycle There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks. | 2026-05-08 | 7.8 | CVE-2026-43366 | https://git.kernel.org/stable/c/a7b33671e418fca507feebd1d56e7f4952a4b25c https://git.kernel.org/stable/c/439a6728ec4641ffad1ca796622c19bc525e570f https://git.kernel.org/stable/c/f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa https://git.kernel.org/stable/c/50ad880db3013c6fee0ef13781762a39e2e7ef83 https://git.kernel.org/stable/c/97b57f69fee1b61b41acbf37e7720cac9d389fa4 https://git.kernel.org/stable/c/c2c185be5c85d37215397c8e8781abf0a69bec1f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential overflow of shmem scatterlist length When a scatterlists table of a GEM shmem object of size 4 GB or more is populated with pages allocated from a folio, unsigned int .length attribute of a scatterlist may get overflowed if total byte length of pages allocated to that single scatterlist happens to reach or cross the 4GB limit. As a consequence, users of the object may suffer from hitting unexpected, premature end of the object's backing pages. [278.780187] ------------[ cut here ]------------ [278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915] ... [278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary) [278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER [278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024 [278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915] ... [278.780786] Call Trace: [278.780787] <TASK> [278.780788] ? __apply_to_page_range+0x3e6/0x910 [278.780795] ? __pfx_remap_sg+0x10/0x10 [i915] [278.780906] apply_to_page_range+0x14/0x30 [278.780908] remap_io_sg+0x14d/0x260 [i915] [278.781013] vm_fault_cpu+0xd2/0x330 [i915] [278.781137] __do_fault+0x3a/0x1b0 [278.781140] do_fault+0x322/0x640 [278.781143] __handle_mm_fault+0x938/0xfd0 [278.781150] handle_mm_fault+0x12c/0x300 [278.781152] ? lock_mm_and_find_vma+0x4b/0x760 [278.781155] do_user_addr_fault+0x2d6/0x8e0 [278.781160] exc_page_fault+0x96/0x2c0 [278.781165] asm_exc_page_fault+0x27/0x30 ... That issue was apprehended by the author of a change that introduced it, and potential risk even annotated with a comment, but then never addressed. When adding folio pages to a scatterlist table, take care of byte length of any single scatterlist not exceeding max_segment. (cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60) | 2026-05-08 | 7.8 | CVE-2026-43368 | https://git.kernel.org/stable/c/aeb7255531ba4a5c3a64938577170d08b78de399 https://git.kernel.org/stable/c/1c956f0fccc26fefcbb507516c49d1db41c40471 https://git.kernel.org/stable/c/eae4bf4107571283031db96ce132e951615e2ae4 https://git.kernel.org/stable/c/21a301f12d18797bf889c15497f922edfdaece3a https://git.kernel.org/stable/c/029ae067431ab9d0fca479bdabe780fa436706ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix use-after-free race in VM acquire Replace non-atomic vm->process_info assignment with cmpxchg() to prevent race when parent/child processes sharing a drm_file both try to acquire the same VM after fork(). (cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618) | 2026-05-08 | 7.8 | CVE-2026-43370 | https://git.kernel.org/stable/c/ae87aea330c24f462fc7058ed543ba8bc6798447 https://git.kernel.org/stable/c/46d309996bd9251792d7dafdbaf615cf202b4447 https://git.kernel.org/stable/c/e61e355cbe49e585097eee28c15b862bfb1c0668 https://git.kernel.org/stable/c/c658c1c85ec235b7ecfbf8dbfee385b1332088f4 https://git.kernel.org/stable/c/904025fa8bba1d028adade33346372b4ac1a9249 https://git.kernel.org/stable/c/7885eb335d8f9e9942925d57e300a85e3f82ded4 https://git.kernel.org/stable/c/94b7782d0c8024f5b88454241c8d4777076c3786 https://git.kernel.org/stable/c/2c1030f2e84885cc58bffef6af67d5b9d2e7098f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ncsi: fix skb leak in error paths Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak. Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed. | 2026-05-08 | 7.5 | CVE-2026-43373 | https://git.kernel.org/stable/c/9891d7f4f1ede473c54b49776ae07755083eef06 https://git.kernel.org/stable/c/fef5aa6e3bcf3c8053307642663a63b7362d7552 https://git.kernel.org/stable/c/81d6aee32f8f7bbc175c05dbf61f4430bfb88c4a https://git.kernel.org/stable/c/59962588197863d0d746879f193905c0c6b3df49 https://git.kernel.org/stable/c/553366c271479c0d571dd1bb5d1bcde4747fb82e https://git.kernel.org/stable/c/b70c4e5e711931cdd56e6e905737b72f1e649189 https://git.kernel.org/stable/c/87138dde2d6937b12b967f28fe598a7d59000ae4 https://git.kernel.org/stable/c/5c3398a54266541610c8d0a7082e654e9ff3e259 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory. Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed. | 2026-05-08 | 7.8 | CVE-2026-43374 | https://git.kernel.org/stable/c/abf4feaee6405f1441929c6ebe7a250f2cd170a7 https://git.kernel.org/stable/c/ab5ebab9664214ba41a7633cb4e72f128204f924 https://git.kernel.org/stable/c/9e08ad731862b22a87cc55f752e16d66cdc9e231 https://git.kernel.org/stable/c/b2662e7593e94ae09b1cf7ee5f09160a3612bcb2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: Fix rcu_tasks stall in threaded busypoll I was debugging a NIC driver when I noticed that when I enable threaded busypoll, bpftrace hangs when starting up. dmesg showed: rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 10658 jiffies old. rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 40793 jiffies old. rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 131273 jiffies old. rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 402058 jiffies old. INFO: rcu_tasks detected stalls on tasks: 00000000769f52cd: .N nvcsw: 2/2 holdout: 1 idle_cpu: -1/64 task:napi/eth2-8265 state:R running task stack:0 pid:48300 tgid:48300 ppid:2 task_flags:0x208040 flags:0x00004000 Call Trace: <TASK> ? napi_threaded_poll_loop+0x27c/0x2c0 ? __pfx_napi_threaded_poll+0x10/0x10 ? napi_threaded_poll+0x26/0x80 ? kthread+0xfa/0x240 ? __pfx_kthread+0x10/0x10 ? ret_from_fork+0x31/0x50 ? __pfx_kthread+0x10/0x10 ? ret_from_fork_asm+0x1a/0x30 </TASK> The cause is that in threaded busypoll, the main loop is in napi_threaded_poll rather than napi_threaded_poll_loop, where the latter rarely iterates more than once within its loop. For rcu_softirq_qs_periodic inside napi_threaded_poll_loop to report its qs state, the last_qs must be 100ms behind, and this can't happen because napi_threaded_poll_loop rarely iterates in threaded busypoll, and each time napi_threaded_poll_loop is called last_qs is reset to latest jiffies. This patch changes so that in threaded busypoll, last_qs is saved in the outer napi_threaded_poll, and whether busy_poll_last_qs is NULL indicates whether napi_threaded_poll_loop is called for busypoll. This way last_qs would not reset to latest jiffies on each invocation of napi_threaded_poll_loop. | 2026-05-08 | 7.5 | CVE-2026-43385 | https://git.kernel.org/stable/c/52459201d0df3fdbb1d281738b7b772e2cacb49c https://git.kernel.org/stable/c/1a86a1f7d88996085934139fa4c063b6299a2dd3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: Use u32 for non-negative values in ceph_monmap_decode() This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode(). Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and the value of num_mon is further assigned to monmap->num_mon, which is of type u32. Therefore, both variables should be of type u32. This is especially relevant for num_mon. If the value read from the incoming message is very large, it is interpreted as a negative value, and the check for num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to allocate a very large chunk of memory for monmap, which will most likely fail. In this case, an unnecessary attempt to allocate memory is performed, and -ENOMEM is returned instead of -EINVAL. | 2026-05-08 | 7.5 | CVE-2026-43405 | https://git.kernel.org/stable/c/ee5588e2bc41acb73f6676c0520420c107cd0140 https://git.kernel.org/stable/c/86f7060cd638d6eb042e8ed780fb83a59ca0dcb3 https://git.kernel.org/stable/c/5f2806684b05bd24d05c091083b8e2517ba8ffac https://git.kernel.org/stable/c/b268984ae88cb0dcd7a8e8263962c748448e26e8 https://git.kernel.org/stable/c/ba0a4df8c563536857dcbf7b4dbd0f2a15f57ace https://git.kernel.org/stable/c/08bc6173fd611ad5a40f472bf5f15b92aea0fe40 https://git.kernel.org/stable/c/770444611f047dbfd4517ec0bc1b179d40c2f346 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: add a bunch of missing ceph_path_info initializers ceph_mdsc_build_path() must be called with a zero-initialized ceph_path_info parameter, or else the following ceph_mdsc_free_path_info() may crash. Example crash (on Linux 6.18.12): virt_to_cache: Object is not a Slab page! WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400 [...] Call Trace: [...] ceph_open+0x13d/0x3e0 do_dentry_open+0x134/0x480 vfs_open+0x2a/0xe0 path_openat+0x9a3/0x1160 [...] cache_from_obj: Wrong slab cache. names_cache but object is from ceph_inode_info WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6746 kmem_cache_free+0x2dd/0x400 [...] kernel BUG at mm/slub.c:634! Oops: invalid opcode: 0000 [#1] SMP NOPTI RIP: 0010:__slab_free+0x1a4/0x350 Some of the ceph_mdsc_build_path() callers had initializers, but others had not, even though they were all added by commit 15f519e9f883 ("ceph: fix race condition validating r_parent before applying state"). The ones without initializer are suspectible to random crashes. (I can imagine it could even be possible to exploit this bug to elevate privileges.) Unfortunately, these Ceph functions are undocumented and its semantics can only be derived from the code. I see that ceph_mdsc_build_path() initializes the structure only on success, but not on error. Calling ceph_mdsc_free_path_info() after a failed ceph_mdsc_build_path() call does not even make sense, but that's what all callers do, and for it to be safe, the structure must be zero-initialized. The least intrusive approach to fix this is therefore to add initializers everywhere. | 2026-05-08 | 7.8 | CVE-2026-43408 | https://git.kernel.org/stable/c/644b47f0574fd82aeb9d00317eca8d1f2a525c8c https://git.kernel.org/stable/c/8be8911f590813e6f90bc6407ced1b23e50bc5da https://git.kernel.org/stable/c/453df1f4535842bf17ff1885a225e153d7ee3374 https://git.kernel.org/stable/c/43323a5934b660afae687e8e4e95ac328615a5c4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: avoid reading the written value in offsets array When sending a transaction, its offsets array is first copied into the target proc's vma, and then the values are read back from there. This is normally fine because the vma is a read-only mapping, so the target process cannot change the value under us. However, if the target process somehow gains the ability to write to its own vma, it could change the offset before it's read back, causing the kernel to misinterpret what the sender meant. If the sender happens to send a payload with a specific shape, this could in the worst case lead to the receiver being able to privilege escalate into the sender. The intent is that gaining the ability to change the read-only vma of your own process should not be exploitable, so remove this TOCTOU read even though it's unexploitable without another Binder bug. | 2026-05-08 | 7.8 | CVE-2026-43433 | https://git.kernel.org/stable/c/e19afb53f7723b3bd22224f2b0c7dcfa70bb973f https://git.kernel.org/stable/c/3672141c93b7a0c0132bf5d5021a4b7f1d663aaa https://git.kernel.org/stable/c/4cb9e13fec0de7c942f5f927469beb8e48ddd20f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: check ownership before using vma When installing missing pages (or zapping them), Rust Binder will look up the vma in the mm by address, and then call vm_insert_page (or zap_page_range_single). However, if the vma is closed and replaced with a different vma at the same address, this can lead to Rust Binder installing pages into the wrong vma. By installing the page into a writable vma, it becomes possible to write to your own binder pages, which are normally read-only. Although you're not supposed to be able to write to those pages, the intent behind the design of Rust Binder is that even if you get that ability, it should not lead to anything bad. Unfortunately, due to another bug, that is not the case. To fix this, store a pointer in vm_private_data and check that the vma returned by vma_lookup() has the right vm_ops and vm_private_data before trying to use the vma. This should ensure that Rust Binder will refuse to interact with any other VMA. The plan is to introduce more vma abstractions to avoid this unsafe access to vm_ops and vm_private_data, but for now let's start with the simplest possible fix. C Binder performs the same check in a slightly different way: it provides a vm_ops->close that sets a boolean to true, then checks that boolean after calling vma_lookup(), but this is more fragile than the solution in this patch. (We probably still want to do both, but the vm_ops->close callback will be added later as part of the follow-up vma API changes.) It's still possible to remap the vma so that pages appear in the right vma, but at the wrong offset, but this is a separate issue and will be fixed when Rust Binder gets a vm_ops->close callback. | 2026-05-08 | 7.8 | CVE-2026-43434 | https://git.kernel.org/stable/c/20a01f20d1f4064d90a8627aa41b5987f0220bb9 https://git.kernel.org/stable/c/5a472d04fb4b9115fb7d1535bd885cea450f14db https://git.kernel.org/stable/c/8ef2c15aeae07647f530d30f6daaf79eb801bcd1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) - all referencing the linked stream's runtime without any lock or refcount protecting its lifetime. A concurrent close() on the linked stream's fd triggers snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() → snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime). No synchronization prevents kfree(runtime) from completing while the drain path dereferences the stale pointer. Fix by caching the needed runtime fields (no_period_wakeup, rate, buffer_size) into local variables while still holding the stream lock, and using the cached values after the lock is released. | 2026-05-08 | 7.8 | CVE-2026-43437 | https://git.kernel.org/stable/c/9baee36e8c5443411c4629afabafaff8a46a23fd https://git.kernel.org/stable/c/fc71f888994569f87d5bee20b1ac6c9c1e3a7a79 https://git.kernel.org/stable/c/629cf09464cf98670996ea5c191dc9743e6f3f00 https://git.kernel.org/stable/c/ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432 https://git.kernel.org/stable/c/4a758e9a1f5ed722f83c4dd35f867fe811553bcb https://git.kernel.org/stable/c/c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694 https://git.kernel.org/stable/c/9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Remove redundant css_put() in scx_cgroup_init() The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs. According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put() in the error path of scx_cgroup_init() causes a refcount underflow. Remove the unbalanced css_put() to prevent a potential Use-After-Free (UAF) vulnerability. | 2026-05-08 | 7.8 | CVE-2026-43438 | https://git.kernel.org/stable/c/cc095cd305fddbe25a968e4a78436ff9476cf0f6 https://git.kernel.org/stable/c/6eaaa67d6998f6c30c462b140db8c062e07ec473 https://git.kernel.org/stable/c/bf50f3285eda8a0173625fcdb5f183f96e1008cd https://git.kernel.org/stable/c/1336b579f6079fb8520be03624fcd9ba443c930b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags(). BUG: kernel NULL pointer dereference, address: 00000000000005d8 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 Call Trace: <IRQ> ipv6_chk_addr+0x1f/0x30 bond_validate_na+0x12e/0x1d0 [bonding] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] bond_rcv_validate+0x1a0/0x450 [bonding] bond_handle_frame+0x5e/0x290 [bonding] ? srso_alias_return_thunk+0x5/0xfbef5 __netif_receive_skb_core.constprop.0+0x3e8/0xe50 ? srso_alias_return_thunk+0x5/0xfbef5 ? update_cfs_rq_load_avg+0x1a/0x240 ? srso_alias_return_thunk+0x5/0xfbef5 ? __enqueue_entity+0x5e/0x240 __netif_receive_skb_one_core+0x39/0xa0 process_backlog+0x9c/0x150 __napi_poll+0x30/0x200 ? srso_alias_return_thunk+0x5/0xfbef5 net_rx_action+0x338/0x3b0 handle_softirqs+0xc9/0x2a0 do_softirq+0x42/0x60 </IRQ> <TASK> __local_bh_enable_ip+0x62/0x70 __dev_queue_xmit+0x2d3/0x1000 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? packet_parse_headers+0x10a/0x1a0 packet_sendmsg+0x10da/0x1700 ? kick_pool+0x5f/0x140 ? srso_alias_return_thunk+0x5/0xfbef5 ? __queue_work+0x12d/0x4f0 __sys_sendto+0x1f3/0x220 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x101/0xf80 ? exc_page_fault+0x6e/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() and avoid the path to ipv6_chk_addr(). | 2026-05-08 | 7.5 | CVE-2026-43441 | https://git.kernel.org/stable/c/49dbfcb70eca5f6f9043594e1e323c74c39e3863 https://git.kernel.org/stable/c/cf6099ef493b94e140b0fad52482a78853115318 https://git.kernel.org/stable/c/c78f01abe535853f13f0b26cd5b1d2f19bf52e2f https://git.kernel.org/stable/c/95faa1459b83fa544191e82ccc73856f03b7741f https://git.kernel.org/stable/c/c9c238066fb254dabf65e27379f93c56112c5b96 https://git.kernel.org/stable/c/30021e969d48e5819d5ae56936c2f34c0f7ce997 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY, the boundary check for 128-byte SQE operations in io_init_req() validated the logical SQ head position rather than the physical SQE index. The existing check: !(ctx->cached_sq_head & (ctx->sq_entries - 1)) ensures the logical position isn't at the end of the ring, which is correct for NO_SQARRAY rings where physical == logical. However, when sq_array is present, an unprivileged user can remap any logical position to an arbitrary physical index via sq_array. Setting sq_array[N] = sq_entries - 1 places a 128-byte operation at the last physical SQE slot, causing the 128-byte memcpy in io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE array. Replace the cached_sq_head alignment check with a direct validation of the physical SQE index, which correctly handles both sq_array and NO_SQARRAY cases. | 2026-05-08 | 7.1 | CVE-2026-43442 | https://git.kernel.org/stable/c/1f794f9bed3e5cf7250a3b4daf112a72ed1513e9 https://git.kernel.org/stable/c/6f02c6b196036dbb6defb4647d8707d29b7fe95b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash. Fix this by calling `iavf_ptp_release()` before tearing down the adapter. This ensures `ptp_clock_unregister()` synchronously cancels the worker and cleans up the chardev before the backing resources are destroyed. | 2026-05-08 | 7.8 | CVE-2026-43447 | https://git.kernel.org/stable/c/1b034f2429ce6b45ce74dc266175d277acafc5c4 https://git.kernel.org/stable/c/90cc8b2add29b57288025b51c70bc647e7cccb12 https://git.kernel.org/stable/c/efc54fb13d79117a825fef17364315a58682c7ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix for duplicate device in netdev hooks When handling NETDEV_REGISTER notification, duplicate device registration must be avoided since the device may have been added by nft_netdev_hook_alloc() already when creating the hook. | 2026-05-08 | 7.8 | CVE-2026-43454 | https://git.kernel.org/stable/c/6d2a95c6890577cc3eab2b20018e16850d7fb094 https://git.kernel.org/stable/c/2041cdb078041611510fc189410bc70b29f688fb https://git.kernel.org/stable/c/b7cdc5a97d02c943f4bdde4d5767ad0c13cad92b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bond_setup_by_slave() kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780 R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0 Call Trace: <TASK> ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900 dev_hard_header include/linux/netdevice.h:3439 [inline] packet_snd net/packet/af_packet.c:3028 [inline] packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 __sys_sendmsg+0x170/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe1a0e6c1a9 When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond, bond_setup_by_slave() directly copies the slave's header_ops to the bond device: bond_dev->header_ops = slave_dev->header_ops; This causes a type confusion when dev_hard_header() is later called on the bond device. Functions like ipgre_header(), ip6gre_header(),all use netdev_priv(dev) to access their device-specific private data. When called with the bond device, netdev_priv() returns the bond's private data (struct bonding) instead of the expected type (e.g. struct ip_tunnel), leading to garbage values being read and kernel crashes. Fix this by introducing bond_header_ops with wrapper functions that delegate to the active slave's header_ops using the slave's own device. This ensures netdev_priv() in the slave's header functions always receives the correct device. The fix is placed in the bonding driver rather than individual device drivers, as the root cause is bond blindly inheriting header_ops from the slave without considering that these callbacks expect a specific netdev_priv() layout. The type confusion can be observed by adding a printk in ipgre_header() and running the following commands: ip link add dummy0 type dummy ip addr add 10.0.0.1/24 dev dummy0 ip link set dummy0 up ip link add gre1 type gre local 10.0.0.1 ip link add bond1 type bond mode active-backup ip link set gre1 master bond1 ip link set gre1 up ip link set bond1 up ip addr add fe80::1/64 dev bond1 | 2026-05-08 | 7.8 | CVE-2026-43456 | https://git.kernel.org/stable/c/9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d https://git.kernel.org/stable/c/6ac890f1d60ac3707ee8dae15a67d9a833e49956 https://git.kernel.org/stable/c/95597d11dc8bddb2b9a051c9232000bfbb5e43ba https://git.kernel.org/stable/c/950803f7254721c1c15858fbbfae3deaaeeecb11 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler. During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free. The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets. Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses). | 2026-05-08 | 7.3 | CVE-2026-43459 | https://git.kernel.org/stable/c/bf80a89da97285d9b877e0c6995e870d46b8025c https://git.kernel.org/stable/c/3887e514978d28216246360b46a9cb534969eb5a https://git.kernel.org/stable/c/231568afbc0cd25b8fb2a94ebf9738eabe1cf007 https://git.kernel.org/stable/c/317a9298c54bb00319da73e5a7179f00e67fcbdf https://git.kernel.org/stable/c/eab71e11ce2447c1e01809cbc11eab4234cf8dc8 https://git.kernel.org/stable/c/7d33e6140945482a07f8089ee86e13e02553ffdb https://git.kernel.org/stable/c/c054f0607c8bb1b1aa529bc109e4149298a1cccd https://git.kernel.org/stable/c/95bc5c225513fc3c4ce169563fb5e3929fbb938b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: amlogic: spifc-a4: Fix DMA mapping error handling Fix three bugs in aml_sfc_dma_buffer_setup() error paths: 1. Unnecessary goto: When the first DMA mapping (sfc->daddr) fails, nothing needs cleanup. Use direct return instead of goto. 2. Double-unmap bug: When info DMA mapping failed, the code would unmap sfc->daddr inline, then fall through to out_map_data which would unmap it again, causing a double-unmap. 3. Wrong unmap size: The out_map_info label used datalen instead of infolen when unmapping sfc->iaddr, which could lead to incorrect DMA sync behavior. | 2026-05-08 | 7.8 | CVE-2026-43461 | https://git.kernel.org/stable/c/0a83d6c9e149a176340190fa9cbadf2266db4c9a https://git.kernel.org/stable/c/c0b88f1176074f80140ed77fce909f254b7180ab https://git.kernel.org/stable/c/b20b437666e1cb26a7c499d1664e8f2a0ac67000 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: spacemit: Fix error handling in emac_tx_mem_map() The DMA mappings were leaked on mapping error. Free them with the existing emac_free_tx_buf() function. | 2026-05-08 | 7.5 | CVE-2026-43462 | https://git.kernel.org/stable/c/c34ebd7b24ea70be3c6fdb6936f79f593f37df60 https://git.kernel.org/stable/c/edeaba385318f60ec1b32470da4d5eb800294d16 https://git.kernel.org/stable/c/86292155bea578ebab0ca3b65d4d87ecd8a0e9ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues. Such issue can be observed with the test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of 3600 and shrinking by 256 bytes (an upcoming selftest patch): the last fragment gets released by the XDP code but doesn't get tracked by the driver. This results in a negative pp_ref_count during page release and the following splat: WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137 Modules linked in: [...] CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core] [...] Call Trace: <TASK> mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core] mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core] mlx5e_close_rq+0x50/0x60 [mlx5_core] mlx5e_close_queues+0x36/0x2c0 [mlx5_core] mlx5e_close_channel+0x1c/0x50 [mlx5_core] mlx5e_close_channels+0x45/0x80 [mlx5_core] mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core] mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core] netif_set_mtu_ext+0xf1/0x230 do_setlink.isra.0+0x219/0x1180 rtnl_newlink+0x79f/0xb60 rtnetlink_rcv_msg+0x213/0x3a0 netlink_rcv_skb+0x48/0xf0 netlink_unicast+0x24a/0x350 netlink_sendmsg+0x1ee/0x410 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x232/0x280 ___sys_sendmsg+0x78/0xb0 __sys_sendmsg+0x5f/0xb0 [...] do_syscall_64+0x57/0xc50 This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag. As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags. | 2026-05-08 | 7.5 | CVE-2026-43464 | https://git.kernel.org/stable/c/c74557495efb4bd0adefdfc8678ecdbc82a06da3 https://git.kernel.org/stable/c/03cb50e5b74fce8bf6d92b860371b66253cf0f8d https://git.kernel.org/stable/c/a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Decrement re_receiving on the early exit paths In the event that rpcrdma_post_recvs() fails to create a work request (due to memory allocation failure, say) or otherwise exits early, we should decrement ep->re_receiving before returning. Otherwise we will hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and the completion will never be triggered. On a system with high memory pressure, this can appear as the following hung task: INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. Tainted: G S E 6.19.0 #3 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 Workqueue: xprtiod xprt_autoclose [sunrpc] Call Trace: <TASK> __schedule+0x48b/0x18b0 ? ib_post_send_mad+0x247/0xae0 [ib_core] schedule+0x27/0xf0 schedule_timeout+0x104/0x110 __wait_for_common+0x98/0x180 ? __pfx_schedule_timeout+0x10/0x10 wait_for_completion+0x24/0x40 rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] xprt_rdma_close+0x12/0x40 [rpcrdma] xprt_autoclose+0x5f/0x120 [sunrpc] process_one_work+0x191/0x3e0 worker_thread+0x2e3/0x420 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x273/0x2b0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 | 2026-05-08 | 7.5 | CVE-2026-43469 | https://git.kernel.org/stable/c/7ea69259a60a364f56cf4aa9e2eafb588d1c762b https://git.kernel.org/stable/c/8cb6b5d8296b1f99a8d36849901ebabfe3f749db https://git.kernel.org/stable/c/74c39a47856bddcde7874f2196a00143b5cd0af9 https://git.kernel.org/stable/c/49f53ee4e25297d886f14e31f355ad1c2735ddfb https://git.kernel.org/stable/c/8127b5fec04757c2a41ed65bca0b3266968efd3b https://git.kernel.org/stable/c/dc3ebd7e2d73dbd4d317785735ffa6c4a6384ddf https://git.kernel.org/stable/c/7b6275c80a0c81c5f8943272292dfe67730ce849 |
| betterdocs--BetterDocs Pro | The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions in all versions up to, and including, 3.7.0. This is due to the `limit` POST parameter being interpolated directly into a SQL query string before being passed to `$wpdb->prepare()`, which only parameterizes other variables. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Encyclopedia feature must be enabled in BetterDocs Pro settings for the vulnerability to be exploitable. | 2026-05-07 | 7.5 | CVE-2026-4348 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5c0f02ad-f5f1-42b1-8116-e391aaa85430?source=cve https://betterdocs.co/changelog/ |
| CISA--manage.get.gov | manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30. | 2026-05-07 | 7.6 | CVE-2026-43510 | url url url url url url |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests. | 2026-05-05 | 7.7 | CVE-2026-43527 | GitHub Security Advisory (GHSA-53vx-pmqw-863c) Patch Commit (1) Patch Commit (2) Patch Commit (3) Patch Commit (4) VulnCheck Advisory: OpenClaw < 2026.4.14 - Server-Side Request Forgery via Private Network Navigation |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior. | 2026-05-05 | 7.3 | CVE-2026-43531 | GitHub Security Advisory (GHSA-7wv4-cc7p-jhxc) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local media references into channel action paths expecting normalized media. | 2026-05-05 | 7.7 | CVE-2026-43532 | GitHub Security Advisory (GHSA-c9h3-5p7r-mrjh) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.7 < 2026.4.10 - Sandbox Media Normalization Bypass via Discord Event Cover Image |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement. | 2026-05-05 | 7.7 | CVE-2026-43573 | GitHub Security Advisory (GHSA-527m-976r-jf79) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - SSRF Policy Bypass in Existing-Session Browser Interaction Routes |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks. | 2026-05-06 | 7.7 | CVE-2026-43576 | GitHub Security Advisory (GHSA-f7fh-qg34-x2xh) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.5 - Second-hop SSRF via CDP /json/version WebSocket URL |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation. | 2026-05-06 | 7.7 | CVE-2026-43580 | GitHub Security Advisory (GHSA-536q-mj95-h29h) Patch Commit (1) Patch Commit (2) Patch Commit (3) VulnCheck Advisory: OpenClaw < 2026.4.10 - Incomplete Navigation Guard Coverage in Browser Interactions |
| horsicq--DIE-engine | Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive extraction to write files outside the intended extraction directory and achieve persistent code execution by overwriting user startup scripts. | 2026-05-04 | 7.1 | CVE-2026-43616 | https://github.com/horsicq/DIE-engine/releases/tag/3.21 https://github.com/horsicq/Detect-It-Easy https://github.com/horsicq/Formats/commit/56cdf50ee3c72c56284e2819b23e98332842d259 https://github.com/horsicq/XArchive/commit/6a2aa84c2fd120b704f76bb5c5ee3e9b5a7a0fcc https://github.com/horsicq/DIE-engine/commit/cbbe1688e58ffd430d284bf65f336973f083db69 https://github.com/horsicq/DIE-engine/commit/7fd300b926daf19707b2a36f0abe8b60a51308ee https://www.vulncheck.com/advisories/detect-it-easy-path-traversal-arbitrary-file-write |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open with system editor or open with a custom editor, the filename is passed directly into a command line without sanitization. A malicious actor controlling the SSH server or user OS can exploit this by crafting a filename containing shell metacharacters. If a victim subsequently attempts to edit this file, the injected commands are executed on their machine with the user's privileges. This could allow the attacker to run arbitrary code, install malware, or move laterally within the network. This issue has been patched in version 3.7.9. | 2026-05-08 | 7.8 | CVE-2026-43943 | https://github.com/electerm/electerm/security/advisories/GHSA-q4p8-8j9m-8hxj https://github.com/electerm/electerm/commit/24ce7103e264cffe6eb5476c0506a2379e6f8333 https://github.com/electerm/electerm/releases/tag/v3.7.9 |
| NixOS--Nix | An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0). | 2026-05-05 | 7.5 | CVE-2026-44028 | https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407 https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368 https://www.openwall.com/lists/oss-security/2026/05/04/33 https://www.openwall.com/lists/oss-security/2026/05/04/32 https://lix.systems/blog/2026-05-05-lix-unsigned-integer-overflow/ |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows. | 2026-05-06 | 7.8 | CVE-2026-44114 | GitHub Security Advisory (GHSA-hxvm-xjvf-93f3) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.20 - Environment Variable Namespace Collision via Workspace dotenv |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata. | 2026-05-06 | 7.8 | CVE-2026-44118 | GitHub Security Advisory (GHSA-r6xh-pqhr-v4xh) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header |
| gitpython-developers--GitPython | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header - so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49. | 2026-05-07 | 7.8 | CVE-2026-44244 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67 https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34. | 2026-05-08 | 7.3 | CVE-2026-44338 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6rmh-7xcm-cpxj |
| Postorius project--Postorius | Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026. | 2026-05-07 | 7.2 | CVE-2026-44742 | https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b https://gitlab.com/mailman/postorius/-/merge_requests/972 https://gitlab.com/mailman/postorius/-/issues/620 https://www.openwall.com/lists/oss-security/2026/05/07/3 |
| wproyal--Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a publicly leaked nonce that allows unauthenticated access to the AJAX handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 7.2 | CVE-2026-4803 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a14d3-bc41-4490-888c-486ad2994095?source=cve https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L613 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-submissions-cpt.php#L23 https://plugins.trac.wordpress.org/changeset/3503219/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php |
| strategy11team--AWP Classifieds | The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-5100 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7908d167-f831-4ed0-b754-2b390b5c3b2c?source=cve https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1240 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1258 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1269 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1276 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L63 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L70 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L168 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L174 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L339 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L342 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L795 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L804 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L881 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L887 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L890 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L895 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L902 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L903 |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Successful exploitation requires a publicly accessible form with a File Upload field where Save and Continue is enabled in that form's Behavior settings and the Save and Continue email notification is configured to attach uploaded files in Email Notifications. | 2026-05-05 | 7.5 | CVE-2026-5192 | https://www.wordfence.com/threat-intel/vulnerabilities/id/788422c4-e070-48aa-a85d-a5d5a25a6a1d?source=cve https://plugins.trac.wordpress.org/changeset/3500671/forminator |
| Ivanti--Endpoint Manager Mobile | An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods. | 2026-05-07 | 7 | CVE-2026-5788 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs |
| fast-uri--fast-uri | fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later. | 2026-05-04 | 7.5 | CVE-2026-6321 | https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 https://cna.openjsf.org/security-advisories.html |
| fast-uri--fast-uri | fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later. | 2026-05-05 | 7.5 | CVE-2026-6322 | https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc https://cna.openjsf.org/security-advisories.html |
| MAXHUB--MAXHUB Pivot client application | This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations. | 2026-05-07 | 7.3 | CVE-2026-6411 | https://www.maxhub.com/en/support/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-127-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json |
| www[.]pgbouncer[.]org--PgBouncer | An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet. | 2026-05-09 | 7.5 | CVE-2026-6664 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| www[.]pgbouncer[.]org--PgBouncer | An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet. | 2026-05-09 | 7.5 | CVE-2026-6664 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| MongoDB Inc.--MongoDB C Driver | The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI. | 2026-05-06 | 7.8 | CVE-2026-6691 | https://jira.mongodb.org/browse/CDRIVER-6134 |
| Ivanti--Endpoint Manager Mobile | An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution. | 2026-05-07 | 7.2 | CVE-2026-6973 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US |
| thedark--Auto Affiliate Links | The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook. | 2026-05-08 | 7.2 | CVE-2026-7330 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6c8ed84e-3504-42e3-821d-794198d7adda?source=cve https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L304 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L304 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L278 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L278 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L304 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L278 https://plugins.trac.wordpress.org/changeset/3519003/wp-auto-affiliate-links/trunk/aal_stats.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-auto-affiliate-links/tags/6.8.8&new_path=%2Fwp-auto-affiliate-links/tags/6.8.8.1 |
| latepoint--LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation. | 2026-05-06 | 7.2 | CVE-2026-7332 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c03ddcf0-6955-4645-b311-c3833ca61455?source=cve https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/activities_controller.php#L214 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/activities_controller.php#L214 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L260 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/stripe_connect_controller.php#L260 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/activities_helper.php#L83 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/activities_helper.php#L83 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/activities_controller.php#L214 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/stripe_connect_controller.php#L260 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/activities_helper.php#L83 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail= |
| GeoVision Inc.--GV-LPC2011/LPC2211 | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XXS via the error message for requesting non-existing page. | 2026-05-04 | 7.4 | CVE-2026-7371 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| Yarbo--Firmware | A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and survives factory reset and ordinary firmware updates. | 2026-05-07 | 7.2 | CVE-2026-7413 | https://github.com/Bin4ry/yarbo-nat-in-my-back-yard https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000000111111111111111111111110000000000000000000000000000000000000000000000000000000111 |
| PrefectHQ--prefect | A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 7.3 | CVE-2026-7723 | VDB-360899 | PrefectHQ prefect WebSocket Endpoint in missing authentication VDB-360899 | CTI Indicators (IOB, IOC, IOA) Submit #807256 | PerfectHQ Perfect <=3.6.13 Missing Critical Step in Authentication https://gist.github.com/nedlir/f1ab8aa038aafbcc6beeef21fab1d74f https://github.com/PrefectHQ/prefect/pull/20372 https://github.com/PrefectHQ/prefect/commit/f8afecadf88ea5f73694dafa3a365b9d8fae1ad6 https://github.com/PrefectHQ/prefect/releases/tag/3.6.14 https://github.com/PrefectHQ/prefect/ |
| Shandong Hoteam Software--PDM Product Data Management System | A vulnerability was determined in Shandong Hoteam Software PDM Product Data Management System up to 8.3.9. This affects the function GetQueryMachineGridOnePageData of the file /Base/BaseService.asmx/DataService. This manipulation of the argument SortOrder causes sql injection. The attack can be initiated remotely. Upgrading to version 8.3.10 is able to mitigate this issue. You should upgrade the affected component. | 2026-05-04 | 7.3 | CVE-2026-7727 | VDB-360902 | Shandong Hoteam Software PDM Product Data Management System DataService GetQueryMachineGridOnePageData sql injection VDB-360902 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #803268 | Shandong Hoteam Software Co., Ltd. PDM <8.3.10 SQL Injection https://ucn9h68n9289.feishu.cn/wiki/KvbxwRlmRihO8ZkT1E1c64pdngh https://en.hoteamsoft.com/pdm |
| n/a--funadmin | A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 59. To fix this issue, it is recommended to deploy a patch. | 2026-05-04 | 7.3 | CVE-2026-7733 | VDB-360908 | funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload VDB-360908 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807559 | FunAdmin v<=V7.1.0-rc6 Unrestricted Upload https://gitee.com/funadmin/funadmin/issues/IJ8NXT https://gitee.com/funadmin/funadmin/pulls/59 https://gitee.com/funadmin/funadmin/ |
| osrg--GoBGP | A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function PathAttributeAigp.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component AIGP Attribute Parser. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. Upgrading to version 4.4.0 is able to address this issue. The patch is named 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded. | 2026-05-04 | 7.3 | CVE-2026-7735 | VDB-360910 | osrg GoBGP AIGP Attribute bgp.go PathAttributeAigp.DecodeFromBytes buffer overflow VDB-360910 | CTI Indicators (IOB, IOC, IOA) Submit #807600 | GoBGP 4.3.0 Improper Input Validation https://github.com/osrg/gobgp/commit/51ad1ada06cb41ce47b7066799981816f50b7ced https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| osrg--GoBGP | A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by this vulnerability is the function parseRibEntry of the file pkg/packet/mrt/mrt.go. Executing a manipulation can lead to integer underflow. It is possible to launch the attack remotely. Upgrading to version 4.4.0 addresses this issue. This patch is called 76d911046344a3923cbe573364197aa081944592. It is suggested to upgrade the affected component. | 2026-05-04 | 7.3 | CVE-2026-7736 | VDB-360911 | osrg GoBGP mrt.go parseRibEntry integer underflow VDB-360911 | CTI Indicators (IOB, IOC, IOA) Submit #807604 | osrg GoBGP <= 4.3.0 Integer Underflow https://github.com/osrg/gobgp/commit/76d911046344a3923cbe573364197aa081944592 https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| @fastify/accepts-serializer--@fastify/accepts-serializer | @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option. | 2026-05-04 | 7.5 | CVE-2026-7768 | https://cna.openjsf.org/security-advisories.html https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg |
| HashiCorp--Boundary | Boundary Community Edition and Boundary Enterprise ("Boundary") workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5. | 2026-05-04 | 7.5 | CVE-2026-7776 | https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-workers-vulnerable-to-denial-of-service-during-tls-handshake |
| RTGS2017--NagaAgent | A vulnerability has been found in RTGS2017 NagaAgent up to 5.1.0. This issue affects some unknown processing of the file apiserver/routes/extensions.py of the component Skills Endpoint. Such manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 7.3 | CVE-2026-7784 | VDB-360981 | RTGS2017 NagaAgent Skills Endpoint extensions.py path traversal VDB-360981 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807744 | RTGS2017 NagaAgent 5.10 Path Traversal https://github.com/RTGS2017/NagaAgent/issues/311 https://github.com/RTGS2017/NagaAgent/ |
| A-G-U-P-T-A--wireshark-mcp | A security flaw has been discovered in A-G-U-P-T-A wireshark-mcp edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89. This affects the function quick_capture of the file pyshark_mcp.py. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 7.3 | CVE-2026-7785 | VDB-360985 | A-G-U-P-T-A wireshark-mcp pyshark_mcp.py quick_capture os command injection VDB-360985 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807745 | A-G-U-P-T-A wireshark-mcp 400c3da70074f22f3cce7ccb65304cafc7089c89 Command Injection https://github.com/A-G-U-P-T-A/wireshark-mcp/issues/1 https://github.com/A-G-U-P-T-A/wireshark-mcp/ |
| Axle-Bucamp--MCP-Docusaurus | A security flaw has been discovered in Axle-Bucamp MCP-Docusaurus up to 404bc028e15ec304c9a045528560f4b5f27a17e0. The affected element is the function update_document/continue_document/delete_document/get_content of the file app/routes/document.py. Performing a manipulation of the argument DOCS_DIR/path results in path traversal. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 7.3 | CVE-2026-7788 | VDB-360994 | Axle-Bucamp MCP-Docusaurus document.py get_content path traversal VDB-360994 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807746 | Axle-Bucamp MCP-Docusaurus 404bc028e15ec304c9a045528560f4b5f27a17e0 Path Traversal https://github.com/Axle-Bucamp/MCP-Docusaurus/issues/2 https://github.com/Axle-Bucamp/MCP-Docusaurus/ |
| Amazon--Workspaces | Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM. | 2026-05-04 | 7.8 | CVE-2026-7791 | https://aws.amazon.com/security/security-bulletins/2026-025-aws/ |
| UsamaK98--python-notebook-mcp | A flaw has been found in UsamaK98 python-notebook-mcp up to a05a232815809a7e425b5fa7be26e0d4369894c2. Impacted is the function create_notebook/read_notebook/edit_cell/add_cell of the file server.py. This manipulation causes path traversal. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 7.3 | CVE-2026-7810 | VDB-361070 | UsamaK98 python-notebook-mcp server.py add_cell path traversal VDB-361070 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807748 | UsamaK98 python-notebook-mcp a05a232815809a7e425b5fa7be26e0d4369894c2 Path Traversal https://github.com/UsamaK98/python-notebook-mcp/issues/5 https://github.com/UsamaK98/python-notebook-mcp/ |
| 54yyyu--code-mcp | A vulnerability has been found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The affected element is the function is_safe_path of the file src/code_mcp/server.py of the component MCP File Handler. Such manipulation leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 7.3 | CVE-2026-7811 | VDB-361071 | 54yyyu code-mcp MCP File server.py is_safe_path path traversal VDB-361071 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807751 | 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Path Traversal https://github.com/54yyyu/code-mcp/issues/4 https://github.com/54yyyu/code-mcp/ |
| 54yyyu--code-mcp | A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/code_mcp/server.py of the component MCP Tool. Performing a manipulation of the argument operation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 7.3 | CVE-2026-7812 | VDB-361072 | 54yyyu code-mcp MCP Tool server.py git_operation command injection VDB-361072 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807752 | 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Command Injection https://github.com/54yyyu/code-mcp/issues/5 https://github.com/54yyyu/code-mcp/ |
| Ivanti--Endpoint Manager Mobile | Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of the newly enrolled device identity. | 2026-05-07 | 7.4 | CVE-2026-7821 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US |
| IObit--Advanced SystemCare | A security flaw has been discovered in IObit Advanced SystemCare 19. This affects an unknown part of the file ASC.exe of the component Service. The manipulation results in symlink following. Attacking locally is a requirement. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. | 2026-05-05 | 7 | CVE-2026-7832 | VDB-361111 | IObit Advanced SystemCare Service ASC.exe symlink VDB-361111 | CTI Indicators (IOB, IOC, IOA) Submit #797630 | IObit Advanced SystemCare 19 Link Following https://github.com/usernameone101/Writeups/blob/main/IObit%20Zero%20Day%20(Updated%20v2).pdf |
| EFM--ipTIME C200 | A weakness has been identified in EFM ipTIME C200 up to 1.092. This vulnerability affects the function sub_408F90 of the file /cgi/iux_set.cgi of the component ApplyRestore Endpoint. This manipulation of the argument RestoreFile causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-05 | 7.2 | CVE-2026-7833 | VDB-361112 | EFM ipTIME C200 ApplyRestore Endpoint iux_set.cgi sub_408F90 command injection VDB-361112 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807786 | iptime c200 1.092 Command Injection https://github.com/glkfc/IoT-Vulnerability/blob/main/iptime/c200/sub_409054_vulnerability_report_EN.md |
| D-Link--DI-8100 | A vulnerability was identified in D-Link DI-8100 16.07.26A1. This affects the function sprintf of the file yyxz.asp. The manipulation of the argument ID leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2026-05-05 | 7.2 | CVE-2026-7851 | VDB-361128 | D-Link DI-8100 yyxz.asp sprintf stack-based overflow VDB-361128 | CTI Indicators (IOB, IOC, IOA) Submit #807798 | D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/yyxz_dlink_asp_overflow.md https://www.dlink.com/ |
| D-Link--DI-8100 | A flaw has been found in D-Link DI-8100 16.07.26A1. This affects an unknown part of the file /url_member.asp of the component Web Management Interface. Executing a manipulation of the argument Name can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. | 2026-05-05 | 7.2 | CVE-2026-7856 | VDB-361133 | D-Link DI-8100 Web Management url_member.asp buffer overflow VDB-361133 | CTI Indicators (IOB, IOC, IOA) Submit #807849 | D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/url_member_asp_overflow.md https://www.dlink.com/ |
| D-Link--DI-8100 | A vulnerability has been found in D-Link DI-8100 16.07.26A1. This vulnerability affects the function sprintf of the file /user_group.asp of the component CGI Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-05-05 | 7.2 | CVE-2026-7857 | VDB-361134 | D-Link DI-8100 CGI user_group.asp sprintf buffer overflow VDB-361134 | CTI Indicators (IOB, IOC, IOA) Submit #807853 | D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/user_group_asp_overflow.md https://www.dlink.com/ |
| PicoTronica--e-Clinic Healthcare System ECHS | A flaw has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. The impacted element is an unknown function of the file /cdemos/echs/priv/echs.js. This manipulation of the argument ADMIN_KEY causes hard-coded credentials. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 5.7.1 is sufficient to resolve this issue. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-06 | 7.3 | CVE-2026-8032 | VDB-361358 | PicoTronica e-Clinic Healthcare System ECHS echs.js hard-coded credentials VDB-361358 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800792 | PicoTronica e-Clinic Healthcare System (ECHS) v5.7 Improper Privilege Management https://docs.google.com/document/d/1w1veNs8I3nxsVxbSiIgJmt-4S5a0rW0bvjDvEe7iDr0/edit?usp=sharing |
| SourceCodester--Pharmacy Sales and Inventory System | A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-05-07 | 7.3 | CVE-2026-8083 | VDB-361837 | SourceCodester Pharmacy Sales and Inventory System ajax.php save_user sql injection VDB-361837 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807848 | sourcecodester Pharmacy Sales and Inventory System V1.0 SQL injection https://github.com/zhi-cyber/cve-2/issues/1 https://www.sourcecodester.com/ |
| code-projects--Feedback System | A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-05-07 | 7.3 | CVE-2026-8098 | VDB-361851 | code-projects Feedback System checklogin.php sql injection VDB-361851 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808126 | code-projects FEEDBACK SYSTEM V1.0 SQL Injection https://github.com/redshadowword-cell/CVE/issues/3 https://code-projects.org/ |
| SourceCodester--Comment System | A flaw has been found in SourceCodester Comment System 1.0. This issue affects some unknown processing of the file post_comment.php. This manipulation of the argument Name causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-05-08 | 7.3 | CVE-2026-8126 | VDB-361916 | SourceCodester Comment System post_comment.php sql injection VDB-361916 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808686 | sourcecodester Comment System V1.0 SQL Injection https://github.com/redshadowword-cell/CVE/issues/7 https://www.sourcecodester.com/ |
| SourceCodester--SUP Online Shopping | A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affected element is an unknown function of the file /admin/viewmsg.php. Performing a manipulation of the argument msgid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2026-05-08 | 7.3 | CVE-2026-8128 | VDB-361918 | SourceCodester SUP Online Shopping viewmsg.php sql injection VDB-361918 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808772 | sourcecodester SUP Online Shopping V1.0 SQL Injection https://github.com/redshadowword-cell/CVE/issues/9 https://www.sourcecodester.com/ |
| SourceCodester--SUP Online Shopping | A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2026-05-08 | 7.3 | CVE-2026-8129 | VDB-361919 | SourceCodester SUP Online Shopping wishlist.php sql injection VDB-361919 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808773 | sourcecodester SUP Online Shopping V1.0 SQL Injection https://github.com/redshadowword-cell/CVE/issues/10 https://www.sourcecodester.com/ |
| SourceCodester--SUP Online Shopping | A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. This affects an unknown function of the file /admin/message.php. The manipulation of the argument seenid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2026-05-08 | 7.3 | CVE-2026-8130 | VDB-361920 | SourceCodester SUP Online Shopping message.php sql injection VDB-361920 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808774 | sourcecodester SUP Online Shopping V1.0 SQL Injection https://github.com/redshadowword-cell/CVE/issues/11 https://www.sourcecodester.com/ |
| SourceCodester--SUP Online Shopping | A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the argument msgid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-08 | 7.3 | CVE-2026-8131 | VDB-361921 | SourceCodester SUP Online Shopping replymsg.php sql injection VDB-361921 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808775 | sourcecodester SUP Online Shopping V1.0 sql https://github.com/redshadowword-cell/CVE/issues/12 https://www.sourcecodester.com/ |
| CodeAstro--Leave Management System | A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-08 | 7.3 | CVE-2026-8132 | VDB-361922 | CodeAstro Leave Management System login.php sql injection VDB-361922 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808784 | codeastro Leave Management System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/64 https://codeastro.com/ |
| zyx0814--FilePress | A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The name of the patch is e20ec58414103f781858f2951d178e19b1736664. A patch should be applied to remediate this issue. | 2026-05-08 | 7.3 | CVE-2026-8133 | VDB-361923 | zyx0814 FilePress Shares Filelist API admin.php sql injection VDB-361923 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808819 | zyx0814 FilePress <=2.2.0 SQL Injection https://github.com/zyx0814/FilePress/issues/70 https://github.com/zyx0814/FilePress/pull/71 https://github.com/xiaohaiyang-ai/Web-Security-Research/tree/main/FilePress/Shares-API-PreAuth-SQLi https://github.com/zyx0814/FilePress/commit/e20ec58414103f781858f2951d178e19b1736664 https://github.com/zyx0814/FilePress/ |
| Industrial Application Software IAS--Canias ERP | A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This issue affects the function iasServerRemoteInterface.doAction of the component Java RMI Session Management. Such manipulation leads to improper authentication. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 7.3 | CVE-2026-8216 | VDB-362433 | Industrial Application Software IAS Canias ERP Java RMI Session Management iasServerRemoteInterface.doAction improper authentication VDB-362433 | CTI Indicators (IOB, IOC, IOA) Submit #808244 | Industrial Application Software - IAS Canias ERP 8.03-- Improper Authentication (CWE-287) https://hawktrace.com/blog/caniaserp |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Rocketsoft--Rocket LMS | Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers of other users viewing the message history, enabling session hijacking and phishing attacks. | 2026-05-10 | 6.4 | CVE-2021-47907 | ExploitDB-50677 Official Product Homepage VulnCheck Advisory: Rocket LMS 1.1 Persistent Cross-Site Scripting via Support Tickets |
| Accesspressthemes--AccessPress Social Icons | AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon title' field. Attackers can store XSS payloads like image tags with onerror event handlers that execute when the plugin page is viewed, affecting all users who access the plugin interface. | 2026-05-10 | 6.4 | CVE-2021-47910 | ExploitDB-50515 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin AccessPress Social Icons 1.8.2 Stored XSS |
| Soliloquywp--Slider by Soliloquy | Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScript payloads in the title field when creating or editing sliders, which executes in the browsers of users viewing the slider on both administrative and frontend pages. | 2026-05-10 | 6.4 | CVE-2021-47922 | ExploitDB-50563 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Slider by Soliloquy 2.6.2 Stored XSS |
| Etoilewebdesign--Ultimate Product Catalog | Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed. | 2026-05-10 | 6.4 | CVE-2021-47924 | ExploitDB-50534 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Ultimate Product Catalog 5.8.2 Stored XSS via price |
| Cmdbuild--CMDBuild | CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments. | 2026-05-10 | 6.4 | CVE-2021-47925 | ExploitDB-50527 Official Product Homepage Product Reference VulnCheck Advisory: CMDBuild 3.3.2 Multiple Stored Cross-Site Scripting |
| Form2Email--Contact Form to Email | Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft. | 2026-05-10 | 6.4 | CVE-2021-47926 | ExploitDB-50524 Official Product Homepage VulnCheck Advisory: WordPress Contact Form to Email 1.3.24 Stored XSS |
| Wpsymposiumpro--WP Symposium Pro | WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization of the forum name parameter. Attackers can submit POST requests to the admin setup page with JavaScript payloads in the wps_admin_forum_add_name parameter, which are stored and executed when the forum is accessed. | 2026-05-10 | 6.4 | CVE-2021-47927 | ExploitDB-50514 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin WP Symposium Pro 2021.10 Stored XSS via wps_admin_forum_add_name |
| Filterable-Portfolio--Filterable Portfolio Gallery | Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attackers can store JavaScript code like image tags with onerror handlers that execute when the gallery is previewed, affecting all users viewing the page. | 2026-05-10 | 6.4 | CVE-2021-47929 | ExploitDB-50458 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Filterable Portfolio Gallery 1.0 Stored XSS |
| Exponentcms--Exponent CMS | Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary JavaScript, and the application also exposes database credentials in responses and lacks brute-force protection on authentication endpoints. | 2026-05-10 | 6.4 | CVE-2021-47931 | ExploitDB-50611 Official Product Homepage VulnCheck Advisory: Exponent CMS 2.6 Multiple Vulnerabilities Stored XSS Authentication |
| Projectsend--Projectsend | Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page. | 2026-05-10 | 6.4 | CVE-2021-47947 | ExploitDB-50240 Official Product Homepage Product Reference VulnCheck Advisory: Projectsend r1295 Stored Cross-Site Scripting via files-edit.php |
| Ampps--Advanced Guestbook | Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab. | 2026-05-10 | 6.4 | CVE-2021-47950 | ExploitDB-49875 Official Product Homepage VulnCheck Advisory: Advanced Guestbook 2.4.4 Persistent XSS via Smilies |
| picture-gallery--Picture Gallery | WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access Control settings. Attackers can enter JavaScript payloads in the plugin options that are stored in the database and executed when the functionality is triggered, enabling session hijacking or credential theft. | 2026-05-10 | 6.4 | CVE-2021-47951 | ExploitDB-50187 Product Reference VulnCheck Advisory: WordPress Picture Gallery 1.4.2 Stored XSS via Edit Content URL |
| Moodle--Moodle LMS | Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary scripts in users' browsers and steal session cookies. | 2026-05-10 | 6.1 | CVE-2022-50943 | ExploitDB-51115 Official Product Homepage Product Reference VulnCheck Advisory: Moodle LMS 4.0 Cross-Site Scripting via course search.php |
| 3dady--real-time web stats | WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed. | 2026-05-10 | 6.4 | CVE-2022-50945 | ExploitDB-51021 Official Product Homepage VulnCheck Advisory: WordPress 3dady Real-Time Web Stats 1.0 Stored XSS |
| netroics--Netroics Blog Posts Grid | WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject script payloads through the testimonial title field that execute in the browsers of other users viewing the draft post, enabling cookie theft and session hijacking. | 2026-05-10 | 6.4 | CVE-2022-50946 | ExploitDB-51008 Product Reference VulnCheck Advisory: WordPress Plugin Netroics Blog Posts Grid 1.0 Stored XSS |
| RadiusTheme--Testimonial Slider and Showcase | WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject JavaScript payloads through the testimonial title field that execute in the browsers of users viewing the draft post, enabling cookie theft and session hijacking. | 2026-05-10 | 6.4 | CVE-2022-50947 | ExploitDB-51007 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Testimonial Slider and Showcase 2.2.6 Stored XSS |
| Motopress--Motopress Hotel Booking Lite | Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page. | 2026-05-10 | 6.4 | CVE-2022-50948 | ExploitDB-50951 Official Product Homepage VulnCheck Advisory: Motopress Hotel Booking Lite 4.2.4 Stored Cross-Site Scripting |
| A-J-Evolution--Videos sync PDF | WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings. | 2026-05-10 | 6.4 | CVE-2022-50949 | ExploitDB-50874 Official Product Homepage VulnCheck Advisory: WordPress Plugin Videos sync PDF 1.7.4 Stored XSS |
| cab-fare-calculator--cab-fare-calculator | WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET parameter to include and execute files outside the intended controllers directory. | 2026-05-10 | 6.2 | CVE-2022-50954 | ExploitDB-50843 Official Product Homepage VulnCheck Advisory: WordPress Plugin cab-fare-calculator 1.0.3 Local File Inclusion |
| amministrazione-aperta--amministrazione-aperta | WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the open parameter. Attackers can supply file paths through the open GET parameter in dispatcher.php to include and read sensitive files accessible to the web server. | 2026-05-10 | 6.2 | CVE-2022-50956 | ExploitDB-50838 Official Product Homepage VulnCheck Advisory: WordPress Plugin amministrazione-aperta 3.7.3 Local File Read |
| avatar_uploader--avatar_uploader | Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers. | 2026-05-10 | 6.1 | CVE-2022-50957 | ExploitDB-50841 Product Reference VulnCheck Advisory: Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS |
| jetpack--Jetpack | WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers. | 2026-05-10 | 6.1 | CVE-2022-50958 | ExploitDB-50735 Product Reference VulnCheck Advisory: WordPress Plugin Jetpack 9.1 Cross Site Scripting via grunion-form-view.php |
| wpdevart--Contact Form Builder | WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers. | 2026-05-10 | 6.1 | CVE-2022-50959 | ExploitDB-50734 Product Reference VulnCheck Advisory: WordPress Contact Form Builder 1.6.1 Cross-Site Scripting via code_generator.php |
| Varun Sridharan--International Sms For Contact Form | WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers. | 2026-05-10 | 6.1 | CVE-2022-50960 | ExploitDB-50719 Product Reference VulnCheck Advisory: WordPress International Sms Contact Form 7 Integration 1.2 XSS |
| IP2Location--IP2Location Country Blocker | WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Settings interface. Attackers can inject malicious scripts in the URL field of the Display page settings that execute when administrators or other authenticated users visit the plugin settings page. | 2026-05-10 | 6.4 | CVE-2022-50961 | ExploitDB-50709 Product Reference VulnCheck Advisory: WordPress Plugin IP2Location Country Blocker 2.26.7 Stored XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the orders/myOrders module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50962 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 myOrders Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50963 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 myAuctions active Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50964 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 myAuctions loose Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50965 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 posts manage Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50966 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 news manage Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the tickets/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50967 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 tickets manage Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50968 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 auctions manage Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50969 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 mailingLog manage Reflected XSS |
| Spondonit--AmazCart CMS | AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Attackers can enter script tags in the search box to execute arbitrary JavaScript that fires when search history is viewed or results are displayed. | 2026-05-05 | 6.1 | CVE-2023-54349 | ExploitDB-51219 Official Product Homepage Product Reference VulnCheck Advisory: AmazCart CMS 3.4 Reflected Cross-Site Scripting via Search |
| Mikrotik--RouterOS | RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others. The vulnerability lies in shared certificate validation logic which uses the system certificate store that is shared and equally trusted by all system services. This causes confusion of scope, allowing any certificate authority present in the system-wide trust store to be trusted in any context (with some exceptions), allowing partial or full authentication bypass in CAPsMAN, OpenVPN, Dot1X and potentially others. | 2026-05-05 | 6.5 | CVE-2025-42611 | https://www.cert.si/en/cve-2025-42611/ |
| Medtronic--MyCareLink Patient Monitor 24950 | Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal. | 2026-05-07 | 6.8 | CVE-2025-4386 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-patient-monitor-vulnerabilities.html https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01 |
| Medtronic--MyCareLink Patient Monitor 24950 | Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data. | 2026-05-07 | 6.8 | CVE-2025-4397 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-patient-monitor-vulnerabilities.html https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01 https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-8-7-18.html https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-219-01 |
| Qualcomm, Inc.--Snapdragon | Transient DOS when processing target power rate tables during channel configuration. | 2026-05-04 | 6.5 | CVE-2025-47401 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS when processing a malformed Fast Transition response frame with an invalid header structure during wireless roaming. | 2026-05-04 | 6.5 | CVE-2025-47403 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption when dynamically changing the size of a previously allocated buffer while its contents are being modified. | 2026-05-04 | 6.5 | CVE-2025-47404 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Information Disclosure while processing IOCTL handler callbacks without verifying buffer size. | 2026-05-04 | 6.1 | CVE-2025-47406 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Apache Software Foundation--Apache CloudStack | Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue. | 2026-05-08 | 6.5 | CVE-2025-69233 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Hikvision--HikCentral Professional | There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission. | 2026-05-09 | 6.8 | CVE-2026-1749 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-hikcentral-professional/ |
| Cisco--Cisco IoT Field Network Director (IoT-FND) | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to retrieve files that they do not have permission to access. This vulnerability is due to insufficient file access checks. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to read files that they are not authorized to access. | 2026-05-06 | 6.5 | CVE-2026-20168 | cisco-sa-iot-fnd-dos-n8N26Q4u |
| Cisco--Cisco IoT Field Network Director (IoT-FND) | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to access files and execute commands on a remote router. This vulnerability is due to insufficient input validation of user-supplied data. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to create, read, or delete files and execute limited commands in user EXEC mode on a remote router. | 2026-05-06 | 6.4 | CVE-2026-20169 | cisco-sa-iot-fnd-dos-n8N26Q4u |
| WProyal--Royal Elementor Addons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a before 1.7.1053. | 2026-05-07 | 6.5 | CVE-2026-27421 | https://patchstack.com/database/wordpress/plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1053-cross-site-scripting-xss-vulnerability?_s_id=cve |
| traccar--traccar | Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0. | 2026-05-05 | 6.5 | CVE-2026-27644 | https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7 https://github.com/traccar/traccar/blob/v6.11.1/src/main/java/org/traccar/reports/CsvExportProvider.java#L89-L91 |
| jegstudio--Gutenverse Ultimate WordPress FSE Blocks Addons & Ecosystem | The Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-2868 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc540e5c-180f-4743-b1fb-608aa0e3ae79?source=cve https://plugins.trac.wordpress.org/changeset/3507804/gutenverse |
| jegstudio--Gutenverse Ultimate WordPress FSE Blocks Addons & Ecosystem | The Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import_images() function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-05-05 | 6.4 | CVE-2026-2948 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ac909a4b-d949-42eb-871a-963bc6242c12?source=cve https://plugins.trac.wordpress.org/changeset/3507804/gutenverse |
| gofiber--fiber | Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0. | 2026-05-05 | 6.5 | CVE-2026-30246 | https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8 https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621 https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the X.Org X server. This out-of-bounds read vulnerability in the XKB geometry processing, specifically within the `CheckSetGeom()` and `XkbAddGeomKeyAlias` functions, allows an attacker to read uninitialized or out-of-bounds memory. An attacker with a connection to the X11 server, either locally or remotely, can exploit this without user interaction. This could lead to the disclosure of memory contents or cause a denial of service by crashing the server. | 2026-05-05 | 6.1 | CVE-2026-34000 | https://access.redhat.com/security/cve/CVE-2026-34000 RHBZ#2451107 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit this by sending a malformed request, which causes the server to read beyond its intended memory boundaries. This can lead to the exposure of sensitive information or cause the server to crash, resulting in a denial of service. | 2026-05-05 | 6.1 | CVE-2026-34002 | https://access.redhat.com/security/cve/CVE-2026-34002 RHBZ#2451112 |
| edge22--GenerateBlocks | The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:<target>|key:<meta_key>}} and {{post_title id:<target>|link:author_email}}. | 2026-05-05 | 6.5 | CVE-2026-3454 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0297d524-e016-4f8d-920c-d58c62edb2a0?source=cve https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L424 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L501 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.php#L64 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.php#L364 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/class-meta-handler.php#L335 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L392 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3495827%40generateblocks%2Ftrunk&old=3415721%40generateblocks%2Ftrunk&sfp_email=&sfph_mail= |
| Oracle Corporation--Oracle OCI CLI of Oracle Open Source Projects | Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulnerability allows unauthenticated attacker with network access to compromise Oracle OCI CLI. Successful attacks of this vulnerability can result in Oracle OCI CLI allowing users to place imported files outside the intended directory. | 2026-05-06 | 6.1 | CVE-2026-35254 | Oracle Advisory |
| Oracle Corporation--Oracle Cloud Native Environment Command Line Interface | Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line Interface product via a malicious environment variable. Successful attacks of this vulnerability can result in Oracle Cloud Native Environment Command Line Interface allowing users to execute arbitrary code. | 2026-05-06 | 6.6 | CVE-2026-35255 | Oracle Advisory |
| OpenStack--Cyborg | In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service. | 2026-05-07 | 6.3 | CVE-2026-40214 | https://bugs.launchpad.net/openstack-cyborg/+bug/2144056 https://www.openwall.com/lists/oss-security/2026/05/07/6 https://security.openstack.org/ossa/OSSA-2026-011.html |
| pglombardo--PasswordPusher | Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2. | 2026-05-08 | 6.5 | CVE-2026-41308 | https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-qfh8-f79c-x86c https://github.com/pglombardo/PasswordPusher/pull/4381 https://github.com/pglombardo/PasswordPusher/commit/45dc2512875231ef45ecd5dfc8c3c8185f882bf4 |
| ironfede--openmcdf | OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3. | 2026-05-08 | 6.2 | CVE-2026-41511 | https://github.com/openmcdf/openmcdf/security/advisories/GHSA-jxpf-xq2m-q525 https://github.com/openmcdf/openmcdf/commit/24f445a557fc4f46461cf6d02d296cce16c293a0 https://github.com/openmcdf/openmcdf/releases/tag/v3.1.3 |
| th30d4y--IP | In th30d4y/IP from version 1.0.1 to before version 2.0.1, a DOM-Based Cross-Site Scripting (XSS) vulnerability was identified in an IP Reputation Checker application. Unsanitized user input was directly rendered in the browser, allowing attackers to execute arbitrary JavaScript. This issue has been patched in version 2.0.1. | 2026-05-08 | 6.1 | CVE-2026-41575 | https://github.com/th30d4y/IP/security/advisories/GHSA-j7wv-7j97-9qh9 |
| marko-js--marko | Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a <script> or <style> block could break out of the tag with </SCRIPT>, </Style>, etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. This issue has been patched in marko version 5.38.36 and @marko/runtime-tags 6.0.164. | 2026-05-08 | 6.4 | CVE-2026-41591 | https://github.com/marko-js/marko/security/advisories/GHSA-x9fj-57fh-c8wq |
| lxc--incus | Incus is a system container and virtual machine manager. Prior to version 7.0.0, a missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file. This issue has been patched in version 7.0.0. | 2026-05-07 | 6.5 | CVE-2026-41647 | https://github.com/lxc/incus/security/advisories/GHSA-fwj8-62r8-8p8m https://github.com/lxc/incus/releases/tag/v7.0.0 |
| NaturalIntelligence--fast-xml-parser | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0. | 2026-05-07 | 6.1 | CVE-2026-41650 | https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6 https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php which contains database credentials. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.5 | CVE-2026-41655 | https://github.com/Admidio/admidio/security/advisories/GHSA-m3vp-3jjm-gpmx https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.5 | CVE-2026-41658 | https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholders() converts those brackets into HTML angle brackets, producing executable markup. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.1 | CVE-2026-41661 | https://github.com/Admidio/admidio/security/advisories/GHSA-gq27-fc8w-vcmp https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {"active": true} for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (/oidc/revoke) returns {"revoked": true} without actually revoking any token, preventing resource servers from invalidating compromised credentials. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.8 | CVE-2026-41671 | https://github.com/Admidio/admidio/security/advisories/GHSA-9xx5-cv6j-x533 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| lxc--incus | Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import preflight while also carrying a malformed legacy backup/container/backup.yaml file that is reparsed later from the restored file system. ParseConfigYamlFile() accepts YAML documents with no container section, and multiple downstream consumers then dereference. Container without checking for nil. Confirmed examples in the instance restore and import flow include backup.UpdateInstanceConfig() and internalImportFromBackup(). An authenticated user with permission to import instance backups may be able to crash the Incus daemon with a crafted backup archive whose inline backup/index.yaml is valid but whose extracted legacy backup.yaml omits container. The crash occurs in the restore path after archive extraction has begun. This issue has been patched in version 7.0.0. | 2026-05-07 | 6.5 | CVE-2026-41684 | https://github.com/lxc/incus/security/advisories/GHSA-x5r6-jr56-89pv https://github.com/lxc/incus/releases/tag/v7.0.0 |
| ellite--Wallos | Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches. | 2026-05-07 | 6 | CVE-2026-41689 | https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv |
| i18next--i18next-http-backend | Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation. When an application exposes the language-code selection to user-controlled input (the default - i18next-browser-languagedetector reads ?lng= query params, cookies, localStorage, and request headers), an attacker can inject characters that change the structure of the outgoing request URL. This is a single URL-injection vulnerability. The attacker-controlled value is neutralised before it is used as part of an output URL string; the attack shape covers both path traversal and broader URL-structure injection - both are closed by the one interpolateUrl sanitisation fix. This issue has been fixed in version 3.0.5. If users cannot upgrade immediately, they can work around the issue by sanitising lng / ns before they reach i18next (strip .., /, \, ?, #, %, whitespace, and control characters; cap the length). | 2026-05-07 | 6.5 | CVE-2026-41691 | https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g https://github.com/i18next/i18next-http-backend/commit/4cee84f229c637b9c182366d3156f726d407a621 |
| locize--i18next-locize-backend | i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites - _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2. | 2026-05-08 | 6.5 | CVE-2026-41885 | https://github.com/locize/i18next-locize-backend/security/advisories/GHSA-mgcp-mfp8-3q45 |
| givanz--Vvveb | Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization. | 2026-05-07 | 6.1 | CVE-2026-41929 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a https://www.vulncheck.com/advisories/vvveb-unauthenticated-reflected-xss-via-visual-editor |
| langgenius--dify | Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing. | 2026-05-05 | 6.5 | CVE-2026-41950 | https://github.com/langgenius/dify/releases/tag/1.14.0 https://huntr.com/bounties/181136ec-d957-4b75-8ea7-6fa7b8abd01d https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-uuid |
| MapServer--MapServer | MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2. | 2026-05-08 | 6.1 | CVE-2026-42030 | https://github.com/MapServer/MapServer/security/advisories/GHSA-4g9f-ph64-hg2x https://github.com/MapServer/MapServer/releases/tag/rel-8-6-2 |
| patrickhener--goshs | goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser - bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2. | 2026-05-04 | 6.5 | CVE-2026-42091 | https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm https://github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32 https://github.com/patrickhener/goshs/releases/tag/v2.0.2 |
| titraio--titra | titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as google_secret, openai_apikey, and google_clientid. At time of publication no public patch is available. | 2026-05-04 | 6.5 | CVE-2026-42092 | https://github.com/titraio/titra/security/advisories/GHSA-4h9p-49hg-vppw |
| GreycLab--CImg | CImg Library is a C++ library for image processing. Prior to commit 4ca26bc, there is an integer overflow vulnerability in the W*H*D size computation inside _load_pnm() that can bypass the memory allocation guard. A crafted PNM/PGM/PPM file with large dimension values causes the overflow to wrap around, allocating an undersized buffer and potentially triggering a heap buffer overflow. Any application using CImg to load untrusted image files is affected. This issue has been patched via commit 4ca26bc. | 2026-05-04 | 6.1 | CVE-2026-42144 | https://github.com/GreycLab/CImg/security/advisories/GHSA-4663-63fm-44gc https://github.com/GreycLab/CImg/issues/478 https://github.com/GreycLab/CImg/commit/4ca26bce4d8c61fcd1507d5f9401b9fb1222c27d https://github.com/GreycLab/CImg/releases/tag/v.3.7.5 |
| Erudika--scoold | Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address is written to the application configuration file. The change does not become active immediately in the current process, because the ADMINS set is loaded once at startup. After a Scoold restart, though, the selected user is recognized as an administrator and gains access to the admin panel. This issue gives an attacker a reliable persistence path: write their own email into scoold.admins, wait for a restart or trigger one operationally, and the account comes back as admin. This issue has been patched in version 1.67.0. | 2026-05-08 | 6.7 | CVE-2026-42176 | https://github.com/Erudika/scoold/security/advisories/GHSA-7qfx-c234-xg4g https://github.com/Erudika/scoold/releases/tag/1.67.0 |
| LemmyNet--lemmy | Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18. | 2026-05-08 | 6.3 | CVE-2026-42180 | https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948 https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 |
| LemmyNet--lemmy | Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18. | 2026-05-08 | 6.5 | CVE-2026-42181 | https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.8 | CVE-2026-42194 | https://github.com/Admidio/admidio/security/advisories/GHSA-hcjj-chvw-fmw9 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| becheran--grid | Grid is a data structure grid for rust. From version 0.17.0 to before version 1.0.1, an integer overflow in Grid::expand_rows() can corrupt the relationship between the grid's logical dimensions and its backing storage. After the internal invariant is broken, the safe API get() may invoke get_unchecked() with an invalid index, resulting in Undefined Behavior. This issue has been patched in version 1.0.1. | 2026-05-08 | 6.2 | CVE-2026-42199 | https://github.com/becheran/grid/security/advisories/GHSA-38c5-483c-4qqp https://github.com/becheran/grid/commit/be213bd3528727148bef2d523c89e95d1fd9c072 https://github.com/becheran/grid/releases/tag/v1.0.1 |
| almirhodzic--nova-toggle-5 | nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource - including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area). The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model - not just columns exposed as Toggle fields on the resource. This issue has been patched in version 1.3.0. | 2026-05-08 | 6.5 | CVE-2026-42202 | https://github.com/almirhodzic/nova-toggle-5/security/advisories/GHSA-f5c8-m5vw-rmgq https://github.com/almirhodzic/nova-toggle-5/releases/tag/v1.3.0 |
| halfgaar--FlashMQ | FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values, resulting in denial of service. If anonymous retained publishing is allowed, no authentication is required; otherwise, the attacker needs the corresponding publish permission. This issue has been patched in version 1.26.1. | 2026-05-08 | 6.5 | CVE-2026-42209 | https://github.com/halfgaar/FlashMQ/security/advisories/GHSA-2789-vfcg-5922 https://github.com/halfgaar/FlashMQ/issues/167 https://github.com/halfgaar/FlashMQ/commit/193b6e7767889511cfa8e933908ea5e6a1077a1f https://github.com/halfgaar/FlashMQ/releases/tag/v1.26.1 |
| 0xJacky--nginx-ui | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8. | 2026-05-04 | 6.5 | CVE-2026-42220 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-7jrr-xw9c-mj39 https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 |
| 0xJacky--nginx-ui | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes (via ProtectedFill in SaveSettings) and is completely ignored during reads. This exposes 40+ protected fields including JwtSecret (enabling auth token forgery), NodeSecret (enabling cluster node impersonation), OIDC ClientSecret (enabling OAuth account takeover), and the IP whitelist configuration. This issue has been patched in version 2.3.8. | 2026-05-04 | 6.5 | CVE-2026-42223 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-q4w7-56hr-83rm https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 |
| onyx-dot-app--onyx | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the file belongs to them. An attacker who knows or obtains a file UUID can access confidential documents, chat attachments, and other files uploaded by any user in the system. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6. | 2026-05-08 | 6.5 | CVE-2026-42277 | https://github.com/onyx-dot-app/onyx/security/advisories/GHSA-vg3h-35f7-7w6r |
| Syslifters--sysreptor | SysReptor is a fully customizable pentest reporting platform. From version 2026.4 to before version 2026.27, the endpoints for reading and creating sharing links for personal notes is not properly authorized. This allows authenticated attackers who obtain the note ID of victim users to list and create sharing links to those users' personal notes. This gives attackers read and write access to notes of other users. This exploit works in both SysReptor Professional and Community. In Community it has, however, no impact because all users have superuser permissions and can list personal notes of other users at /admin/pentests/usernotebookpage/. This issue has been patched in version 2026.27. | 2026-05-08 | 6.8 | CVE-2026-42291 | https://github.com/Syslifters/sysreptor/security/advisories/GHSA-pcpr-q2qj-3v43 https://github.com/Syslifters/sysreptor/releases/tag/2026.27 |
| labring--FastGPT | FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU - Time-of-Check to Time-of-Use). The function resolves the hostname via dns.resolve4()/dns.resolve6() and checks resolved IPs against private ranges, but the actual HTTP request happens in a separate call with a new DNS resolution, allowing the DNS record to change between validation and fetch. At time of publication, there are no publicly available patches. | 2026-05-08 | 6.3 | CVE-2026-42344 | https://github.com/labring/FastGPT/security/advisories/GHSA-cc8x-jrqv-hmwh |
| gitroomhq--postiz-app | Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4-v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7. | 2026-05-08 | 6.5 | CVE-2026-42346 | https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-f7jj-p389-4w45 https://github.com/gitroomhq/postiz-app/commit/071143dcb01cdeb9d5d7019892f4c6ff7b19dbeb https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7 |
| GeoVision Inc.--GV-LPC2011/LPC2211 | A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability. | 2026-05-04 | 6.5 | CVE-2026-42367 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner message-tool runs. | 2026-05-05 | 6.5 | CVE-2026-42433 | GitHub Security Advisory (GHSA-7jp6-r74r-995q) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools |
| grimmory-tools--grimmory | Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser with full access to the Grimmory application's session context. This can enable session token theft and account takeover, including administrative access if an administrator opens the affected book. This issue has been patched in version 2.3.1. | 2026-05-08 | 6.3 | CVE-2026-42451 | https://github.com/grimmory-tools/grimmory/security/advisories/GHSA-frv6-5wq5-9p24 http://github.com/grimmory-tools/grimmory/releases/tag/v2.3.1 |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7. | 2026-05-09 | 6.5 | CVE-2026-42576 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-m7hm-vm4x-28jf https://github.com/chainguard-dev/apko/commit/6604826b19e36e9bc6e196592800fad93738f4a1 https://github.com/chainguard-dev/apko/releases/tag/v1.2.7 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted. | 2026-05-05 | 6.5 | CVE-2026-43528 | GitHub Security Advisory (GHSA-8372-7vhw-cm6q) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender's context, causing earlier messages to execute with elevated permissions. | 2026-05-05 | 6.8 | CVE-2026-43535 | GitHub Security Advisory (GHSA-jwrq-8g5x-5fhm) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.14 - Authorization Context Reuse in Collect-Mode Queue Batches |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system. | 2026-05-05 | 6.5 | CVE-2026-43567 | GitHub Security Advisory (GHSA-jf25-7968-h2h5) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Path Traversal in screen_record outPath Parameter |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate privileges. | 2026-05-05 | 6.5 | CVE-2026-43568 | GitHub Security Advisory (GHSA-5gjc-grvm-m88j) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.5 < 2026.4.10 - Privilege Escalation via Memory Dreaming Configuration in /dreaming Endpoint |
| OpenClaw--OpenClaw | OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory. | 2026-05-05 | 6.5 | CVE-2026-43570 | GitHub Security Advisory (GHSA-cr8r-7g2h-6wr6) Patch Commit (1) Patch Commit (2) VulnCheck Advisory: OpenClaw 2026.3.22 < 2026.4.5 - Symlink Traversal in Remote Marketplace Repository Path Handling |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id. | 2026-05-05 | 6.5 | CVE-2026-43574 | GitHub Security Advisory (GHSA-49cg-279w-m73x) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions. | 2026-05-06 | 6.5 | CVE-2026-43577 | GitHub Security Advisory (GHSA-qmwg-qprg-3j38) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.9 - Arbitrary File Read via Browser Interaction Routes |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile settings through unprotected mutation endpoints to gain unauthorized configuration persistence. | 2026-05-06 | 6.5 | CVE-2026-43579 | GitHub Security Advisory (GHSA-f3h5-h452-vp3j) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Insufficient Access Control in Nostr Profile Mutation Routes |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivot to internal resources via unallowlisted hostname URLs. | 2026-05-06 | 6.3 | CVE-2026-43582 | GitHub Security Advisory (GHSA-xq94-r468-qwgj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - DNS Rebinding SSRF via Hostname Validation Bypass |
| roxnor--ElementsKit Elementor Addons Advanced Widgets & Templates Addons for Elementor | The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget's custom designs, text, and configurations are permanently replaced with a blank template. | 2026-05-05 | 6.5 | CVE-2026-4362 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7740fdfb-65b2-4d27-935f-b0e73487f0c4?source=cve https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L27 https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L10 https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/init.php#L37 https://plugins.trac.wordpress.org/changeset/3499543/elementskit-lite/trunk/modules/widget-builder/live-action.php https://plugins.trac.wordpress.org/changeset?old_path=%2Felementskit-lite/tags/3.8.2&new_path=%2Felementskit-lite/tags/3.9.0 |
| wpkube--Subscribe To Comments Reloaded | The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys and manage comment subscription preferences for arbitrary users | 2026-05-05 | 6.5 | CVE-2026-4409 | https://www.wordfence.com/threat-intel/vulnerabilities/id/91f9235e-f578-475f-92c3-34062d6d1e3d?source=cve https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/wp_subscribe_reloaded.php#L1613 https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/utils/stcr_utils.php#L164 https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/templates/user.php#L37 |
| labring--FastGPT | FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP server URL. That stored URL could later be used by workflow execution without revalidating the destination. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint such as http://localhost:3000/mcp and later cause the FastGPT backend workflow runner to connect to that internal destination. This issue has been patched in version 4.14.17. | 2026-05-08 | 6.3 | CVE-2026-44284 | https://github.com/labring/FastGPT/security/advisories/GHSA-cxxj-99f7-f5wq https://github.com/labring/FastGPT/pull/6826 https://github.com/labring/FastGPT/commit/c1c6b9520d976d25ed945b5bc4e0768149e6db69 https://github.com/labring/FastGPT/releases/tag/v4.14.17 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. This issue has been patched in version 4.6.34. | 2026-05-08 | 6.3 | CVE-2026-44337 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450. | 2026-05-08 | 6.6 | CVE-2026-45130 | https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8 https://github.com/vim/vim/releases/tag/v9.2.0450 |
| Hex-Rays--IDA | Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 does not block Clang dependency-file generation (via argument injection), which allows attackers to place their code into a plugins directory if the victim uses an attacker-supplied .i64 file. | 2026-05-09 | 6.5 | CVE-2026-45181 | https://blog.calif.io/p/using-ida-to-find-bugs-in-ida-with https://docs.hex-rays.com/release-notes/9_3sp2 |
| KDE--Kdenlive | Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used. | 2026-05-09 | 6.5 | CVE-2026-45184 | https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685 https://commits.kde.org/kdenlive/c3999aacc6da54756f3df8aab03b900459562ecd https://kde.org/info/security/advisory-20260508-1.txt |
| shapedplugin--Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel | The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox `data-caption` attributes in all versions up to, and including, 2.7.10. This is due to the `fancybox-config.js` script reading the carousel container's `id` attribute directly from the DOM to construct a jQuery selector without sanitization. When a Contributor crafts an HTML block with a malformed carousel container ID (containing characters invalid for jQuery selectors), the custom fancybox configuration throws a JavaScript error and fails to initialize. This causes the bundled fancybox library (v3.5.7) to fall back to its default caption handling, which renders the `data-caption` attribute content as raw HTML. Since WordPress allows `data-*` attributes through `wp_kses_post()`, this makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks an image in the crafted carousel lightbox. | 2026-05-05 | 6.4 | CVE-2026-4665 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e75815a3-2414-47f3-b0c4-e5d3e2cb369d?source=cve https://plugins.trac.wordpress.org/browser/wp-carousel-free/tags/2.7.10/public/js/fancybox-config.js#L3 https://plugins.trac.wordpress.org/browser/wp-carousel-free/trunk/public/js/fancybox-config.js#L3 https://plugins.trac.wordpress.org/changeset/3506878/wp-carousel-free/trunk/public/js/fancybox.js |
| commonninja--Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website | The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-4730 | https://www.wordfence.com/threat-intel/vulnerabilities/id/491c7680-d270-41ed-a756-9397a0bd86bc?source=cve https://wordpress.org/plugins/charts-ninja-graphs-and-charts https://plugins.trac.wordpress.org/browser/charts-ninja-graphs-and-charts/tags/2.1.0/chartsninja.php#L24 https://plugins.trac.wordpress.org/browser/charts-ninja-graphs-and-charts/trunk/chartsninja.php#L24 |
| croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin exposes a public_nonce value through the /wp-json/ssa/v1/embed-inner endpoint, which is accessible to unauthenticated users. The appointment deletion endpoint at /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk use a permission check that accepts requests containing both an X-WP-Nonce header (with any arbitrary value) and an X-PUBLIC-Nonce header (with the valid public nonce). When the X-WP-Nonce validation fails, the function falls back to validating the X-PUBLIC-Nonce without properly rejecting the request. Since the public_nonce is exposed to all unauthenticated visitors and is site-wide (not user-specific or appointment-specific), attackers can obtain it and use it to view details of arbitrary appointments, including the public_edit_url, or delete arbitrary appointments by ID. This makes it possible for unauthenticated attackers to view, delete or modify any appointment in the system, disclosing sensitive appointment data, causing service disruption, and loss of booking records. | 2026-05-07 | 6.5 | CVE-2026-4807 | https://www.wordfence.com/threat-intel/vulnerabilities/id/436ab843-7729-4d57-9c9e-2ede2f101ddb?source=cve https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/lib/td-util/class-td-api-model.php#L361 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/lib/td-util/class-td-api-model.php#L110 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-appointment-model.php#L698 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-shortcodes.php#L889 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/booking-app-new/iframe-inner.php#L444 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-bootstrap.php#L151 https://plugins.trac.wordpress.org/changeset/3511993/simply-schedule-appointments/trunk/includes |
| wproyal--Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site. | 2026-05-05 | 6.4 | CVE-2026-5159 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ee96d8c5-baf0-4c5c-9ace-e88bbb95ee0a?source=cve https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3514368%40royal-elementor-addons%2Ftrunk&old=3503219%40royal-elementor-addons%2Ftrunk&sfp_email=&sfph_mail= |
| mirceatm--NMR Strava activities | The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `strava_nmr_connect` shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-08 | 6.4 | CVE-2026-5341 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7e033919-ca00-4789-8635-b4189e1499ef?source=cve https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.14/nmr-strava-activities.php#L247 https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.14/nmr-strava-activities.php#L259 https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.15/nmr-strava-activities.php#L240 https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.15/nmr-strava-activities.php#L251 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3524779%40nmr-strava-activities%2Ftrunk&old=3520018%40nmr-strava-activities%2Ftrunk&sfp_email=&sfph_mail= |
| bitacre--WP-Clippy | The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `clippy` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-5505 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ec49ed83-a09d-460d-be34-0fb79032b543?source=cve https://plugins.trac.wordpress.org/browser/wp-clippy/tags/1.0.0/wp-clippy.php#L23 https://plugins.trac.wordpress.org/browser/wp-clippy/trunk/wp-clippy.php#L23 https://plugins.trac.wordpress.org/browser/wp-clippy/tags/1.0.0/wp-clippy.php#L26 https://plugins.trac.wordpress.org/browser/wp-clippy/trunk/wp-clippy.php#L26 |
| servmask--All-in-One WP Migration Unlimited Extension | The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user capabilities before saving schedule data. This makes it possible for authenticated attackers, with subscriber-level access and above, to create scheduled export jobs and send backup notifications to attacker-controlled email addresses. Because such notifications include the random backup filename, full site backups can subsequently be downloaded from the target site, resulting in sensitive information exposure. | 2026-05-06 | 6.5 | CVE-2026-5753 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8a31080-c124-49be-b9d1-7bc5abe7cbda?source=cve https://help.servmask.com/knowledgebase/unlimited-extension-changelog/ |
| DivvyDrive Information Technologies Inc.--DivvyDrive | Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 6.5 | CVE-2026-5791 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| roxnor--EmailKit Email Customizer for WooCommerce & WP | The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to and including 1.6.5. This is due to a flawed path traversal validation in the create_template() method of the CheckForm class, where realpath() is called on the allowed base directory (wp-content/uploads/emailkit/templates/) which may not exist, causing it to return false. In PHP 8.x, strpos($real_path, false) implicitly converts false to an empty string, and strpos() with an empty needle always returns 0, causing the check strpos(...) !== 0 to evaluate to false and bypassing the path validation entirely. This makes it possible for authenticated attackers, with Author-level access and above, to read arbitrary files from the server, including sensitive files such as wp-config.php, by supplying an absolute path to the emailkit-editor-template REST API parameter. | 2026-05-05 | 6.5 | CVE-2026-5957 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae58e5b0-b587-4503-8519-c5a50245891a?source=cve https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L166 https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L170 https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/EmailSettings/MetformEmailSettings.php#L252 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L170 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L163 https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L163 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L166 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/EmailSettings/MetformEmailSettings.php#L252 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3511701%40emailkit%2Ftrunk&old=3496714%40emailkit%2Ftrunk&sfp_email=&sfph_mail= |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration. | 2026-05-07 | 6.5 | CVE-2026-6214 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b8d42c-bceb-456e-a682-358e8df831e3?source=cve https://plugins.trac.wordpress.org/browser/forminator/trunk/library/class-export.php#L178 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/library/class-export.php#L178 https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-l10n.php#L448 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-l10n.php#L448 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3512045%40forminator%2Ftrunk&old=3510688%40forminator%2Ftrunk&sfp_email=&sfph_mail= |
| sszdh--Simple Owl Shortcodes | The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'num' attribute of the 'owls_wrapper' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-6255 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e33a2f27-20c2-4963-9558-1eead0515690?source=cve https://plugins.trac.wordpress.org/browser/simple-owl-shortcodes/tags/2.1.1/inc/owls_wrapper.php#L11 https://plugins.trac.wordpress.org/browser/simple-owl-shortcodes/trunk/inc/owls_wrapper.php#L11 |
| MuffinGroup--Betheme | The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the upload_icons() function workflow using a user-controlled upload path (`mfn-icon-upload`) in a filesystem move operation without constraining it to the uploads directory. This makes it possible for authenticated attackers, with contributor-level access and above, to move/delete arbitrary local files via path traversal. | 2026-05-05 | 6.5 | CVE-2026-6262 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3486f114-5625-4751-a25e-2c5ab7b15b38?source=cve https://support.muffingroup.com/changelog/ |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation instead of a cryptographically random value. This allows the attacker to stockpile valid TPM quotes and replay them to evade detection after compromising the system. This issue affects only the push model deployment. | 2026-05-06 | 6.3 | CVE-2026-6420 | https://access.redhat.com/security/cve/CVE-2026-6420 RHBZ#2458889 |
| iovamihai--Affiliate Program Suite SliceWP Affiliates | The Affiliate Program Suite - SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'slicewp_affiliate_url' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-06 | 6.4 | CVE-2026-6672 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5b9e92ea-49fc-420d-9d0e-29bcf78843bd?source=cve https://plugins.trac.wordpress.org/changeset/3517135/slicewp |
| zingaya--Zingaya Click-to-Call | The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'first_name', 'last_name', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-05 | 6.1 | CVE-2026-6696 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5bdd515c-6b52-467c-9446-6ae9b3b75e50?source=cve https://wordpress.org/plugins/zingaya-click-to-call/ https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L62 https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L71 https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L79 https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L104 |
| foux--Publish 2 Ping.fm | The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-05 | 6.1 | CVE-2026-6702 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c0dc5349-139a-4bf3-8503-0e75b132c68c?source=cve https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/admin.php#L136 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/admin.php#L136 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/admin.php#L76 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/admin.php#L76 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/prefs.php#L219 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/prefs.php#L219 |
| phpsandeepkumar--Blog Settings | The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-05 | 6.1 | CVE-2026-6704 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d28e5374-dd34-4745-a20b-059e9846d96d?source=cve https://wordpress.org/plugins/blog-settings/ https://plugins.trac.wordpress.org/browser/blog-settings/tags/1.0/blog-settings.php#L173 https://plugins.trac.wordpress.org/browser/blog-settings/tags/1.0/blog-settings.php#L46 |
| Rapid7--Velociraptor | Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org. However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org. | 2026-05-06 | 6.8 | CVE-2026-6863 | https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/ |
| latepoint--LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint - where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database - combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed. | 2026-05-06 | 6.4 | CVE-2026-7457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/628b3f53-decd-47ac-a2d1-339ade1e6944?source=cve https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/misc/process_action.php#L606 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/misc/process_action.php#L606 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L318 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L318 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/replacer_helper.php#L276 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/replacer_helper.php#L276 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/misc/process_action.php#L606 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/controllers/customer_cabinet_controller.php#L318 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/helpers/replacer_helper.php#L276 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail= |
| wowdevs--Sky Addons Elementor Addons with Widgets & Templates | The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with `capability_type => 'post'` and `show_in_rest => true`, combined with insufficient input sanitization on the `sky_script_content` meta field and lack of output escaping when rendering scripts on the frontend. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via the REST API that execute on every frontend page for all site visitors. | 2026-05-08 | 6.4 | CVE-2026-7475 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cfaa8ffd-549e-4803-aa17-d1317a606e7a?source=cve https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/3.3.2/includes/custom-scripts/class-custom-scripts-data.php#L128 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/3.3.2/includes/custom-scripts/class-custom-scripts-loader.php#L270 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/trunk/includes/custom-scripts/class-custom-scripts-data.php#L134 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/3.3.3/includes/custom-scripts/class-custom-scripts-data.php#L134 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/trunk/includes/custom-scripts/class-custom-scripts-loader.php#L237 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3521696%40sky-elementor-addons%2Ftrunk&old=3517772%40sky-elementor-addons%2Ftrunk&sfp_email=&sfph_mail= |
| oleksandrz--E2Pdf Export Pdf Tool for WordPress | The E2Pdf - Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `e2pdf-download` shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shortcode attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-08 | 6.4 | CVE-2026-7650 | https://www.wordfence.com/threat-intel/vulnerabilities/id/36310ab1-f84e-4154-b782-51254c476d79?source=cve https://wordpress.org/plugins/e2pdf https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.00/classes/model/e2pdf-shortcode.php#L157 https://plugins.trac.wordpress.org/browser/e2pdf/trunk/classes/model/e2pdf-shortcode.php#L172 https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.18/classes/model/e2pdf-shortcode.php#L172 https://plugins.trac.wordpress.org/changeset/3522046/e2pdf/trunk/classes/model/e2pdf-shortcode.php |
| crocodilestick--Calibre-Web-Automated | A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation results in improper authorization. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.0.7 addresses this issue. The patch is identified as 9f50bb2c16160564c9f8777dc2ceed3eb95e4807. The affected component should be upgraded. | 2026-05-04 | 6.3 | CVE-2026-7713 | VDB-360889 | crocodilestick Calibre-Web-Automated Kobo auth-token Route kobo_auth.py generate_auth_token improper authorization VDB-360889 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806403 | crocodilestick Calibre-Web-Automated v1.0.0-v4.0.6 IDOR in auth-token generation leading to account takeover https://github.com/crocodilestick/Calibre-Web-Automated/issues/1303 https://github.com/new-usemame/Calibre-Web-NextGen/pull/18 https://gist.github.com/menelausx/ef98aa78ed2869ccaa316ff45ed1a440 https://github.com/new-usemame/Calibre-Web-NextGen/commit/9f50bb2c16160564c9f8777dc2ceed3eb95e4807 https://github.com/new-usemame/Calibre-Web-NextGen/releases/tag/v4.0.7 https://github.com/crocodilestick/Calibre-Web-Automated/ |
| crocodilestick--Calibre-Web-Automated | A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-04 | 6.5 | CVE-2026-7714 | VDB-360890 | crocodilestick Calibre-Web-Automated Admin Endpoint cwa_functions.py missing authentication VDB-360890 | CTI Indicators (IOB, IOC, IOA) Submit #806468 | crocodilestick Calibre-Web-Automated v1.0.0-v4.0.6 Denial of Service https://github.com/crocodilestick/Calibre-Web-Automated/issues/1304 https://github.com/crocodilestick/Calibre-Web-Automated/pull/1308 https://gist.github.com/menelausx/1b45c952d352a2ebdc01cd8d5aa88e87 https://github.com/crocodilestick/Calibre-Web-Automated/ |
| ravenwits--mcp-server-arangodb | A vulnerability has been found in ravenwits mcp-server-arangodb up to 0.4.7. This affects the function arango_backup of the file src/tools.ts of the component MCP Interface. Such manipulation of the argument outputDir leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 6.3 | CVE-2026-7715 | VDB-360891 | ravenwits mcp-server-arangodb MCP tools.ts arango_backup path traversal VDB-360891 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806913 | ravenwits mcp-server-arangodb 0.4.7 Path Traversal https://github.com/ravenwits/mcp-server-arangodb/issues/7 https://github.com/BruceJqs/public_exp/issues/34 https://github.com/ravenwits/mcp-server-arangodb/ |
| code-projects--Gym Management System In PHP | A vulnerability was found in code-projects Gym Management System In PHP and Windows NT 1.0. This vulnerability affects unknown code of the file /index.php. Performing a manipulation of the argument day results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-05-04 | 6.3 | CVE-2026-7716 | VDB-360892 | code-projects Gym Management System In PHP/Windows NT index.php sql injection VDB-360892 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807105 | Code-projects Gym Management System In PHP 1.0 SQL injection https://github.com/QAp89/CVE/blob/main/SQL1.md https://code-projects.org/ |
| Totolink--WA300 | A vulnerability was identified in Totolink WA300 5.2cu.7112_B20190227. Impacted is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument webWlanIdx leads to command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-05-04 | 6.3 | CVE-2026-7718 | VDB-360894 | Totolink WA300 POST Request cstecgi.cgi setWebWlanIdx command injection VDB-360894 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807196 | Totolink WA300 WA300 V5.2cu.7112_B20190227 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-setWebWlanIdx-34553a41781f800ab40ae0c3d68c78a6?pvs=73 https://www.totolink.net/ |
| Totolink--WA300 | A weakness has been identified in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument langType causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-05-04 | 6.3 | CVE-2026-7720 | VDB-360896 | Totolink WA300 POST Request cstecgi.cgi setLanguageCfg command injection VDB-360896 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807198 | Totolink WA300 WA300 V5.2cu.7112_B20190227 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-setLanguageCfg-34553a41781f8007b6c5c7964d424286 https://www.totolink.net/ |
| Totolink--WA300 | A security vulnerability has been detected in Totolink WA300 5.2cu.7112_B20190227. This affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument hostTime leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2026-05-04 | 6.3 | CVE-2026-7721 | VDB-360897 | Totolink WA300 cstecgi.cgi NTPSyncWithHost command injection VDB-360897 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807199 | Totolink WA300 WA300 V5.2cu.7112_B20190227 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-NTPSyncWithHost-34553a41781f80808f3cfd14e1c603e7 https://www.totolink.net/ |
| PrefectHQ--prefect | A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commit_sha/directories results in argument injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 3.6.25.dev7 can resolve this issue. The patch is identified as 6a9d9918716ce4ee0297b69f3046f7067ef1faae. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 6.3 | CVE-2026-7725 | VDB-360901 | PrefectHQ prefect GitRepository Pull storage.py argument injection VDB-360901 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807356 | PerfectHQ Perfect <= 3.6.24 Argument Injection https://gist.github.com/nedlir/c37d90dda5f715790eafc970b2ef0c8a https://github.com/PrefectHQ/prefect/pull/21384 https://github.com/PrefectHQ/prefect/commit/6a9d9918716ce4ee0297b69f3046f7067ef1faae https://github.com/PrefectHQ/prefect/releases/tag/3.6.25.dev7 https://github.com/PrefectHQ/prefect/ |
| ryanjoachim--mcp-rtfm | A vulnerability was identified in ryanjoachim mcp-rtfm 0.1.0. This vulnerability affects the function get_doc_content/read_doc/update_doc of the component MCP Interface. Such manipulation of the argument docFile leads to path traversal. The attack can be launched remotely. The exploit is publicly available and might be used. The name of the patch is e6f0686fc36012f78236e7fed172c81444904b0b. It is best practice to apply a patch to resolve this issue. | 2026-05-04 | 6.3 | CVE-2026-7728 | VDB-360903 | ryanjoachim mcp-rtfm MCP update_doc path traversal VDB-360903 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807538 | ryanjoachim mcp-rtfm 0.1.0, Commit 054fe515735cb477d4640c20930c04b243e443fc Path Traversal https://github.com/ryanjoachim/mcp-rtfm/issues/5 https://github.com/BruceJqs/public_exp/issues/35 https://github.com/ryanjoachim/mcp-rtfm/commit/e6f0686fc36012f78236e7fed172c81444904b0b https://github.com/ryanjoachim/mcp-rtfm/ |
| pixelsock--directus-mcp | A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance. | 2026-05-04 | 6.3 | CVE-2026-7729 | VDB-360904 | pixelsock directus-mcp MCP index.ts validateUrl server-side request forgery VDB-360904 | CTI Indicators (IOB, IOC, IOA) Submit #807539 | pixelsock directus-mcp 1.0.0, Commit 77758625355d105364eeaeac9afec2f743fe369b Server-Side Request Forgery https://github.com/pixelsock/directus-mcp/issues/13 https://github.com/pixelsock/directus-mcp/pull/14 https://github.com/BruceJqs/public_exp/issues/36 https://github.com/pixelsock/directus-mcp/ |
| privsim--mcp-test-runner | A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function child_process.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 6.3 | CVE-2026-7730 | VDB-360905 | privsim mcp-test-runner MCP index.ts child_process.spawn os command injection VDB-360905 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807541 | privsim mcp-test-runner 0.2.0, Commit 83c84ed053f534774f7de935aeaa7698a5e5f9dc Command Injection https://github.com/privsim/mcp-test-runner/issues/24 https://github.com/BruceJqs/public_exp/issues/37 https://github.com/privsim/mcp-test-runner/ |
| code-projects--BloodBank Managing System | A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. The affected element is an unknown function of the file get_state.php. The manipulation of the argument G_STATE_ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2026-05-04 | 6.3 | CVE-2026-7731 | VDB-360906 | code-projects BloodBank Managing System get_state.php sql injection VDB-360906 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807557 | Code-projects BLOODBANK MANAGING SYSTEM IN PHP 1.0 SQL injection https://github.com/QAp89/CVE/blob/main/SQL3.md https://code-projects.org/ |
| code-projects--BloodBank Managing System | A vulnerability was detected in code-projects BloodBank Managing System 1.0. The impacted element is an unknown function of the file request_blood.php. The manipulation results in unrestricted upload. The attack can be executed remotely. The exploit is now public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7732 | VDB-360907 | code-projects BloodBank Managing System request_blood.php unrestricted upload VDB-360907 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807558 | Code-projects BLOODBANK MANAGING SYSTEM IN PHP 1.0 arbitrary file upload leading to RCE vulnerability https://github.com/QAp89/CVE/blob/main/Arbitrary%20file%20upload%20leading%20to%20RCE1.md https://code-projects.org/ |
| puchunjie--doc-tools-mcp | A security flaw has been discovered in puchunjie doc-tools-mcp 1.0.18. This affects the function create_document/open_document of the file src/mcp-server.ts of the component MCP Interface. The manipulation of the argument filePath results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 6.3 | CVE-2026-7738 | VDB-360913 | puchunjie doc-tools-mcp MCP mcp-server.ts open_document path traversal VDB-360913 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807642 | puchunjie @puchunjie/doc-tools-mcp 1.0.18, Commit c96df45a16710a3eec41a7a94c32b81468db28ea Path Traversal https://github.com/puchunjie/doc-tools-mcp/issues/4 https://github.com/BruceJqs/public_exp/issues/38 https://github.com/puchunjie/doc-tools-mcp/ |
| CodeAstro--Online Classroom | A vulnerability was detected in CodeAstro Online Classroom 1.0. Impacted is an unknown function of the file /OnlineClassroom/studentlogin. Performing a manipulation of the argument sid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7741 | VDB-360916 | CodeAstro Online Classroom studentlogin sql injection VDB-360916 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807692 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/18 https://codeastro.com/ |
| CodeAstro--Online Classroom | A flaw has been found in CodeAstro Online Classroom 1.0. The affected element is an unknown function of the file /OnlineClassroom/facultylogin. Executing a manipulation of the argument fid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2026-05-04 | 6.3 | CVE-2026-7742 | VDB-360917 | CodeAstro Online Classroom facultylogin sql injection VDB-360917 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807694 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/19 https://codeastro.com/ |
| CodeAstro--Online Classroom | A vulnerability has been found in CodeAstro Online Classroom 1.0. The impacted element is an unknown function of the file /OnlineClassroom/studentdetails. The manipulation of the argument deleteid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7743 | VDB-360918 | CodeAstro Online Classroom studentdetails sql injection VDB-360918 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807695 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/20 https://codeastro.com/ |
| CodeAstro--Online Classroom | A vulnerability was found in CodeAstro Online Classroom 1.0. This affects an unknown function of the file /OnlineClassroom/addnewstudent. The manipulation of the argument fname results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used. | 2026-05-04 | 6.3 | CVE-2026-7744 | VDB-360919 | CodeAstro Online Classroom addnewstudent sql injection VDB-360919 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807696 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/21 https://codeastro.com/ |
| CodeAstro--Online Classroom | A vulnerability was determined in CodeAstro Online Classroom 1.0. This impacts an unknown function of the file /OnlineClassroom/facultydetails. This manipulation of the argument deleteid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-04 | 6.3 | CVE-2026-7745 | VDB-360920 | CodeAstro Online Classroom facultydetails sql injection VDB-360920 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807697 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/22 https://codeastro.com/ |
| SourceCodester--Web-based Pharmacy Product Management System | A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file /product_expiry/edit-admin.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-05-04 | 6.3 | CVE-2026-7746 | VDB-360921 | SourceCodester Web-based Pharmacy Product Management System edit-admin.php sql injection VDB-360921 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807693 | SourceCodester Web-based Pharmacy Product Management System V1.0 SQL Injection https://github.com/mjh134/CVE/issues/1 https://www.sourcecodester.com/ |
| CodeCanyon--Perfex CRM | A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in authorization bypass. The attack may be performed from remote. The exploit is now public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7782 | VDB-360979 | CodeCanyon Perfex CRM Tenant Clients.php project authorization VDB-360979 | CTI Indicators (IOB, IOC, IOA) Submit #807683 | Canyon Perfex CRM CRM 3.4.1 Improper Authorization https://bytium.com/insights/perfex-crm-3-4-1-cross-tenant-broken-access-control-on-project-discussion-comments |
| CodeCanyon--Perfex CRM | A flaw has been found in CodeCanyon Perfex CRM up to 3.4.1. This vulnerability affects the function AbstractKanban::applySortQuery of the file application/services/AbstractKanban.php of the component Admin Kanban Endpoint. This manipulation of the argument this causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-05-04 | 6.3 | CVE-2026-7783 | VDB-360980 | CodeCanyon Perfex CRM Admin Kanban Endpoint AbstractKanban.php applySortQuery sql injection VDB-360980 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807743 | CodeCanyon Perfex CRM 3.4.1 SQL Injection https://bytium.com/insights/blind-sql-injection-in-perfex-crm-3-4-1 |
| itsourcecode--Courier Management System | A vulnerability was identified in itsourcecode Courier Management System 1.0. This impacts an unknown function of the file /print_pdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-05-05 | 6.3 | CVE-2026-7822 | VDB-361074 | itsourcecode Courier Management System print_pdets.php sql injection VDB-361074 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807773 | itsourcecode Courier Management System V1.0 SQL Injection https://github.com/ltranquility/submit/issues/14 https://itsourcecode.com/ |
| chatchat-space--Langchain-Chatchat | A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 6.3 | CVE-2026-7844 | VDB-361123 | chatchat-space Langchain-Chatchat Compatible File Service openai_routes.py delete_file missing authentication VDB-361123 | CTI Indicators (IOB, IOC, IOA) Submit #807790 | chatchat-space Langchain-Chatchat 0.3.1.3 Missing Authorization / CWE-862 https://github.com/chatchat-space/Langchain-Chatchat/issues/5465 https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-4-Missing-Auth-File-Endpoints.md https://github.com/chatchat-space/Langchain-Chatchat/ |
| MongoDB Inc.--MongoDB Server | An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage's input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server. This issue affects MongoDB Server 8.2 versions prior to 8.2.7. | 2026-05-07 | 6.5 | CVE-2026-8063 | https://jira.mongodb.org/browse/SERVER-121851 |
| router-for-me--CLIProxyAPI | A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-07 | 6.3 | CVE-2026-8081 | VDB-361836 | router-for-me CLIProxyAPI api_tools.go server-side request forgery VDB-361836 | CTI Indicators (IOB, IOC, IOA) Submit #807811 | router-for-me CLIProxyAPI 6.9.29 Server-Side Request Forgery https://github.com/m3ngx1ng/cve/blob/main/CLIProxyAPI-SSRF.md |
| CodeAstro--Online Classroom | A security flaw has been discovered in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /askquery.php. The manipulation of the argument squeryx results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. | 2026-05-07 | 6.3 | CVE-2026-8097 | VDB-361849 | CodeAstro Online Classroom askquery.php sql injection VDB-361849 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808115 | codeastro Online Classroom V1.0 SQL Injection http://github.com/suze233/CVE/issues/1 https://codeastro.com/ |
| 8421bit--MiniClaw | A vulnerability was found in 8421bit MiniClaw up to 223c16a1088e138838dcbd18cd65a37c35ac5a84. Affected is the function executeCognitivePulse of the file src/kernel.ts. Performing a manipulation results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 028f62216dee9f64833d0f1cfda7c217067ceba8. To fix this issue, it is recommended to deploy a patch. | 2026-05-07 | 6.3 | CVE-2026-8112 | VDB-361900 | 8421bit MiniClaw kernel.ts executeCognitivePulse os command injection VDB-361900 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808166 | 8421bit MiniClaw 0 OS Command Injection https://github.com/8421bit/MiniClaw/issues/4 https://github.com/8421bit/MiniClaw/pull/7 https://github.com/8421bit/MiniClaw/commit/028f62216dee9f64833d0f1cfda7c217067ceba8 https://github.com/8421bit/MiniClaw/ |
| n/a--JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation of the argument condition leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor confirms (translated from Chinese): "It should have been fixed; a batch of issues were recently resolved." | 2026-05-07 | 6.3 | CVE-2026-8114 | VDB-361902 | JeecgBoot JSON Object loadTreeData sql injection VDB-361902 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808186 | https://github.com/jeecgboot/JeecgBoot <=3.91 SQL Injection https://github.com/jeecgboot/JeecgBoot/issues/9571 https://github.com/jeecgboot/JeecgBoot/ |
| huangjunsen0406--xiaozhi-mcphub | A weakness has been identified in huangjunsen0406 xiaozhi-mcphub up to 1.0.3. This vulnerability affects unknown code of the file src/controllers/dxtController.ts. This manipulation of the argument manifest.name causes path traversal. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-07 | 6.3 | CVE-2026-8116 | VDB-361904 | huangjunsen0406 xiaozhi-mcphub dxtController.ts path traversal VDB-361904 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808260 | huangjunsen0406 xiaozhi-mcphub 1.0.3 Path Traversal https://github.com/huangjunsen0406/xiaozhi-mcphub/issues/29 https://github.com/huangjunsen0406/xiaozhi-mcphub/ |
| code-projects--Simple Chat System | A vulnerability was detected in code-projects Simple Chat System 1.0. This vulnerability affects unknown code of the file sendMessage.php. The manipulation of the argument type/length/business parameter validity results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | 2026-05-08 | 6.3 | CVE-2026-8125 | VDB-361915 | code-projects Simple Chat System sendMessage.php sql injection VDB-361915 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808679 | code-projects Simple Chat System v1.0 SQL Injection https://github.com/MICHEY-Ben/cve/issues/1 https://code-projects.org/ |
| n/a--eladmin | A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 6.3 | CVE-2026-8127 | VDB-361917 | eladmin Users API Endpoint UserController.java checkLevel access control VDB-361917 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808771 | eladmin 2.7 Improper Access Controls https://github.com/elunez/eladmin/issues/897 |
| UGREEN--CM933 | A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authentication. The attack requires being on the local network. You should upgrade the affected component. The vendor replied: "We have successfully confirmed and reproduced the issue. We take this matter very seriously and have incorporated the fix into our development schedule. The issue is scheduled to be resolved in the release version coming in late April." | 2026-05-09 | 6.3 | CVE-2026-8185 | VDB-362337 | UGREEN CM933 Administrative missing authentication VDB-362337 | CTI Indicators (IOB, IOC) Submit #793588 | UGREEN CM933 Managed Network Switch 1.1.59.4319 CWE-306: Missing Authentication for Critical Function |
| Wavlink--NU516U1 | A vulnerability has been found in Wavlink NU516U1 M16U1_V240425. Affected is the function change_wifi_password of the file /cgi-bin/adm.cgi. The manipulation of the argument wl_channel/wl_Pass/EncrypType leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8188 | VDB-362340 | Wavlink NU516U1 adm.cgi change_wifi_password os command injection VDB-362340 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800727 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_1/1.md |
| Wavlink--NU516U1 | A vulnerability was found in Wavlink NU516U1 M16U1_V240425. Affected by this vulnerability is the function wzdrepeater of the file /cgi-bin/adm.cgi. The manipulation of the argument wlan_bssid/sel_Automode/sel_EncrypTyp results in os command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8189 | VDB-362341 | Wavlink NU516U1 adm.cgi wzdrepeater os command injection VDB-362341 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800728 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_2/2.md |
| Wavlink--NU516U1 | A vulnerability was determined in Wavlink NU516U1 M16U1_V240425. Affected by this issue is the function wan of the file /cgi-bin/adm.cgi. This manipulation of the argument ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway is directly passed by the attacker/so we can control the ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway causes os command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8190 | VDB-362342 | Wavlink NU516U1 adm.cgi wan os command injection VDB-362342 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800729 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_3/3.md |
| Wavlink--NU516U1 | A vulnerability was identified in Wavlink NU516U1 M16U1_V240425. This affects the function wifi_region of the file /cgi-bin/adm.cgi. Such manipulation of the argument skiplist1/skiplist2 leads to os command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8191 | VDB-362343 | Wavlink NU516U1 adm.cgi wifi_region os command injection VDB-362343 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800730 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_4/4.md |
| Wavlink--NU516U1 | A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument EncrypType/wl_Pass is directly passed by the attacker/so we can control the EncrypType/wl_Pass results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8192 | VDB-362344 | Wavlink NU516U1 adm.cgi wzdap os command injection VDB-362344 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800731 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_5/5.md |
| n/a--Akaunting | A weakness has been identified in Akaunting 3.1.21. This issue affects some unknown processing of the file config/dompdf.php of the component Invoice PDF Rendering. Executing a manipulation can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 6.3 | CVE-2026-8193 | VDB-362345 | Akaunting Invoice PDF Rendering dompdf.php server-side request forgery VDB-362345 | CTI Indicators (IOB, IOC, IOA) Submit #800984 | akaunting 3.1.21 Server-Side Request Forgery https://drive.google.com/file/d/1zC8gMYeIfZi3CsK6RXBQINU_mllXH_6n/view?usp=drive_link |
| Industrial Application Software IAS--Canias ERP | A security flaw has been discovered in Industrial Application Software IAS Canias ERP 8.03. Impacted is the function Runtime.getRuntime.exec of the component RMI Interface. Performing a manipulation of the argument troiaCode results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 6.3 | CVE-2026-8217 | VDB-362434 | Industrial Application Software IAS Canias ERP RMI Runtime.getRuntime.exec os command injection VDB-362434 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808262 | Industrial Application Software - IAS Canias ERP 8.03-- Code Injection - Remote Code Execution - (CWE-94/CWE-78) https://hawktrace.com/blog/caniaserp https://gist.github.com/0xb1lal/6ccc2356e7e0a26f7b8a6bd6f0d84bbb |
| Wavlink--NU516U1 | A weakness has been identified in Wavlink NU516U1 240425. This issue affects the function wzdapMesh of the file /cgi-bin/adm.cgi. This manipulation causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8227 | VDB-362444 | Wavlink NU516U1 adm.cgi wzdapMesh os command injection VDB-362444 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800732 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_6/6.md |
| Wavlink--NU516U1 | A security vulnerability has been detected in Wavlink NU516U1 240425. Impacted is the function advance of the file /cgi-bin/wireless.cgi. Such manipulation of the argument wlan_conf/Channel/skiplist/ieee_80211h leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8228 | VDB-362445 | Wavlink NU516U1 wireless.cgi advance os command injection VDB-362445 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800733 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_7/7.md |
| Wavlink--NU516U1 | A vulnerability was detected in Wavlink NU516U1 240425. The affected element is the function WifiBasic of the file /cgi-bin/wireless.cgi. Performing a manipulation of the argument AuthMethod/EncrypType results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8229 | VDB-362446 | Wavlink NU516U1 wireless.cgi WifiBasic os command injection VDB-362446 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800734 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_8/8.md |
| Wavlink--NU516U1 | A flaw has been found in Wavlink NU516U1 240425. The impacted element is the function sys_login1 of the file /cgi-bin/login.cgi. Executing a manipulation of the argument ipaddr can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8230 | VDB-362447 | Wavlink NU516U1 login.cgi sys_login1 os command injection VDB-362447 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800735 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_9/9.md |
| CodeAstro--Online Catering Ordering System | A vulnerability has been found in CodeAstro Online Catering Ordering System 1.0. This affects an unknown function of the file /deleteorder.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-05-10 | 6.3 | CVE-2026-8231 | VDB-362448 | CodeAstro Online Catering Ordering System deleteorder.php sql injection VDB-362448 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808783 | codeastro Online Catering Ordering System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/63 https://codeastro.com/ |
| Opencart--OpenCart | OpenCart 3.0.36 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and account information, then use password reset functionality to gain unauthorized access to compromised accounts. | 2026-05-10 | 5.3 | CVE-2021-47946 | ExploitDB-49407 Official Product Homepage Product Reference VulnCheck Advisory: OpenCart 3.0.36 Account Takeover via Cross Site Request Forgery |
| invoicing--Payments Plugin GetPaid | WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during payment form creation, which gets stored in the database and executed in the browser when the form is viewed. | 2026-05-10 | 5.4 | CVE-2021-47948 | ExploitDB-50246 Product Reference VulnCheck Advisory: WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text |
| Getaawp--WordPress Plugin AAWP | WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrary JavaScript in the context of authenticated users. | 2026-05-10 | 5.4 | CVE-2022-50970 | ExploitDB-50643 Official Product Homepage VulnCheck Advisory: WordPress Plugin AAWP 3.16 Reflected XSS via tab Parameter |
| Hitachi--Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900 | Improper restriction of excessive authentication attempts vulnerability in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28. This issue affects Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28 : before DKCMAIN Ver 88-08-16-xx/00, GUM Ver. 88-08-20/00, before DKCMAIN Ver 93-07-26-xx/00, GUM Ver. 93-07-26/00, before DKCMAIN Ver A3-04-02-xx/00, EMS Ver. A3-04-02/00, before DKCMAIN Ver A3-03-41-xx/00, EMS Ver. A3-03-41/00, before DKCMAIN Ver A3-03-03-xx/00, EMS Ver. A3-03-02/00. | 2026-05-07 | 5.3 | CVE-2025-2514 | https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_306.html |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception. | 2026-05-06 | 5.3 | CVE-2025-31960 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--DFXAnalytics | HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS) | 2026-05-06 | 5.3 | CVE-2025-31970 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| WEN Themes--WEN Logo Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WEN Themes WEN Logo Slider allows DOM-Based XSS. This issue affects WEN Logo Slider: from n/a through 3.4.0. | 2026-05-07 | 5.9 | CVE-2025-62127 | https://patchstack.com/database/wordpress/plugin/wen-logo-slider/vulnerability/wordpress-wen-logo-slider-plugin-3-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Magepeople inc.--Bus Ticket Booking with Seat Reservation | Missing Authorization vulnerability in Magepeople inc. Bus Ticket Booking with Seat Reservation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bus Ticket Booking with Seat Reservation: from n/a before 5.6.8. | 2026-05-07 | 5.3 | CVE-2025-66105 | https://patchstack.com/database/wordpress/plugin/bus-ticket-booking-with-seat-reservation/vulnerability/wordpress-bus-ticket-booking-with-seat-reservation-plugin-5-6-8-broken-access-control-vulnerability?_s_id=cve |
| WPGraphQL--WPGraphQL | Cross-Site Request Forgery (CSRF) vulnerability in WPGraphQL allows Cross Site Request Forgery. This issue affects WPGraphQL: from n/a through 2.5.3. | 2026-05-07 | 5.4 | CVE-2025-68604 | https://patchstack.com/database/wordpress/plugin/wp-graphql/vulnerability/wordpress-wpgraphql-plugin-2-5-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system. | 2026-05-06 | 5.3 | CVE-2026-20195 | cisco-sa-ise-unauth-bypass-uxjRXGpb |
| Cisco--Cisco Webex Meetings | A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed because of the presence of an insecure direct object reference. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by sending a crafted request to the vulnerable API endpoint. A successful exploit could have allowed the attacker to view the social profiles of other users or affect quiz and poll results. | 2026-05-06 | 5.4 | CVE-2026-20219 | cisco-sa-slido-idor-CpsFmKxN |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing IOCTL command when device is in power-save state. | 2026-05-04 | 5.5 | CVE-2026-25266 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| WProyal--Royal Elementor Addons | Missing Authorization vulnerability in WProyal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a before 1.7.1053. | 2026-05-07 | 5.3 | CVE-2026-25436 | https://patchstack.com/database/wordpress/plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1053-broken-access-control-vulnerability?_s_id=cve |
| weDevs--Happy Addons for Elementor | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs Happy Addons for Elementor allows Retrieve Embedded Sensitive Data. This issue affects Happy Addons for Elementor: from n/a through 3.20.8. | 2026-05-07 | 5.3 | CVE-2026-25468 | https://patchstack.com/database/wordpress/plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions. | 2026-05-05 | 5.3 | CVE-2026-2729 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1afb94ab-b3ba-4598-8ff4-f9ffc6717371?source=cve https://plugins.trac.wordpress.org/changeset/3500669/forminator |
| YITH--YITH WooCommerce Wishlist | Authorization Bypass Through User-Controlled Key vulnerability in YITH YITH WooCommerce Wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Wishlist: from n/a through 4.12.0. | 2026-05-07 | 5.3 | CVE-2026-27329 | https://patchstack.com/database/wordpress/plugin/yith-woocommerce-wishlist/vulnerability/wordpress-yith-woocommerce-wishlist-plugin-4-12-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| bPlugins--PDF Poster | Missing Authorization vulnerability in bPlugins PDF Poster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF Poster: from n/a through 2.4.1. | 2026-05-07 | 5.3 | CVE-2026-27416 | https://patchstack.com/database/wordpress/plugin/pdf-poster/vulnerability/wordpress-pdf-poster-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve |
| traccar--traccar | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0. | 2026-05-05 | 5.4 | CVE-2026-27693 | https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656 https://github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.java#L52-L54 |
| traccar--traccar | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0. | 2026-05-05 | 5.4 | CVE-2026-27694 | https://github.com/traccar/traccar/security/advisories/GHSA-6hfr-mj4m-hrvv |
| elabftw--elabftw | eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2. | 2026-05-05 | 5.9 | CVE-2026-28510 | https://github.com/elabftw/elabftw/security/advisories/GHSA-x5wv-c9q4-fj65 https://github.com/elabftw/elabftw/commit/8b7a575aef128870861187eaa2b2f0f08654ecf9 |
| n/a--Pluck CMS | Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function | 2026-05-04 | 5.7 | CVE-2026-31205 | https://github.com/pluck-cms/pluck/blob/main/data/inc/functions.all.php#L207 https://github.com/pluck-cms/pluck/blob/main/data/inc/editpage.php https://github.com/pluck-cms/pluck/issues/141 https://medium.com/@nakah_/pluck-cms-stored-xss-in-page-editor-cve-2026-31205-3b0526743e1d?postPublishedType=initial |
| mercadopago--Mercado Pago payments for WooCommerce | The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references. | 2026-05-06 | 5.3 | CVE-2026-3208 | https://www.wordfence.com/threat-intel/vulnerabilities/id/986e0252-b94d-4ac8-9083-0218fa8a651e?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L358 https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L92 https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoocommerce-mercadopago/tags/8.7.11&new_path=%2Fwoocommerce-mercadopago/tags/8.7.12 |
| EZVIZ--EZVIZ APP | Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit this by eavesdropping on network requests to obtain data.Users are advised to upgrade the app to the latest version and enable the video encryption feature. | 2026-05-09 | 5.3 | CVE-2026-32683 | https://www.ezviz.com/inter/trust-center/security/security-notice/2026.05.08 https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-cloud-function-modules-of-some-hikvisi/ |
| Red Hat--Fast Datapath for RHEL 7 | A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system. | 2026-05-05 | 5.9 | CVE-2026-34956 | https://access.redhat.com/security/cve/CVE-2026-34956 RHBZ#2453459 |
| ZTE--ZTE PROCESS Guard service | There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traversal bypass. | 2026-05-06 | 5.2 | CVE-2026-40001 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1477954674427011121 |
| ZTE--ZX297520V3 BootROM | ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution. | 2026-05-07 | 5.1 | CVE-2026-40003 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2144487415169560645 |
| ZTE--ZXCLOUD iRAI | There exists an openssl.cnf privilege escalation vulnerability in ZTE Cloud PC client uSmartview. An attacker can execute arbitrary code locally and escalate privileges. | 2026-05-07 | 5.5 | CVE-2026-40004 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3126272076755775573 |
| PHPOffice--PhpSpreadsheet | PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4. | 2026-05-06 | 5.4 | CVE-2026-40296 | https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hrmw-qprp-wgmc |
| open-telemetry--opentelemetry-dotnet | OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size. | 2026-05-06 | 5.3 | CVE-2026-41310 | https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081 |
| istio--istio | Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link local ips. This can result in sensitive data being distributed to Envoy proxies via xDS configuration. This issue has been patched in versions 1.28.6 and 1.29.2. | 2026-05-07 | 5 | CVE-2026-41413 | https://github.com/istio/istio/security/advisories/GHSA-fgw5-hp8f-xfhc https://github.com/istio/istio/releases/tag/1.28.6 https://github.com/istio/istio/releases/tag/1.29.2 |
| netty--netty | Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final. | 2026-05-06 | 5.3 | CVE-2026-41417 | https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv |
| open-telemetry--opentelemetry-dotnet-contrib | OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, disable the Azure VM resource detector or use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint. This issue is fixed in version 1.15.1-beta.1, which streams responses rather than buffering them entirely in memory and ignores responses larger than 4 MiB. | 2026-05-06 | 5.9 | CVE-2026-41483 | https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-vc24-j8c5-2vw4 https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4121 |
| open-telemetry--opentelemetry-dotnet-contrib | OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to the configured back-end or collector results in an unsuccessful HTTP 4xx or 5xx response, the HttpJsonPostTransport class reads the entire response body into memory with no upper bound on the number of bytes consumed in order to include the error response in operator logs. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the configured back-end or collector endpoint. This issue is fixed in version 1.15.1, which limits the number of bytes read from the response body in an error condition to 4 MiB. | 2026-05-06 | 5.3 | CVE-2026-41484 | https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-55m9-299j-53c7 https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4117 |
| czlonkowski--n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.11, when n8n-mcp runs in HTTP transport mode, incoming requests to the POST /mcp endpoint had their request metadata written to server logs regardless of the authentication outcome. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens from the Authorization header, per-tenant API keys from the, x-n8n-key header in multi-tenant setups, JSON-RPC request payloads sent to the MCP endpoint. Access control itself was not bypassed - unauthenticated requests were correctly rejected with 401 Unauthorized - but sensitive values from those rejected requests could still be persisted in logs. This issue has been patched in version 2.47.11. | 2026-05-08 | 5.3 | CVE-2026-41495 | https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-pfm2-2mhg-8wpx https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.11 |
| enchant97--note-mark | Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3. | 2026-05-04 | 5.3 | CVE-2026-41572 | https://github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf https://github.com/enchant97/note-mark/releases/tag/v0.19.3 |
| projectdiscovery--nuclei | Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response data containing helper/function syntax gets reused by multi-step templates. If the -env-vars / -ev option is explicitly enabled, this can expose host environment variables. That option is off by default, so standard configurations are not affected by the information disclosure risk. This issue has been patched in version 3.8.0. | 2026-05-08 | 5.3 | CVE-2026-41645 | https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr https://github.com/projectdiscovery/nuclei/pull/7221 https://github.com/projectdiscovery/nuclei/pull/7321 https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3 https://github.com/projectdiscovery/nuclei/releases/tag/v3.8.0 |
| projectdiscovery--nuclei | Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0. | 2026-05-08 | 5.5 | CVE-2026-41646 | https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-29rg-wmcw-hpf4 https://github.com/projectdiscovery/nuclei/pull/7332 https://github.com/projectdiscovery/nuclei/commit/6f2ade6a9b427c284c15a43445f9c7f055e60e5d |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result. This issue has been patched in version 5.0.9. | 2026-05-07 | 5.2 | CVE-2026-41662 | https://github.com/Admidio/admidio/security/advisories/GHSA-c7xm-r6vj-8vg6 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) can read and modify the notification subscriptions of any other user, including admins, by sending a single POST request. This is a sibling of CVE-2025-48472's notification authorization bypass - the prior fix did not cover this code path. A non-admin attacker can silently disable an admin's email/browser/mobile notifications, suppressing security alerts and conversation-assignment notices. This issue has been patched in version 1.8.217. | 2026-05-07 | 5.4 | CVE-2026-41903 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-f489-qxv6-gvgg https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| givanz--Vvveb | Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule. | 2026-05-07 | 5.3 | CVE-2026-41928 | https://github.com/givanz/Vvveb/commit/517bc09faf44136e72de391aacc8b90a706f7ae7 https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-cron-controller |
| givanz--Vvveb | Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests. | 2026-05-06 | 5.3 | CVE-2026-41931 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-xgvg-r47g-786r https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-debug-exception-handler |
| novafacile--novagallery | novaGallery is a php image gallery. Prior to version 2.1.1, a path traversal vulnerability has been identified in novaGallery. This allows unauthenticated users to read image files outside the intended gallery root directory. This issue has been patched in version 2.1.1. | 2026-05-08 | 5.3 | CVE-2026-42028 | https://github.com/novafacile/novagallery/security/advisories/GHSA-wv5j-98c7-frm9 https://github.com/novafacile/novagallery/commit/46fe7b0f79f429e18c8cff3f92360c4513732ba6 https://github.com/novafacile/novagallery/releases/tag/v2.1.1 |
| EvoMap--evolver | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3. | 2026-05-04 | 5.2 | CVE-2026-42077 | https://github.com/EvoMap/evolver/security/advisories/GHSA-2cjr-5v3h-v2w4 https://github.com/EvoMap/evolver/releases/tag/v1.69.3 |
| GreycLab--CImg | CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5. | 2026-05-04 | 5.5 | CVE-2026-42146 | https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv https://github.com/GreycLab/CImg/issues/477 https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3 https://github.com/GreycLab/CImg/releases/tag/v.3.7.5 |
| WeblateOrg--wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0. | 2026-05-08 | 5.1 | CVE-2026-42150 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3 https://github.com/WeblateOrg/wlc/pull/1327 https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469 https://github.com/WeblateOrg/wlc/releases/tag/2.0.0 |
| suitenumerique--people | People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0. | 2026-05-08 | 5.5 | CVE-2026-42185 | https://github.com/suitenumerique/people/security/advisories/GHSA-42cf-rv2h-v8rf https://github.com/suitenumerique/people/commit/6a51b96d8e907483fa8fc489d8714cc35fb4099b https://github.com/suitenumerique/people/releases/tag/v1.25.0 |
| redwoodjs--sdk | RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3. | 2026-05-08 | 5.3 | CVE-2026-42190 | https://github.com/redwoodjs/sdk/security/advisories/GHSA-m2m6-cff5-3w7c https://github.com/redwoodjs/sdk/releases/tag/v1.2.3 |
| useplunk--plunk | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0. | 2026-05-08 | 5.4 | CVE-2026-42192 | https://github.com/useplunk/plunk/security/advisories/GHSA-mjqc-qrv3-24hq https://github.com/useplunk/plunk/releases/tag/v0.9.0 |
| G-Research--ParquetSharp | ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1. | 2026-05-07 | 5.3 | CVE-2026-42241 | https://github.com/G-Research/ParquetSharp/security/advisories/GHSA-rrjr-v56m-ww88 https://github.com/G-Research/ParquetSharp/releases/tag/23.0.0.1 |
| solidtime-io--solidtime | solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1. | 2026-05-08 | 5.8 | CVE-2026-42279 | https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1 |
| OpenStack--Horizon | An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix. | 2026-05-05 | 5.3 | CVE-2026-43002 | https://bugs.launchpad.net/horizon/+bug/2150331 https://www.openwall.com/lists/oss-security/2026/05/05/7 https://security.openstack.org/ossa/OSSA-2026-009.html |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation, allowing unauthorized access to Teams SSO signin functionality. | 2026-05-05 | 5.3 | CVE-2026-43572 | GitHub Security Advisory (GHSA-gc9r-867r-j85f) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart or recovery. | 2026-05-06 | 5.3 | CVE-2026-43583 | GitHub Security Advisory (GHSA-r77c-2cmr-7p47) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.10 < 2026.4.14 - Loss of Group Tool-Policy Context in Delivery Queue Recovery |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context). An attacker who achieves any JavaScript execution within the renderer can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. At time of publication, there are no publicly available patches. | 2026-05-08 | 5.5 | CVE-2026-43942 | https://github.com/electerm/electerm/security/advisories/GHSA-37j4-88rp-2f6h |
| NixOS--Nix | An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7); | 2026-05-05 | 5.3 | CVE-2026-44029 | https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407 https://www.openwall.com/lists/oss-security/2026/05/04/33 https://github.com/NixOS/nix/security/advisories/GHSA-gr92-w2r5-qw5p |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root. | 2026-05-06 | 5.3 | CVE-2026-44112 | GitHub Security Advisory (GHSA-wppj-c6mr-83jj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 - Symlink Swap Race Condition in OpenShell FS Bridge Writes |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents. | 2026-05-06 | 5.3 | CVE-2026-44113 | GitHub Security Advisory (GHSA-5h3g-6xhh-rg6p) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 - Time-of-Check/Time-of-Use Race Condition in OpenShell FS Bridge |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests. | 2026-05-06 | 5.8 | CVE-2026-44117 | GitHub Security Advisory (GHSA-c4qg-j8jg-42q5) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot Direct Media Upload |
| ZTE--ZXCLOUD iRAI | ZTE Cloud PC client uSmartView contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privilege escalation, and memory corruption.contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privilege escalation, and memory corruption. | 2026-05-07 | 5.7 | CVE-2026-44406 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/8107253322107965601 |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0. | 2026-05-08 | 5.3 | CVE-2026-44500 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv |
| publishpress--Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Since it is also possible for administrators to make this functionality available to lower-privileged users, this introduces the possibility of abuse by contributors. | 2026-05-05 | 5.5 | CVE-2026-5247 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9acf80aa-8354-4430-9836-18fa17854521?source=cve https://plugins.trac.wordpress.org/browser/post-expirator/trunk/src/Modules/Expirator/Controllers/ShortcodeController.php#L173 https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.4/src/Modules/Expirator/Controllers/ShortcodeController.php#L173 https://github.com/publishpress/publishpress-future/releases |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue. | 2026-05-05 | 5.3 | CVE-2026-5766 | Django security archive Django releases announcements Django security releases issued: 6.0.5 and 5.2.14 |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions - including export, delete, clone, delete-entries, publish/draft, and bulk variants - after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook - which fires before WordPress enforces page-level capability checks - a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status. | 2026-05-07 | 5.3 | CVE-2026-6222 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e860aa70-b8ef-4b2a-a035-b01efce30a79?source=cve https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L1008 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L1008 https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L951 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L951 https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-data.php#L141 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-data.php#L141 https://plugins.trac.wordpress.org/browser/forminator/tags/1.52/admin/abstracts/class-admin-module-edit-page.php#L988 |
| www[.]pgbouncer[.]org--PgBouncer | A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE field. | 2026-05-09 | 5.9 | CVE-2026-6666 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| Velocidex--velociraptor | An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request. | 2026-05-06 | 5 | CVE-2026-7573 | https://docs.velociraptor.app/announcements/advisories/cve-2026-7573/ |
| latepoint--LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected. | 2026-05-09 | 5.3 | CVE-2026-7652 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bdaa32cd-a148-4554-9fd5-f5b0a5b2d1c3?source=cve https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1940 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/customer_helper.php#L238 https://plugins.trac.wordpress.org/browser/latepoint/trunk/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1972 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1972 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1940 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1940 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L238 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L238 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1972 https://plugins.trac.wordpress.org/changeset/3522933/latepoint/trunk/latepoint.php https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.5.0&new_path=%2Flatepoint/tags/5.5.1 |
| PrefectHQ--prefect | A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. The patch is named e21617125335025b4b27e7d6f0ca028e8e8f3b79. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 5.3 | CVE-2026-7722 | VDB-360898 | PrefectHQ prefect Health Check API health endswith improper authentication VDB-360898 | CTI Indicators (IOB, IOC, IOA) Submit #807255 | PrefectHQ Perfect <=3.6.21 Improper Authentication https://gist.github.com/nedlir/f576abbb0e491dc9bb7e106c140dda04 https://github.com/PrefectHQ/prefect/pull/21063 https://github.com/PrefectHQ/prefect/commit/e21617125335025b4b27e7d6f0ca028e8e8f3b79 https://github.com/PrefectHQ/prefect/releases/tag/3.6.22 https://github.com/PrefectHQ/prefect/ |
| PrefectHQ--prefect | A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 5 | CVE-2026-7724 | VDB-360900 | PrefectHQ prefect Webhook/Notification validate_restricted_url toctou VDB-360900 | CTI Indicators (IOB, IOC, IOA) Submit #807303 | PerfectHQ Perfect >=3.6.26 Time-of-check Time-of-use https://linear.app/prefect/issue/OSS-7874/fix-dns-rebinding-toctou-bypass-in-validate-restricted-url https://github.com/PrefectHQ/prefect/pull/21591 https://gist.github.com/nedlir/fa99777e8989414585d08c3625bf044a https://github.com/PrefectHQ/prefect/commit/7c70ac54a5e101431d83b9f2681ec88d5e0021ed https://github.com/PrefectHQ/prefect/releases/tag/3.6.28.dev2 https://github.com/PrefectHQ/prefect/ |
| osrg--GoBGP | A vulnerability has been found in osrg GoBGP up to 4.3.0. This impacts the function SRv6L3ServiceAttribute.DecodeFromBytes of the file pkg/packet/bgp/prefix_sid.go of the component SRv6 L3 Service. Such manipulation of the argument data leads to denial of service. The attack may be performed from remote. Upgrading to version 4.4.0 will fix this issue. The name of the patch is f9f7b55ec258e514be0264871fa645a2c3edad11. You should upgrade the affected component. | 2026-05-04 | 5.3 | CVE-2026-7734 | VDB-360909 | osrg GoBGP SRv6 L3 Service prefix_sid.go SRv6L3ServiceAttribute.DecodeFromBytes denial of service VDB-360909 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807581 | GoBGP 4.3.0 Infinite Loop https://github.com/osrg/gobgp/commit/f9f7b55ec258e514be0264871fa645a2c3edad11 https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| osrg--GoBGP | A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended. | 2026-05-04 | 5.3 | CVE-2026-7737 | VDB-360912 | osrg GoBGP BMP Parser bmp.go BMPStatisticsReport.ParseBody out-of-bounds VDB-360912 | CTI Indicators (IOB, IOC, IOA) Submit #807605 | osrg GoBGP <= 4.3.0 Out-of-Bounds Read https://github.com/osrg/gobgp/commit/bc77597d42335c78464bc8e15a471d887bbdf260 https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| runZero--Platform | An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform. | 2026-05-05 | 5 | CVE-2026-7778 | https://www.runzero.com/advisories/runzero-platform-dashboard-configuration-exposure-cve-2026-7778/ https://help.runzero.com/docs/release-notes/#402604160 |
| PicoTronica--e-Clinic Healthcare System ECHS | A vulnerability was detected in PicoTronica e-Clinic Healthcare System ECHS 5.7. The affected element is an unknown function of the file /cdemos/echs/api/v2/patient-records of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 5.7.1 is sufficient to fix this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-06 | 5.3 | CVE-2026-8031 | VDB-361357 | PicoTronica e-Clinic Healthcare System ECHS API Endpoint patient-records missing authentication VDB-361357 | CTI Indicators (IOB, IOC, IOA) Submit #800781 | PicoTronica e-Clinic Healthcare System (ECHS) v5.7 Exposure of Private Personal Information to an Unauthorized Acto https://docs.google.com/document/d/1FByC9x21c5503cQg6lkxjffIwWlEAHtHi_83vk2eUdk/edit?usp=sharing |
| PicoTronica--e-Clinic Healthcare System ECHS | A vulnerability has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. This affects an unknown function of the file /cdemos/echs/api/v2/ of the component Response Header Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. Upgrading to version 5.7.1 mitigates this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-06 | 5.3 | CVE-2026-8033 | VDB-361359 | PicoTronica e-Clinic Healthcare System ECHS Response Header v2 information disclosure VDB-361359 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800793 | PicoTronica e-Clinic Healthcare System (ECHS) v5.7 Information Disclosure https://docs.google.com/document/d/1dBJAAYyNpktnOBSCJPJGUMdfjb-Vj3PTy5oNj8RjeQ8/edit?usp=sharing |
| OSGeo--gdal | A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument DimensionName leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 3.12.4RC1 is capable of addressing this issue. The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636. It is advisable to upgrade the affected component. | 2026-05-07 | 5.3 | CVE-2026-8086 | VDB-361839 | OSGeo gdal SWapi.c SWnentries heap-based overflow VDB-361839 | CTI Indicators (IOB, IOC, IOA) Submit #808038 | OSGeo GDAL 3.13.0dev Heap-based Buffer Overflow https://github.com/OSGeo/gdal/issues/14356 https://github.com/OSGeo/gdal/pull/14361 https://github.com/biniamf/pocs/tree/main/gdal-swinqdims_bof https://github.com/OSGeo/gdal/commit/9491e794f1757f08063ea2f7a274ad2994afa636 https://github.com/OSGeo/gdal/releases/tag/v3.12.4RC1 https://github.com/OSGeo/gdal/ |
| OSGeo--gdal | A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.13.0RC1 is recommended to address this issue. The patch is named 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the affected component. | 2026-05-07 | 5.3 | CVE-2026-8087 | VDB-361840 | OSGeo gdal GDapi.c GDnentries heap-based overflow VDB-361840 | CTI Indicators (IOB, IOC, IOA) Submit #808039 | OSGeo GDAL 3.13.0dev Heap-based Buffer Overflow https://github.com/OSGeo/gdal/issues/14363 https://github.com/biniamf/pocs/tree/main/gdal-gdinqfields_bof https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| gyoridavid--short-video-maker | A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-07 | 5.3 | CVE-2026-8115 | VDB-361903 | gyoridavid short-video-maker REST API rest.ts path traversal VDB-361903 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808258 | gyoridavid short-video-maker 1.3.4 Path Traversal https://github.com/gyoridavid/short-video-maker/issues/73 https://github.com/gyoridavid/short-video-maker/ |
| n/a--Open5GS | A vulnerability was detected in Open5GS up to 2.7.7. This affects the function ogs_sbi_client_send_via_scp_or_sepp in the library lib/sbi/client.c of the component NF. Performing a manipulation results in out-of-bounds read. The attack is possible to be carried out remotely. The patch is named d5bc487fcf9ea87d2b03f2ef95123af344773bfb. It is suggested to install a patch to address this issue. | 2026-05-09 | 5.3 | CVE-2026-8186 | VDB-362338 | Open5GS NF client.c ogs_sbi_client_send_via_scp_or_sepp out-of-bounds VDB-362338 | CTI Indicators (IOB, IOC, IOA) Submit #800024 | Open5GS 2.7.7 Out-of-bounds Read (CWE-125) / Denial of Service (CWE-400) https://github.com/open5gs/open5gs/issues/4491 https://github.com/open5gs/open5gs/pull/4496 https://github.com/open5gs/open5gs/commit/d5bc487fcf9ea87d2b03f2ef95123af344773bfb https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A flaw has been found in Open5GS up to 2.7.7. This impacts the function _gtpv1_u_recv_cb of the file src/upf/gtp-path.c of the component UPF. Executing a manipulation can lead to resource consumption. The attack may be performed from remote. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-09 | 5.3 | CVE-2026-8187 | VDB-362339 | Open5GS UPF gtp-path.c _gtpv1_u_recv_cb resource consumption VDB-362339 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800025 | Open5GS 2.7.7 Denial of Service (DoS) (CWE-400) https://github.com/open5gs/open5gs/issues/4492 https://github.com/open5gs/open5gs/ |
| logtivity--Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity | The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including, 3.3.6. This is due to a logic flaw in the verifyAuthorization method where requests without an Authorization header skip Bearer token validation and fall through to an unconditional return true statement, bypassing all authentication checks. This makes it possible for unauthenticated attackers to access the /wp-json/logtivity/v1/options REST API endpoint and retrieve all plugin configuration options, including the logtivity_site_api_key which can be used to impersonate the site in API calls to the Logtivity service. | 2026-05-09 | 5.3 | CVE-2026-8198 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65ca20b0-0831-4f60-9021-679be6c145ef?source=cve https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.7/Core/Services/Logtivity_Rest_Endpoints.php#L78 https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.7/Core/Services/Logtivity_Rest_Endpoints.php#L47 https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.6/Core/Services/Logtivity_Rest_Endpoints.php#L78 https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.6/Core/Services/Logtivity_Rest_Endpoints.php#L47 https://plugins.trac.wordpress.org/changeset/3507386/ |
| aandrew-me--tgpt | A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update Handler. The manipulation leads to command injection. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 5.3 | CVE-2026-8210 | VDB-362418 | aandrew-me tgpt Update helper.go helper.Update command injection VDB-362418 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #803594 | aandrew-me tgpt v2.11.1 Command Injection https://drive.google.com/file/d/19wRsehbhotZXgE1TjenFtS3w-zRtp-PW/view?usp=sharing |
| OSGeo--gdal | A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been published and may be used. Upgrading to version 3.13.0RC1 addresses this issue. This patch is called 3e04c0385630e4d42517046d9a4967dfccfeb7fd. The affected component should be upgraded. | 2026-05-09 | 5.3 | CVE-2026-8212 | VDB-362429 | OSGeo gdal SWapi.c SWSDfldsrch heap-based overflow VDB-362429 | CTI Indicators (IOB, IOC, IOA) Submit #808127 | OSGeo GDAL 3.13.0dev Out-of-Bounds Read https://github.com/OSGeo/gdal/issues/14398 https://github.com/biniamf/pocs/tree/main/gdal-swsdfldsrch_oob-read https://github.com/OSGeo/gdal/commit/3e04c0385630e4d42517046d9a4967dfccfeb7fd https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| OSGeo--gdal | A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 3.13.0RC1 can resolve this issue. The identifier of the patch is 3e04c0385630e4d42517046d9a4967dfccfeb7fd. It is suggested to upgrade the affected component. | 2026-05-09 | 5.3 | CVE-2026-8213 | VDB-362430 | OSGeo gdal Grid File GDapi.c GDSDfldsrch heap-based overflow VDB-362430 | CTI Indicators (IOB, IOC, IOA) Submit #808128 | OSGeo GDAL 3.13.0dev Out-of-Bounds Read https://github.com/OSGeo/gdal/issues/14399 https://github.com/biniamf/pocs/tree/main/gdal-gdsdfldsrch_oob-read https://github.com/OSGeo/gdal/commit/3e04c0385630e4d42517046d9a4967dfccfeb7fd https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| Industrial Application Software IAS--Canias ERP | A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. This affects the function doAction of the component RMI Interface. The manipulation of the argument sessionId results in improper authentication. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8214 | VDB-362431 | Industrial Application Software IAS Canias ERP RMI doAction improper authentication VDB-362431 | CTI Indicators (IOB, IOC, IOA) Submit #808238 | Industrial Application Software - IAS Canias ERP 8.03-- Information Disclosure https://hawktrace.com/blog/caniaserp/ https://gist.github.com/0xb1lal/3ef872a445310c5866d07d6a5b1803fa |
| Industrial Application Software IAS--Canias ERP | A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This vulnerability affects the function iasRequestFileEvent of the component RMI Interface. This manipulation of the argument m_strSourceFileName causes path traversal. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8215 | VDB-362432 | Industrial Application Software IAS Canias ERP RMI iasRequestFileEvent path traversal VDB-362432 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808242 | Industrial Application Software - IAS Canias ERP 8.03-- Directory traversal / Arbitrary file read https://hawktrace.com/blog/caniaserp/ https://gist.github.com/0xb1lal/3885c69998516685e3ea833403b9db2b |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. Affected is the function pcf_nbsf_management_handle_register of the file src/pcf/nbsf-handler.c of the component sm-policies Endpoint. Such manipulation leads to denial of service. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8222 | VDB-362439 | Open5GS sm-policies Endpoint nbsf-handler.c pcf_nbsf_management_handle_register denial of service VDB-362439 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808427 | Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4437 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.7. Affected by this vulnerability is the function pcf_sess_sbi_discover_and_send of the component sm-policies Endpoint. Performing a manipulation results in denial of service. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8223 | VDB-362440 | Open5GS sm-policies Endpoint pcf_sess_sbi_discover_and_send denial of service VDB-362440 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808442 | Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4438 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. Affected by this issue is the function pcf_sess_set_ipv6prefix of the file /src/pcf/context.c of the component PCF. Executing a manipulation of the argument SmPolicyContextData.ipv6AddressPrefix can lead to denial of service. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8224 | VDB-362441 | Open5GS PCF context.c pcf_sess_set_ipv6prefix denial of service VDB-362441 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808443 | Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4439 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was identified in Open5GS up to 2.7.7. This affects the function pcf_npcf_smpolicycontrol_handle_delete of the file src/pcf/sm-sm.c of the component delete Endpoint. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8225 | VDB-362442 | Open5GS delete Endpoint sm-sm.c pcf_npcf_smpolicycontrol_handle_delete denial of service VDB-362442 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808444 | Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4440 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.7. This vulnerability affects the function ogs_pcc_rule_install_flow_from_media in the library /lib/proto/types.c. The manipulation results in denial of service. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8226 | VDB-362443 | Open5GS types.c ogs_pcc_rule_install_flow_from_media denial of service VDB-362443 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808445 | Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4441 https://github.com/open5gs/open5gs/ |
| 8421bit--MiniClaw | A vulnerability was detected in 8421bit MiniClaw 0.8.0/0.9.0. This issue affects the function resolveSkillScriptPath of the file src/kernel.ts of the component System Command Handler. The manipulation results in os command injection. The exploit is now public and may be used. The patch is identified as 223c16a1088e138838dcbd18cd65a37c35ac5a84. It is best practice to apply a patch to resolve this issue. | 2026-05-10 | 5.5 | CVE-2026-8235 | VDB-362455 | 8421bit MiniClaw System kernel.ts resolveSkillScriptPath os command injection VDB-362455 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #809001 | 8421bit MiniClaw 0 OS Command Injection https://github.com/8421bit/MiniClaw/issues/6 https://github.com/8421bit/MiniClaw/pull/7 https://github.com/8421bit/MiniClaw/issues/6#issue-4290453729 https://github.com/8421bit/MiniClaw/commit/223c16a1088e138838dcbd18cd65a37c35ac5a84 https://github.com/8421bit/MiniClaw/ |
| Industrial Application Software IAS--Canias ERP | A vulnerability has been found in Industrial Application Software IAS Canias ERP 8.03. The affected element is the function iasGetServerInfoEvent of the component RMI Interface. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8241 | VDB-362457 | Industrial Application Software IAS Canias ERP RMI iasGetServerInfoEvent improper authorization VDB-362457 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808270 | Industrial Application Software - IAS Canias ERP 8.03-- Exposure of Sensitive Information to an Unauthorized Actor https://hawktrace.com/blog/caniaserp https://gist.github.com/0xb1lal/6f3f050f08cff569ecbde586e63c6bea |
| Industrial Application Software IAS--Canias ERP | A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This affects an unknown function of the component JNLP Deployment Endpoint. Executing a manipulation can lead to use of hard-coded cryptographic key . The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8243 | VDB-362459 | Industrial Application Software IAS Canias ERP JNLP Deployment Endpoint hard-coded key VDB-362459 | CTI Indicators (IOB, IOC, TTP) Submit #808296 | Industrial Application Software - IAS Canias ERP 8.03-- Use of Hard-coded Cryptographic Key (CWE-321) |
| Industrial Application Software IAS--Canias ERP | A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVersion leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8244 | VDB-362460 | Industrial Application Software IAS Canias ERP Login RMI improper authentication VDB-362460 | CTI Indicators (IOB, IOC, IOA) Submit #808326 | Industrial Application Software - IAS Canias ERP 8.03-- Improper Authentication (CWE-287), (CWE-200) https://gist.github.com/0xb1lal/758bbc5e4d82efea248e675da934ac69 |
| Opencart--OpenCart | OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and 'confirm' parameters to hijack accounts. | 2026-05-10 | 4.3 | CVE-2021-47953 | ExploitDB-49970 VulnCheck Advisory: OpenCart 3.0.3.7 Cross-Site Request Forgery via account/password |
| curtain--Curtain | WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Attackers can trick authenticated administrators into submitting forged requests to the options-general.php page with curtain parameters to toggle maintenance mode without valid nonce validation. | 2026-05-10 | 4.3 | CVE-2022-50955 | ExploitDB-50842 Official Product Homepage VulnCheck Advisory: WordPress Plugin Curtain 1.0.2 Cross-site Request Forgery |
| HCL Software--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials for a short duration while communicating with a backend, internal application which could allow an attacker to potentially misuse them, if exfiltrated. . | 2026-05-06 | 4.8 | CVE-2025-31976 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL Software--BigFix Service Management (SM) | HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content. | 2026-05-06 | 4.6 | CVE-2025-31978 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by use of a vulnerable WSGI Server was identified. Deploying an outdated or insecure WSGI server may expose the application to known security weaknesses, potentially increasing the risk of exploitation and unauthorized access. | 2026-05-06 | 4.6 | CVE-2025-52613 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| timwhitlock--Loco Translate | The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded. | 2026-05-05 | 4.9 | CVE-2026-1921 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f9ff3058-a08c-40ed-b756-81e703b2277a?source=cve https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L12 https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L12 https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L92 https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L92 https://plugins.trac.wordpress.org/changeset/3482475/loco-translate/trunk/tpl/admin/config/version.php https://plugins.trac.wordpress.org/changeset?old_path=%2Floco-translate/tags/2.8.2&new_path=%2Floco-translate/tags/2.8.3 |
| Cisco--Cisco Enterprise Chat and Email | A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent. This vulnerability is due to inadequate validation of file contents during file upload operations. An attacker could exploit this vulnerability by uploading a file that contains malicious scripts or HTML code, which the application could make available to other users to access. A successful exploit could allow the attacker to execute the contents of that file in the browser of a user and conduct browser-based attacks. | 2026-05-06 | 4.3 | CVE-2026-20172 | cisco-sa-ece-lite-agent-BCgSN8eb |
| Cisco--Cisco Prime Infrastructure | A vulnerability in the log file download functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to download arbitrary log files from the server. This vulnerability is due to insufficient authorization checks on the download service API. An attacker could exploit this vulnerability by submitting a crafted URL request to an affected device. A successful exploit could allow the attacker to download sensitive log files that they would otherwise not have authorization to access. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device. | 2026-05-06 | 4.3 | CVE-2026-20189 | cisco-sa-pi-unauth-infodiscl-LFnLgmey |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device. This vulnerability is due to improper role-based access control (RBAC) permissions on the RADIUS Policy API endpoints. An attacker could exploit this vulnerability by bypassing the web-based management interface and directly calling an affected endpoint. A successful exploit could allow the attacker to gain unauthorized read access to sensitive RADIUS Policy details that are restricted for their role. | 2026-05-06 | 4.3 | CVE-2026-20193 | cisco-sa-ise-unauth-bypass-uxjRXGpb |
| techjewel--Ninja Tables Easy Data Table Builder | The Ninja Tables - Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion. | 2026-05-06 | 4.3 | CVE-2026-2306 | https://www.wordfence.com/threat-intel/vulnerabilities/id/592d42eb-4025-44af-a519-672656ad8b0e?source=cve https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/app/Modules/FluentCart/Handlers/FluentCartHandler.php#L44 https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.2.6/app/Modules/FluentCart/Handlers/FluentCartHandler.php#L44 https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/app/Modules/FluentCart/FluentCartModule.php#L23 https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.2.6/app/Modules/FluentCart/FluentCartModule.php#L23 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3453522%40ninja-tables%2Ftrunk&old=3447894%40ninja-tables%2Ftrunk&sfp_email=&sfph_mail= |
| PluginUs.Net--BEAR | Cross-Site Request Forgery (CSRF) vulnerability in PluginUs.Net BEAR allows Cross Site Request Forgery. This issue affects BEAR: from n/a through 1.1.5. | 2026-05-07 | 4.3 | CVE-2026-27415 | https://patchstack.com/database/wordpress/plugin/woo-bulk-editor/vulnerability/wordpress-bear-plugin-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Oracle Corporation--Oracle Macaron Tool of Oracle Open Source Projects | Vulnerability in the Oracle Macoron Tool product of Oracle Open Source Projects. The supported versions that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerability can result in Oracle Macaron Tool failing host address validation. | 2026-05-06 | 4.7 | CVE-2026-35253 | Oracle Advisory |
| wpeverest--User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to append shortcode content to arbitrary pages they do not own or have permission to edit. | 2026-05-05 | 4.3 | CVE-2026-3601 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c8798fb2-4cab-4960-9e32-fd74bb4a5091?source=cve https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/class-ur-ajax.php#L1003 https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.2/includes/class-ur-ajax.php#L1003 https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/admin/class-ur-admin-assets.php#L370 https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.2/includes/admin/class-ur-admin-assets.php#L370 https://plugins.trac.wordpress.org/changeset/3485702/user-registration/trunk/includes/class-ur-ajax.php?contextall=1 |
| Spring--Spring Cloud Config | When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 4.4 | CVE-2026-41004 | https://spring.io/security/cve-2026-41004 |
| go-git--go-git | go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2. | 2026-05-08 | 4.7 | CVE-2026-41506 | https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963 https://github.com/go-git/go-git/releases/tag/v5.18.0 https://github.com/go-git/go-git/releases/tag/v6.0.0-alpha.2 |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" are not revoked. This issue has been patched in version 5.17.1. | 2026-05-07 | 4.2 | CVE-2026-41519 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6j8j-4qp3-36p2 https://github.com/WeblateOrg/weblate/pull/19057 https://github.com/WeblateOrg/weblate/commit/649a2da81700542f95c0807b3c625fc3bb0eaf95 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with the absence of CSRF protection on this endpoint and SameSite=Lax session cookies, a low-privileged attacker can trick a documents administrator into clicking a crafted link that registers an arbitrary server file (e.g., install/config.php containing database credentials) into a documents folder accessible to the attacker. This issue has been patched in version 5.0.9. | 2026-05-07 | 4.5 | CVE-2026-41656 | https://github.com/Admidio/admidio/security/advisories/GHSA-m9h6-8pqm-xrhf https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php) which correctly requires the stronger isAdministrator() (requiring rol_administrator=true) and the contacts_show_all system setting. A user manager who is not a full administrator can directly request contacts_data.php?mem_show_filter=3 to retrieve all user records across all organizations in the Admidio instance, bypassing multi-tenant organization isolation. This issue has been patched in version 5.0.9. | 2026-05-07 | 4.9 | CVE-2026-41657 | https://github.com/Admidio/admidio/security/advisories/GHSA-g8p8-94f2-28gr https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| lxc--incus | Incus is a system container and virtual machine manager. Prior to version 7.0.0, uploads of large amount of data by authenticated users can run the Incus server out of disk space, potentially taking down the host system. The impact here is limited for anyone using storage.images_volume and storage.backups_volume as those users will have large uploads be stored on those volumes rather than directly on the host filesystem. This is the default behavior on IncusOS. This issue has been patched in version 7.0.0. | 2026-05-07 | 4.3 | CVE-2026-41685 | https://github.com/lxc/incus/security/advisories/GHSA-98vh-x9cx-9cfp https://github.com/lxc/incus/releases/tag/v7.0.0 |
| ellite--Wallos | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40) uses an inline IP validation check (FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) that does not block CGNAT addresses (100.64.0.0/10, RFC 6598). The includes/ssrf_helper.php file explicitly defines is_cgnat_ip() to cover this gap (used by notification endpoints), but the logo/icon URL fetching in subscription and payment endpoints performs its own inline validation that misses this range. This allows authenticated users to perform Blind SSRF to internal services in Tailscale, Carrier-Grade NAT, and other environments using 100.64.0.0/10 addresses. This issue has been patched in version 4.8.1. | 2026-05-07 | 4.3 | CVE-2026-41687 | https://github.com/ellite/Wallos/security/advisories/GHSA-4v59-hghw-7gc2 https://github.com/ellite/Wallos/commit/e79f28be6be0435fbc93563fb3c0e62206b48e85 https://github.com/ellite/Wallos/releases/tag/v4.8.1 |
| i18next--i18nextify | i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens inside src and href attribute values with the raw string returned by i18next.t(). The substitution logic in src/localize.js (the replaceInside handler) only guards against a duplicated http:// origin prefix - it does not validate the URL scheme of the substituted value. A translated value such as javascript:alert(1) or data:text/html,<script>...</script> is applied unchanged to the live DOM attribute when an attacker can influence the content of a translation file or the translation-backend response - for example, via a compromised translation CDN, user-contributed locales, a MITM on a plain-HTTP backend, or write access to the translation JSON. This issue was patched in version 4.0.8. | 2026-05-07 | 4.7 | CVE-2026-41692 | https://github.com/i18next/i18nextify/security/advisories/GHSA-6457-mxpq-4fqq https://github.com/i18next/i18nextify/commit/16f23dbcdcf893673587f7a03355bf7ce0a0e49e |
| flarum--framework | Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1. | 2026-05-08 | 4.9 | CVE-2026-41887 | https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878 https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410 https://github.com/flarum/framework/releases/tag/v1.8.16 https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1 |
| icip-cas--PPTAgent | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary file write and directory creation via markdown_table_to_image. This issue has been patched via commit 418491a. | 2026-05-04 | 4.6 | CVE-2026-42078 | https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-hrcw-xc63-g29m https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00 |
| icip-cas--PPTAgent | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, there is an arbitrary file write vulnerability via `save_generated_slides`. This issue has been patched via commit 418491a. | 2026-05-04 | 4.6 | CVE-2026-42080 | https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-pxhg-7xr2-w7xg https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks, by canonicalizing filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared /plugins directory. This issue has been patched in versions 6.10.5 and 7.0.0-rc3. | 2026-05-04 | 4.3 | CVE-2026-42085 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5 https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42 https://github.com/OpenC3/cosmos/releases/tag/v6.10.5 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim's session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0. | 2026-05-04 | 4.6 | CVE-2026-42086 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x |
| xwiki-contrib--macro-plantuml | PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram. This issue has been patched in version 2.4.1. | 2026-05-04 | 4.4 | CVE-2026-42140 | https://github.com/xwiki-contrib/macro-plantuml/security/advisories/GHSA-42fc-7w97-8vrc https://github.com/xwiki-contrib/macro-plantuml/commit/c8b19bda93058794e04c8862fc7ca85c59b5fe5c https://jira.xwiki.org/browse/PLANTUML-25 |
| onyx-dot-app--onyx | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An attacker who knows a chat session UUID can kill another user's LLM generation mid-stream. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6. | 2026-05-08 | 4.3 | CVE-2026-42276 | https://github.com/onyx-dot-app/onyx/security/advisories/GHSA-rw6w-hp62-gc8w |
| czlonkowski--n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material - most notably n8n_manage_credentials.data - the raw values can be persisted in logs. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens and OAuth credentials sent through n8n_manage_credentials, per-tenant API keys and webhook auth headers embedded in tool arguments, arbitrary secret-bearing payloads passed to any MCP tool. The issue requires authentication (AUTH_TOKEN accepted by the server), so unauthenticated callers cannot trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but that layer is fragile and the values are still constructed and passed into the logger. This issue has been patched in version 2.47.13. | 2026-05-08 | 4.3 | CVE-2026-42282 | https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-wg4g-395p-mqv3 https://github.com/czlonkowski/n8n-mcp/commit/59b665bda36797823df238aeaf20adb862c9f451 https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.13 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383. | 2026-05-08 | 4.4 | CVE-2026-42307 | https://github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx https://github.com/vim/vim/commit/405e2fb6d54d5653523809e2853d99d1c000a5fc https://github.com/vim/vim/releases/tag/v9.2.0383 |
| Mintplex-Labs--anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user's private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1. | 2026-05-08 | 4.3 | CVE-2026-42456 | https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwqg-jfg3-x5vv https://github.com/Mintplex-Labs/anything-llm/commit/4f3f77119d342e5489d1ba7533ad6d51bdcd565f https://github.com/Mintplex-Labs/anything-llm/releases/tag/v1.12.1 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with access to the memory tool can bypass path restrictions by providing arbitrary workspace Markdown paths to read files outside canonical memory locations or indexed QMD result sets. | 2026-05-06 | 4.3 | CVE-2026-44111 | GitHub Security Advisory (GHSA-f934-5rqf-xx47) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.15 - Arbitrary Markdown File Read via QMD memory_get |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1. | 2026-05-07 | 4.3 | CVE-2026-44263 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gcg5-86jr-f7jg https://github.com/WeblateOrg/weblate/pull/19258 https://github.com/WeblateOrg/weblate/commit/6cf892c7bd50b667a65a99d716a90694f7d9f203 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1 |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1. | 2026-05-07 | 4.3 | CVE-2026-44264 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5cmv-3rc4-7279 https://github.com/WeblateOrg/weblate/pull/19259 https://github.com/WeblateOrg/weblate/commit/85abc9df88b7464f4c0e794aef752e45f4230f75 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1 |
| kimai--kimai | Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0. | 2026-05-08 | 4.1 | CVE-2026-44298 | https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mw https://github.com/kimai/kimai/releases/tag/2.56.0 |
| ZTE--ZXCLOUD iRAI | A remote denial-of-service vulnerability exists in the ZTE Cloud PC client uSmartview, which may lead to memory corruption and remote denial of service. | 2026-05-07 | 4.7 | CVE-2026-44407 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/4783596796997009530 |
| techjewel--Fluent Forms Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve ".\..\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator access to read arbitrary files readable by the web-server user - including wp-config.php with its database credentials and authentication salts - by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape <upload_baseurl>/../../<target> as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled. | 2026-05-06 | 4.9 | CVE-2026-6344 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0101113b-70c2-4db4-b6b1-b2412f6e1214?source=cve https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L121 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L130 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L133 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L135 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L137 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L151 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Hooks/Ajax.php#L17 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Modules/SubmissionHandler/SubmissionHandler.php#L17 https://plugins.trac.wordpress.org/changeset/3513845/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php |
| n/a--PgBouncer | PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter. | 2026-05-09 | 4.3 | CVE-2026-6667 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| xavortm--DX Sources | The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a forged request that modifies the plugin's configuration options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-05 | 4.3 | CVE-2026-6700 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c96e57-0300-4ea7-a0c6-5d060b6e979d?source=cve https://plugins.trac.wordpress.org/browser/dx-sources/trunk/inc/settings.class.php#L46 https://plugins.trac.wordpress.org/browser/dx-sources/tags/2.0.1/inc/settings.class.php#L46 https://plugins.trac.wordpress.org/browser/dx-sources/trunk/inc/settings.class.php#L79 https://plugins.trac.wordpress.org/browser/dx-sources/tags/2.0.1/inc/settings.class.php#L79 |
| kazunii--addfreespace | The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-05 | 4.3 | CVE-2026-6701 | https://www.wordfence.com/threat-intel/vulnerabilities/id/40eaeb28-c721-4977-951d-582b7dc2bd12?source=cve https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace.php#L45 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace.php#L45 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L30 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L30 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L59 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L59 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace.php#L312 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace.php#L312 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L83 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L83 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue. | 2026-05-05 | 4.3 | CVE-2026-6907 | Django security archive Django releases announcements Django security releases issued: 6.0.5 and 5.2.14 |
| Velocidex--velociraptor | An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin. | 2026-05-06 | 4.4 | CVE-2026-7572 | https://docs.velociraptor.app/announcements/advisories/cve-2026-7572/ |
| n/a--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.7. Affected is the function udm_nudr_dr_handle_subscription_authentication of the file /src/udm/nudr-handler.c of the component authentication-subscription Endpoint. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 4.3 | CVE-2026-7779 | VDB-360976 | Open5GS authentication-subscription Endpoint nudr-handler.c udm_nudr_dr_handle_subscription_authentication denial of service VDB-360976 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806249 | Open5gs UDM v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4418 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A weakness has been identified in Open5GS up to 2.7.7. Affected by this vulnerability is the function udm_state_operational of the file /src/udm/udm-sm.c of the component smf-registrations Endpoint. Executing a manipulation can lead to denial of service. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 4.3 | CVE-2026-7780 | VDB-360977 | Open5GS smf-registrations Endpoint udm-sm.c udm_state_operational denial of service VDB-360977 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806250 | Open5gs UDM v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4419 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A security vulnerability has been detected in Open5GS up to 2.7.7. Affected by this issue is the function udm_nudm_uecm_handle_amf_registration_update of the file /src/udm/nudm-handler.c of the component amf-3gpp-access Endpoint. The manipulation leads to denial of service. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 4.3 | CVE-2026-7781 | VDB-360978 | Open5GS amf-3gpp-access Endpoint nudm-handler.c udm_nudm_uecm_handle_amf_registration_update denial of service VDB-360978 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806251 | Open5gs UDM v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4420 https://github.com/open5gs/open5gs/ |
| FlowiseAI--Flowise | A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded. | 2026-05-06 | 4.3 | CVE-2026-8027 | VDB-361274 | FlowiseAI Flowise User Controller authorization VDB-361274 | CTI Indicators (IOB, IOC, IOA) Submit #777657 | FlowiseAI Flowise <= 3.0.12 Authorization Bypass Through User-Controlled Key (CWE-639) https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b |
| 8421bit--MiniClaw | A vulnerability was determined in 8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f. Affected by this vulnerability is the function isPathInside of the file src/kernel.ts of the component executeSkillScript. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. This patch is called e8bd4e17e9428260f2161378356affc5ce90d6ed. It is advisable to implement a patch to correct this issue. | 2026-05-07 | 4.3 | CVE-2026-8113 | VDB-361901 | 8421bit MiniClaw executeSkillScript kernel.ts isPathInside path traversal VDB-361901 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808167 | 8421bit MiniClaw 0 Path Traversal https://github.com/8421bit/MiniClaw/issues/5 https://github.com/8421bit/MiniClaw/pull/8 https://github.com/8421bit/MiniClaw/commit/e8bd4e17e9428260f2161378356affc5ce90d6ed https://github.com/8421bit/MiniClaw/ |
| SourceCodester--Pizzafy Ecommerce System | A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects some unknown processing of the file /admin/index.php. Such manipulation of the argument page leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-05-07 | 4.3 | CVE-2026-8117 | VDB-361905 | SourceCodester Pizzafy Ecommerce System index.php cross site scripting VDB-361905 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808327 | sourcecodester Pizzafy Ecommerce System V1.0 Cross Site Scripting https://github.com/redshadowword-cell/CVE/issues/5 https://www.sourcecodester.com/ |
| n/a--Open5GS | A flaw has been found in Open5GS up to 2.7.7. The affected element is the function nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf of the file /src/nssf/nnssf-handler.c of the component NSSF. Executing a manipulation can lead to denial of service. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8120 | VDB-361907 | Open5GS NSSF nnssf-handler.c denial of service VDB-361907 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808421 | Open5gs NSSF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4432 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. The impacted element is the function ogs_sbi_parse_plmn_list in the library /lib/sbi/conv.c of the component NSSF. The manipulation leads to denial of service. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8121 | VDB-361908 | Open5GS NSSF conv.c ogs_sbi_parse_plmn_list denial of service VDB-361908 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808422 | Open5gs NSSF v2.7.7 Denial of Service Submit #808424 | Open5gs NSSF v2.7.7 Denial of Service (Duplicate) https://github.com/open5gs/open5gs/issues/4433 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.7. This affects the function ogs_sbi_discovery_option_add_service_names in the library /lib/sbi/message.c of the component NSSF. The manipulation results in denial of service. The attack may be performed from remote. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8122 | VDB-361909 | Open5GS NSSF message.c ogs_sbi_discovery_option_add_service_names denial of service VDB-361909 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808425 | Open5gs NSSF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4435 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. This impacts the function ogs_sbi_discovery_option_add_snssais in the library /lib/sbi/message.c of the component NSSF. This manipulation causes denial of service. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8123 | VDB-361910 | Open5GS NSSF message.c ogs_sbi_discovery_option_add_snssais denial of service VDB-361910 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808426 | Open5gs NSSF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4436 https://github.com/open5gs/open5gs/ |
| n/a--osTicket | A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component Dispatcher. The manipulation of the argument _method leads to cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-09 | 4.3 | CVE-2026-8194 | VDB-362346 | osTicket Dispatcher class.dispatcher.php cross-site request forgery VDB-362346 | CTI Indicators (IOB, IOC, IOA) Submit #802755 | osTicket 1.18.3 Cross-Site Request Forgery https://github.com/osTicket/osTicket/pull/6945 https://github.com/az10b/security-advisories/blob/main/csrf_bypass_osTicket.md https://github.com/osTicket/osTicket/ |
| n/a--JeecgBoot | A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java of the component SVG File Handler. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 4.3 | CVE-2026-8195 | VDB-362347 | JeecgBoot SVG File CommonController.java cross site scripting VDB-362347 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #803528 | jeecgboot JeecgBoot 3.9.1 Doubled Character XSS Manipulations https://github.com/xpp3901/CVE_APPLY/blob/main/V-006_SVG_Stored_XSS/README.md |
| codelibs--Fess | A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 4.7 | CVE-2026-8211 | VDB-362419 | codelibs Fess JSP File AdminDesignAction.java update code injection VDB-362419 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #804293 | CodeLibs Fess 15.5.1 Arbitrary File Write https://bv3acdnplbr.feishu.cn/docx/Kk1tdEAfAoV6kZxVozUc8UA4nog?from=from_copylink |
| Dotouch--XproUPF | A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. This manipulation causes improper access controls. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The vendor was contacted early about this disclosure. | 2026-05-10 | 4.6 | CVE-2026-8233 | VDB-362450 | Dotouch XproUPF access control VDB-362450 | CTI Indicators (IOB, IOC, TTP) Submit #808799 | Dotouch XproUPF v2.0.0-release-088aa7c4 imp |
| n/a--Open5GS | A vulnerability was detected in Open5GS up to 2.7.7. The affected element is the function update_authorized_pcc_rule_and_qos of the file /src/smf/npcf-handler.c of the component SMF. The manipulation results in denial of service. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8248 | VDB-362545 | Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service VDB-362545 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808472 | Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4442 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A flaw has been found in Open5GS up to 2.7.7. The impacted element is the function update_authorized_pcc_rule_and_qos of the file /src/smf/npcf-handler.c of the component SMF. This manipulation causes denial of service. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8249 | VDB-362546 | Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service VDB-362546 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808473 | Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4443 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. This affects the function smf_n4_build_qos_flow_to_modify_list of the file /src/smf/n4-build.c of the component SMF. Such manipulation leads to denial of service. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8250 | VDB-362547 | Open5GS SMF n4-build.c smf_n4_build_qos_flow_to_modify_list denial of service VDB-362547 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808476 | Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4444 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.7. This impacts the function update_authorized_pcc_rule_and_qos of the file /src/smf/npcf-handler.c of the component SMF. Performing a manipulation results in denial of service. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8251 | VDB-362548 | Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service VDB-362548 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808480 | Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4445 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. Affected is the function smf_nsmf_handle_create_data_in_hsmf of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8252 | VDB-362549 | Open5GS SMF smf_nsmf_handle_create_data_in_hsmf null pointer dereference VDB-362549 | CTI Indicators (IOB, IOC, IOA) Submit #808482 | Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4446 https://github.com/open5gs/open5gs/ |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| HCL Software--BigFix Service Management (SM) | HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared. . | 2026-05-06 | 3.5 | CVE-2025-31959 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL Software--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized changes. | 2026-05-06 | 3.9 | CVE-2025-31974 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL Software--BigFix Service Management (SM) | HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality. | 2026-05-06 | 3.7 | CVE-2025-31982 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information. | 2026-05-06 | 3.7 | CVE-2025-31983 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure "X-Content-Type-Options" header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly. | 2026-05-06 | 3.7 | CVE-2025-31984 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--DFXAnalytics | HCL DFXAnalytics is affected by a Using Components with Known Vulnerabilities flaw where the application utilizes unpatched libraries or sub-components, which could allow an attacker to identify and exploit publicly known security vulnerabilities to gain unauthorized access or compromise the application. | 2026-05-06 | 3.7 | CVE-2025-59851 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| HCL--DFXAnalytics | HCL DFXAnalytics is affected by an Insufficient Transport Layer Protection vulnerability where data is transmitted over the network without encryption, which could allow an attacker to compromise the confidentiality, integrity, and authentication of sensitive information. | 2026-05-06 | 3.7 | CVE-2025-59852 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| HCL--DFXAnalytics | HCL DFXAnalytics is affected by an Improper Error Handling vulnerability where the application exposes detailed stack traces in responses, which could allow an attacker to gain insights into the application's internal structure, code logic, and environment configurations. | 2026-05-06 | 3.1 | CVE-2025-59853 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| HCL--DFXAnalytics | HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability where the application utilizes the outdated X-XSS-Protection header, which could allow an attacker to exploit browser-specific rendering flaws or bypass security controls that should instead be managed by a robust Content Security Policy (CSP). | 2026-05-06 | 3.1 | CVE-2025-59854 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| Dell--PowerScale OneFS | Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.6, 9.6.0.0 through 9.7.1.13, 9.8.0.0 through 9.10.1.5 and 9.11.0.0 through 9.12.0.1 contains an Insufficient Logging vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. | 2026-05-08 | 3.3 | CVE-2026-32803 | https://www.dell.com/support/kbdoc/en-us/000461228/dsa-2026-172-security-update-for-dell-powerscale-onefs-insufficient-logging-vulnerability |
| kimai--kimai | Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0. | 2026-05-08 | 3.3 | CVE-2026-41498 | https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm https://github.com/kimai/kimai/releases/tag/2.54.0 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9. | 2026-05-07 | 3.5 | CVE-2026-41663 | https://github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534j https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| jgraph--drawio | draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9. | 2026-05-08 | 3.4 | CVE-2026-42195 | https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x https://github.com/jgraph/drawio/issues/493 https://github.com/jgraph/drawio/releases/tag/v29.7.9 |
| mutt--mutt | mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest. | 2026-05-04 | 3.7 | CVE-2026-43859 | https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805 |
| mutt--mutt | mutt before 2.3.2 sometimes truncates the hash_passwd by one byte for IMAP auth_cram MD5 digest. | 2026-05-04 | 3.7 | CVE-2026-43860 | https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805 |
| mutt--mutt | mutt before 2.3.2 does not check for '\0' in url_pct_decode. | 2026-05-04 | 3.7 | CVE-2026-43861 | https://github.com/muttmua/mutt/commit/12f54fe3b61f761c096fe95e95d5e3072af00ed2 |
| mutt--mutt | In mutt before 2.3.2, the imap_auth_gss security level is mishandled. | 2026-05-04 | 3.7 | CVE-2026-43862 | https://github.com/muttmua/mutt/commit/f547a849cdacb512800a5f477c27de217e1c8151 |
| mutt--mutt | mutt before 2.3.2 has an infinite loop in data_object_to_stream in crypt-gpgme.c. | 2026-05-04 | 3.7 | CVE-2026-43863 | https://github.com/muttmua/mutt/commit/fdc04a171777327218a1e78db504926c388b48c4 |
| Postfix--Postfix | Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number. | 2026-05-04 | 3.7 | CVE-2026-43964 | https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html |
| Paramiko--Paramiko | In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm. | 2026-05-05 | 3.4 | CVE-2026-44405 | https://github.com/paramiko/paramiko/commit/a4489456b6f65281e172380cc4826cee5e851dbb https://ostif.org/wp-content/uploads/2026/05/25-11-2415-REP_paramiko-security-audit_v1.1.pdf |
| torproject--Tor | Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011. | 2026-05-07 | 3.7 | CVE-2026-44597 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41254 https://gitlab.torproject.org/tpo/core/tor/-/commit/8f98054b1982d00a14639864d03e9afd90b87481 |
| torproject--Tor | Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008. | 2026-05-07 | 3.7 | CVE-2026-44599 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41243 https://gitlab.torproject.org/tpo/core/tor/-/commit/50f90ba849088247734786922855c22661c6fa03 |
| torproject--Tor | Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010. | 2026-05-07 | 3.7 | CVE-2026-44600 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41251 https://gitlab.torproject.org/tpo/core/tor/-/commit/a198185ed863677d60eec120126730628dac35bb |
| torproject--Tor | Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009. | 2026-05-07 | 3.7 | CVE-2026-44601 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41237 https://gitlab.torproject.org/tpo/core/tor/-/commit/d4e3f6a440b58c2be661decf20c09548704907dc |
| torproject--Tor | Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006. | 2026-05-07 | 3.7 | CVE-2026-44602 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41240 https://gitlab.torproject.org/tpo/core/tor/-/commit/df7d5174ef41814d806c8ede776e230cd30ac12b |
| torproject--Tor | Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007. | 2026-05-07 | 3.7 | CVE-2026-44603 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41245 https://gitlab.torproject.org/tpo/core/tor/-/commit/1703df3d439c83c2184e259fad1cfa19240f9c89 |
| OpenStack--Ironic | In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing. | 2026-05-08 | 3 | CVE-2026-44916 | https://bugs.launchpad.net/ironic/+bug/2148307 |
| Syslifters--sysreptor | SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29. | 2026-05-08 | 3.8 | CVE-2026-44987 | https://github.com/Syslifters/sysreptor/security/advisories/GHSA-6x8f-v3cf-cvr3 https://github.com/Syslifters/sysreptor/releases/tag/2026.29 |
| justdan96--tsMuxer | A weakness has been identified in justdan96 tsMuxer up to 2.7.0. This vulnerability affects the function HevcVpsUnit::setFPS of the file /AFLplusplus/tsMuxer_prev/tsMuxer/hevc.cpp. This manipulation of the argument track_id causes denial of service. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-04 | 3.3 | CVE-2026-7739 | VDB-360914 | justdan96 tsMuxer hevc.cpp setFPS denial of service VDB-360914 | CTI Indicators (IOB, IOC, IOA) Submit #807647 | tsMuxer git-7f8667d crash https://github.com/justdan96/tsMuxer/issues/895 https://github.com/user-attachments/files/16812270/poc1.zip https://github.com/justdan96/tsMuxer/ |
| justdan96--tsMuxer | A security vulnerability has been detected in justdan96 tsMuxer up to 2.7.0. This issue affects the function VvcVpsUnit::setFPS of the file tsMuxer/vvc.cpp. Such manipulation of the argument track_id leads to denial of service. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-04 | 3.3 | CVE-2026-7740 | VDB-360915 | justdan96 tsMuxer vvc.cpp setFPS denial of service VDB-360915 | CTI Indicators (IOB, IOC, IOA) Submit #807651 | tsMuxer git-7f8667d crash https://github.com/justdan96/tsMuxer/issues/899 https://github.com/user-attachments/files/16812319/poc5.zip https://github.com/justdan96/tsMuxer/ |
| FlowiseAI--Flowise | A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. You should upgrade the affected component. | 2026-05-06 | 3.7 | CVE-2026-8026 | VDB-361273 | FlowiseAI Flowise API Response account.service.ts login information disclosure VDB-361273 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #777656 | FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200) https://gist.github.com/YLChen-007/50a553f09aa1c7c04ce18cec13986a91 |
| FlowiseAI--Flowise | A vulnerability was detected in FlowiseAI Flowise up to 3.0.12. This affects the function verify of the file packages/server/src/enterprise/services/account.service.ts of the component Endpoint. Performing a manipulation results in information disclosure. Remote exploitation of the attack is possible. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit is now public and may be used. Upgrading the affected component is recommended. | 2026-05-06 | 3.7 | CVE-2026-8028 | VDB-361276 | FlowiseAI Flowise Endpoint account.service.ts verify information disclosure VDB-361276 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #777659 | FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200) https://gist.github.com/YLChen-007/1d52497b0221835f99367be61612746b |
| OSGeo--gdal | A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. This manipulation causes out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.13.0RC1 is able to resolve this issue. Patch name: a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected component is advised. | 2026-05-07 | 3.3 | CVE-2026-8084 | VDB-361838 | OSGeo gdal HDF-EOS Grid File SWapi.c memmove out-of-bounds VDB-361838 | CTI Indicators (IOB, IOC, IOA) Submit #808034 | OSGeo GDAL 3.13.0dev Out-of-Bounds Read https://github.com/biniamf/pocs/tree/main/gdal_swfinfo_dimlist_oob-rw https://github.com/OSGeo/gdal/issues/14378 https://github.com/biniamf/pocs/blob/main/gdal_swfinfo_dimlist_oob-rw https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| OSGeo--gdal | A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this issue. This patch is called a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component should be upgraded. | 2026-05-07 | 3.3 | CVE-2026-8088 | VDB-361841 | OSGeo gdal GDapi.c GDfieldinfo out-of-bounds VDB-361841 | CTI Indicators (IOB, IOC, IOA) Submit #808040 | OSGeo GDAL 3.13.0dev Out-of-Bounds Read https://github.com/OSGeo/gdal/issues/14379 https://github.com/biniamf/pocs/tree/main/gdal-gdapi-gdfinfo-dimlist-oob-read https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| n/a--Open5GS | A vulnerability was detected in Open5GS up to 2.7.7. Impacted is the function ogs_sbi_stream_find_by_id in the library /lib/sbi/nghttp2-server.c of the component NSSF. Performing a manipulation results in denial of service. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 3.3 | CVE-2026-8119 | VDB-361906 | Open5GS NSSF nghttp2-server.c ogs_sbi_stream_find_by_id denial of service VDB-361906 | CTI Indicators (IOB, IOC, IOA) Submit #808420 | Open5gs NSSF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4431 https://github.com/open5gs/open5gs/ |
| n/a--GPAC | A security vulnerability has been detected in GPAC up to 26.02.0. This affects the function sidx_box_read of the file src/isomedia/box_code_base.c. The manipulation leads to allocation of resources. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The identifier of the patch is 442e2299530138d8f874fd885c565ba98a6318ba. It is suggested to install a patch to address this issue. | 2026-05-08 | 3.3 | CVE-2026-8124 | VDB-361914 | GPAC box_code_base.c sidx_box_read allocation of resources VDB-361914 | CTI Indicators (IOB, IOC, IOA) Submit #808611 | gpac latest Denial of Service (DoS) https://github.com/gpac/gpac/issues/3519 https://github.com/gpac/gpac/commit/442e2299530138d8f874fd885c565ba98a6318ba https://github.com/gpac/gpac/ |
| n/a--JeecgBoot | A flaw has been found in JeecgBoot 3.9.1. The impacted element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java of the component mLogin Endpoint. This manipulation causes authorization bypass. The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 3.7 | CVE-2026-8196 | VDB-362348 | JeecgBoot mLogin Endpoint LoginController.java authorization VDB-362348 | CTI Indicators (IOB, IOC, IOA) Submit #803529 | jeecgboot JeecgBoot 3.9.1 Authorization Bypass https://github.com/xpp3901/CVE_APPLY/tree/main/V-009_mLogin_Captcha_Bypass |
| Dotouch--XproUPF | A vulnerability was found in Dotouch XproUPF 2.0.0-release-088aa7c4. This impacts the function vlib_worker_loop in the library /usr/xpro/upf/tools/libs/libvlib.so of the component UPF Process. The manipulation results in denial of service. The vendor was contacted early about this disclosure. | 2026-05-10 | 3.5 | CVE-2026-8232 | VDB-362449 | Dotouch XproUPF UPF Process libvlib.so vlib_worker_loop denial of service VDB-362449 | CTI Indicators (IOB, IOC, IOA) Submit #808794 | Dotouch XproUPF v2.0.0-release-088aa7c4 Denial of Service |
| Industrial Application Software IAS--Canias ERP | A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results in observable response discrepancy. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 3.7 | CVE-2026-8242 | VDB-362458 | Industrial Application Software IAS Canias ERP Login RMI doAction response discrepancy VDB-362458 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808295 | Industrial Application Software - IAS Canias ERP 8.03-- Observable Response Discrepancy (CWE-204) https://hawktrace.com/blog/caniaserp https://gist.github.com/0xb1lal/85422a63c10a001c75a22365457de624 |
| HCL Software--BigFix Service Management (SM) | HHCL BigFix Service Management (SM) is affected by a Cross‑Site Request Forgery (CSRF) vulnerability. This could lead to unauthorized changes or exposure of sensitive data. | 2026-05-06 | 2.6 | CVE-2025-31957 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by an Information Disclosure - Server Banner issue was identified. Exposed server banners may reveal software versions and system details, potentially aiding attackers in targeting known vulnerabilities. | 2026-05-06 | 2.6 | CVE-2025-31975 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--BigFix RunBookAI | HCL BigFix RunBookAI is affected by a Continued availability of Less-Secure "Input Text" Vulnerability . A component contains a security weakness in its input handling implementation, increasing the risk of misconfiguration and operational errors. | 2026-05-06 | 2.7 | CVE-2025-62345 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130444 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While the JSON output correctly suppresses hidden columns via isVisible() checks, the server-side search operates at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden PII values by observing which users appear in search results for specific values. This issue has been patched in version 5.0.9. | 2026-05-07 | 2.7 | CVE-2026-41659 | https://github.com/Admidio/admidio/security/advisories/GHSA-68pr-7prh-mpv4 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can race-condition swap the target file between validation and preflight read, causing the validator to inspect a different file identity than the one that passed the initial boundary check. | 2026-05-05 | 2.5 | CVE-2026-43529 | GitHub Security Advisory (GHSA-gj9q-8w99-mp8j) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Time-of-Check-Time-of-Use (TOCTOU) Race Condition in exec Script Preflight Validator |
| mutt--mutt | mutt before 2.3.2 has a show_sig_summary NULL pointer dereference. | 2026-05-04 | 2.5 | CVE-2026-43864 | https://github.com/muttmua/mutt/commit/ebfa2969042d89303d15334193fcc32866c8a8df |
| uriparser--uriparser | In uriparser before 1.0.2, there is pointer difference truncation to int in various places. | 2026-05-08 | 2.9 | CVE-2026-44927 | https://github.com/uriparser/uriparser/pull/304 |
| uriparser--uriparser | In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal. | 2026-05-08 | 2.9 | CVE-2026-44928 | https://github.com/uriparser/uriparser/pull/305 |
| GrapheneOS--GrapheneOS | GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system_server transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" and "Always-on VPN" settings are enabled. | 2026-05-09 | 2.2 | CVE-2026-45182 | https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypass/ https://grapheneos.org/releases#2026050400 https://cyberinsider.com/grapheneos-fixes-android-vpn-leak-google-refused-to-patch/ |
| libexpat project--libexpat | In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. | 2026-05-10 | 2.9 | CVE-2026-45186 | https://github.com/libexpat/libexpat/pull/1216 |
| chatchat-space--Langchain-Chatchat | A flaw has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. This issue affects the function PIL.Image.tobytes of the file libs/chatchat-server/chatchat/webui_pages/dialogue/dialogue.py of the component Vision Chat Paste Image Handler. This manipulation of the argument paste_image.image_data causes use of weak hash. The attacker needs to be present on the local network. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 2.6 | CVE-2026-7845 | VDB-361124 | chatchat-space Langchain-Chatchat Vision Chat Paste Image dialogue.py PIL.Image.tobytes weak hash VDB-361124 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807794 | chatchat-space Langchain-Chatchat 0.3.1.3 Weak Hash / CWE-328 https://github.com/chatchat-space/Langchain-Chatchat/issues/5462 https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-1-tobytes-Hash-Collision.md https://github.com/chatchat-space/Langchain-Chatchat/ |
| chatchat-space--Langchain-Chatchat | A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. Impacted is the function files of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component OpenAI-Compatible File Upload API. Such manipulation of the argument file.filename leads to time-of-check time-of-use. Access to the local network is required for this attack to succeed. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 2.6 | CVE-2026-7846 | VDB-361125 | chatchat-space Langchain-Chatchat OpenAI-Compatible File Upload API openai_routes.py files toctou VDB-361125 | CTI Indicators (IOB, IOC, IOA) Submit #807795 | chatchat-space Langchain-Chatchat 0.3.1.3 TOCTOU Race Condition / CWE-367 https://github.com/chatchat-space/Langchain-Chatchat/issues/5463 https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-2-Silent-File-Overwrite.md https://github.com/chatchat-space/Langchain-Chatchat/ |
| chatchat-space--Langchain-Chatchat | A vulnerability was found in chatchat-space Langchain-Chatchat up to 0.3.1.3. The affected element is the function _get_file_id of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Uploaded File Handler. Performing a manipulation results in insufficiently random values. Access to the local network is required for this attack. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 2.6 | CVE-2026-7847 | VDB-361126 | chatchat-space Langchain-Chatchat Uploaded File openai_routes.py _get_file_id random values VDB-361126 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807796 | chatchat-space Langchain-Chatchat 0.3.1.3 Use of Insufficiently Random Values / CWE-330 https://github.com/chatchat-space/Langchain-Chatchat/issues/5464 https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-3-Predictable-File-ID.md https://github.com/chatchat-space/Langchain-Chatchat/ |
| SourceCodester--Pharmacy Sales and Inventory System | A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /index.php?page=users. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used. | 2026-05-08 | 2.4 | CVE-2026-8136 | VDB-361925 | SourceCodester Pharmacy Sales and Inventory System index.php users cross site scripting VDB-361925 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808839 | SourceCodester Pharmacy Sales and Inventory System V1.0 cross site scripting https://github.com/timeflies123/cve/issues/1 https://www.sourcecodester.com/ |
| Devs Palace--ERP Online | A weakness has been identified in Devs Palace ERP Online up to 4.0.0. The affected element is an unknown function of the file /inventory/purchase_return_save. Executing a manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8218 | VDB-362435 | Devs Palace ERP Online purchase_return_save cross site scripting VDB-362435 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808252 | Devs Palace ERP Online 4.0.0 Code Injection Submit #808259 | Devs Palace ERP Online 4.0.0 Code Injection in "inventory/purchase_return_save" (Duplicate) https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
| Devs Palace--ERP Online | A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. The impacted element is an unknown function of the file /inventory/supplier-save. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8219 | VDB-362436 | Devs Palace ERP Online supplier-save cross site scripting VDB-362436 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808257 | Devs Palace ERP Online 4.0.0 Code Injection in "/inventory/supplier-save" https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
| Devs Palace--ERP Online | A vulnerability was detected in Devs Palace ERP Online up to 4.0.0. This affects an unknown function of the file /inventory/customer-save. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8220 | VDB-362437 | Devs Palace ERP Online customer-save cross site scripting VDB-362437 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808261 | Devs Palace ERP Online 4.0.0 Code Injection in "inventory/customer-save" https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
| Devs Palace--ERP Online | A flaw has been found in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /inventory/item-save. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8221 | VDB-362438 | Devs Palace ERP Online item-save cross site scripting VDB-362438 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808263 | Devs Palace ERP Online 4.0.0 Code Injection in "inventory/item-save" https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
| Devs Palace--ERP Online | A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. Affected by this vulnerability is an unknown functionality of the file /inventory/purchase_save. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8253 | VDB-362550 | Devs Palace ERP Online purchase_save cross site scripting VDB-362550 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808277 | Devs Palace ERP Online 4.0.0 Code Injection https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
| Devs Palace--ERP Online | A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0. Affected by this issue is some unknown functionality of the file /inventory/sales_save. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8254 | VDB-362551 | Devs Palace ERP Online sales_save cross site scripting VDB-362551 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808279 | Devs Palace ERP Online 4.0.0 Code Injection https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| CHORNY--Apache::Session | Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted. | 2026-05-08 | not yet calculated | CVE-2013-10075 | https://rt.cpan.org/Public/Bug/Display.html?id=83525 |
| www[.]thruk[.]org--Thruk Monitoring | In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface. | 2026-05-08 | not yet calculated | CVE-2022-23961 | https://herolab.usd.de/security-advisories/ https://herolab.usd.de/security-advisories/usd-2021-0034/ |
| www[.]avast[.]com—Avast/AVG Windows Anti Rootkit driver | The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3. | 2026-05-08 | not yet calculated | CVE-2022-26522 | https://www.avast.com/bug-bounty https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/ |
| www[.]avast[.]com--Avast/AVG Windows Anti Rootkit driver | The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xbb94. | 2026-05-08 | not yet calculated | CVE-2022-26523 | https://www.avast.com/bug-bounty https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/ |
| www[.]nokia[.]com--Nokia Broadcast Message Center (BMC) | Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log Scanner Search Pattern field. | 2026-05-08 | not yet calculated | CVE-2022-45899 | https://nokia.com https://www.exploit-db.com/exploits/51896 |
| n/a--Alkacon OpenCms | A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type. | 2026-05-08 | not yet calculated | CVE-2023-42343 | https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/ |
| n/a--Alkacon OpenCms | Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet. | 2026-05-08 | not yet calculated | CVE-2023-42344 | https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/ |
| n/a--Alkacon OpenCms | A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp. | 2026-05-08 | not yet calculated | CVE-2023-42345 | https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/ |
| n/a--Alkacon OpenCms | Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host. | 2026-05-08 | not yet calculated | CVE-2023-42346 | https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/ |
| www[.]gl-inet[.]com—Gl.iNet devices v.4x | Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000 GL-AR300M GL-B1300 GL-AX1800 GL-AR750S GL-MT2500 GL-AXT1800 GL-X3000 and GL-SFT1200. | 2026-05-08 | not yet calculated | CVE-2023-46453 | https://www.exploit-db.com/exploits/51865 |
| n/a-- Prusa PrusaSlicer v2.6.1 | In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported. | 2026-05-08 | not yet calculated | CVE-2023-47268 | https://help.prusa3d.com/article/post-processing-scripts_283913 https://www.prusa3d.com/page/prusaslicer_424/ https://slic3r.org/download/ https://raw.githubusercontent.com/vulncheck-oss/0day.today.archive/main/local-exploits/39547.txt |
| mikrotik[.]com—RouterOS v.6.40.5 to 6.49.10 | Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data to the SMB service on TCP port 445. | 2026-05-08 | not yet calculated | CVE-2024-27686 | https://github.com/ice-wzl/RouterOS-SMB-DOS-POC https://www.exploit-db.com/exploits/51931 |
| n/a-- Matrix Switcher v1.1.2 | /cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allow remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter. | 2026-05-08 | not yet calculated | CVE-2024-30167 | https://exchange.xforce.ibmcloud.com/vulnerabilities/285733 |
| n/a--PMS (Prison Management System) PHP v1.0 | Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page. | 2026-05-08 | not yet calculated | CVE-2024-33288 | https://www.sourcecodester.com/sql/17287/prison-management-system.html https://www.exploit-db.com/exploits/52017 |
| n/a--SOPlanning v1.52.00 | SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut[]. | 2026-05-08 | not yet calculated | CVE-2024-33722 | https://github.com/fuzzlove/soplanning-1.52-exploits |
| n/a--SOPlanning v1.52.00 | SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php. | 2026-05-08 | not yet calculated | CVE-2024-33724 | https://github.com/fuzzlove/soplanning-1.52-exploits |
| n/a-- BYOB (Build Your Own Botnet) 2.0 | A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server via a crafted build parameter. This occurs in freeze in core/generators.py. | 2026-05-08 | not yet calculated | CVE-2024-45257 | https://github.com/malwaredllc/byob https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/ https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/byob_unauth_rce.rb |
| n/a--yeti-platform | A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server. | 2026-05-08 | not yet calculated | CVE-2024-46507 | https://rhinosecuritylabs.com/research/cve-2024-46507-yeti-server-side-template-injection-ssti/ |
| n/a--yeti-platform | yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens is the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than SECRET). | 2026-05-08 | not yet calculated | CVE-2024-46508 | https://rhinosecuritylabs.com/research/cve-2024-46507-yeti-server-side-template-injection-ssti/ |
| n/a--LibreNMS | LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory(). | 2026-05-08 | not yet calculated | CVE-2024-51092 | https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/librenms_authenticated_rce_cve_2024_51092.rb https://github.com/librenms/librenms/security/advisories/GHSA-x645-6pf9-xwxw |
| bitcoincore[.]org—bitcoincore v28.x | Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. The earliest affected version is 0.14. | 2026-05-05 | not yet calculated | CVE-2024-52911 | https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures https://bitcoincore.org https://bitcoincore.org/en/2026/05/05/disclose-cve-2024-52911/ |
| linqpad[.]net—Linqpad Pro | LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution. | 2026-05-08 | not yet calculated | CVE-2024-53326 | https://www.linqpad.net/ https://trustedsec.com/blog/discovering-a-deserialization-vulnerability-in-linqpad |
| 3onedata--GW1101-1D(RS-485)-TB-P | 3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) allows authenticated users to execute arbitrary shell commands in the context of the root user by providing payload in the "IP address" field of the diagnosis test tools. This issue has been resolved in firmware version 3.0.59B2024080600R4353 | 2026-05-04 | not yet calculated | CVE-2025-13605 | https://cert.pl/en/posts/2026/05/CVE-2025-13605 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements. | 2026-05-10 | not yet calculated | CVE-2025-14179 | https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm |
| HCLSoftware--BigFix WebUI | An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers. | 2026-05-09 | not yet calculated | CVE-2025-15633 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130587 |
| HCLSoftware--BigFix WebUI | A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page. | 2026-05-09 | not yet calculated | CVE-2025-15634 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130587 |
| ispconfig[.]com--ISPConfig 3.3.0 | ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) via the system status webpage. | 2026-05-05 | not yet calculated | CVE-2025-52206 | http://ispconfig.com https://www.ispconfig.org/blog/ispconfig-3-3-0p2-released-security-update/ |
| n/a--AstrBot 3.5.15 | AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT. | 2026-05-08 | not yet calculated | CVE-2025-55449 | https://github.com/AstrBotDevs/AstrBot https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE |
| jupyter-server--jupyter_server | Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0. | 2026-05-05 | not yet calculated | CVE-2025-61669 | https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w |
| www[.]npmjs[.]com—NPM Package Parse-ini v1.0.6 | npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js(). | 2026-05-07 | not yet calculated | CVE-2025-63703 | https://www.npmjs.com/package/parse-ini?activeTab=code https://gist.github.com/6en6ar/bdc8e0d472406ab98431f10273cbdbf3 |
| www[.]npmjs[.]com—NPM Package Parse-string | NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object. | 2026-05-07 | not yet calculated | CVE-2025-63704 | https://www.npmjs.com/package/query-string-parser?activeTab=readme https://github.com/victorteokw/query-string-parser/issues/3 https://gist.github.com/6en6ar/d62f614dbb2b1032b5e45a56fe26ec8b |
| www[.]npmjs[.]com—NPM Package Node v1.0.15 | NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js. | 2026-05-07 | not yet calculated | CVE-2025-63705 | https://www.npmjs.com/package/node-ts-ocr https://gist.github.com/6en6ar/a2ac44da0f4e580190be3e66cfbb9a4a |
| www[.]npmjs[.]com—NPM Package npn v1.0.1 | NPM package next-npm-version1.0.1 is vulnerable to Command injection. | 2026-05-07 | not yet calculated | CVE-2025-63706 | https://github.com/afeiship/next-npm-version/issues/1 https://www.npmjs.com/package/@jswork/next-npm-version https://gist.github.com/6en6ar/607368f1fc8fe429f03c6e0d9486ba72 |
| n/a--youtubeRegex | Regex Denial of Service in youtube-regex npm package through version 1.0.5. | 2026-05-07 | not yet calculated | CVE-2025-65122 | https://github.com/regexhq/youtube-regex/issues/14 https://gist.github.com/6en6ar/66ef99397068c0a5e0d963bc47d7172c |
| Apache Software Foundation--Apache CloudStack | The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup. Users are recommended to upgrade to version 4.22.0.1, which fixes the issue. | 2026-05-08 | not yet calculated | CVE-2025-66170 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Apache Software Foundation--Apache CloudStack | The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue. | 2026-05-08 | not yet calculated | CVE-2025-66171 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Apache Software Foundation--Apache CloudStack | The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and attach the volume to their own VMs. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue. | 2026-05-08 | not yet calculated | CVE-2025-66172 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| www[.]Samsung[.]com--Samsung Mobile Processor | An issue was discovered in MM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, W920, W930, W1000, Modem 5123, and Modem 5300. Incorrect handling of 5G NR NAS registration accept messages leads to a Denial of Service. | 2026-05-05 | not yet calculated | CVE-2025-66369 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-66369/ |
| n/a--Sidekiq-cron | Sidekiq-cron thru 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL being rended from cron.erb. | 2026-05-07 | not yet calculated | CVE-2025-67202 | https://github.com/sidekiq-cron/sidekiq-cron/issues/569 https://github.com/sidekiq-cron/sidekiq-cron/releases/tag/v2.4.0 |
| Dolibarr--dolibarr | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available. | 2026-05-08 | not yet calculated | CVE-2025-67486 | https://medium.com/@abduxalilovjavohir/dolibarr-erp-authenticated-remote-code-execution-via-eval-injection-in-user-extrafields-dfc305d0118e https://github.com/Dolibarr/dolibarr/blob/22.0.2/htdocs/core/lib/functions.lib.php |
| n/a--IKUS Rdiffweb | IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6. | 2026-05-04 | not yet calculated | CVE-2025-67796 | https://gitlab.com/ikus-soft/rdiffweb https://gitlab.com/ikus-soft/rdiffweb#2106-2025-10-02 |
| www[.]bitrix24[.]com—bitrix24 | Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website. | 2026-05-08 | not yet calculated | CVE-2025-67886 | https://www.bitrix24.com/self-hosted/ https://seclists.org/fulldisclosure/2025/Dec/21 https://karmainsecurity.com/pocs/CVE-2025-67886.php https://dev.1c-bitrix.ru/learning/course/?COURSE_ID=43&LESSON_ID=3055 https://dev.1c-bitrix.ru/api_help/translate/index.php |
| www[.]bitrix24[.]com—bitrix24 | 1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website. | 2026-05-08 | not yet calculated | CVE-2025-67887 | https://www.1c-bitrix.ru/support/index.php https://dev.1c-bitrix.ru/learning/course/?COURSE_ID=43&LESSON_ID=3055 https://dev.1c-bitrix.ru/api_help/translate/index.php https://seclists.org/fulldisclosure/2025/Dec/22 https://karmainsecurity.com/pocs/CVE-2025-67887.php |
| wiki[.]centos-webpanel[.]com—Control Web Panel | An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present. | 2026-05-08 | not yet calculated | CVE-2025-67888 | https://wiki.centos-webpanel.com/cwp-security-instructions https://karmainsecurity.com/KIS-2025-09 |
| n/a--RayVentory Scan Engine | RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because ability of an attacker to control the environment is a site-specific misconfiguration. | 2026-05-08 | not yet calculated | CVE-2025-69599 | https://support.raynet.de/hc/en-us/articles/19518792826132-RVY200865-RayVentory-12-6 https://github.com/Wise-Security/CVE-2025-69599 |
| n/a--Netgate pfSense CE | Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code. | 2026-05-08 | not yet calculated | CVE-2025-69690 | https://www.linkedin.com/in/nelson-adhepeau/ https://seclists.org/fulldisclosure/2026/Feb/16 |
| n/a--Netgate pfSense CE | Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code. | 2026-05-08 | not yet calculated | CVE-2025-69691 | https://www.linkedin.com/in/nelson-adhepeau/ https://seclists.org/fulldisclosure/2026/Feb/16 |
| Assimp[.]com--Assimp v6.0.2 | Buffer Overflow vulnerability exists in Assimp versions up to 6.0.2 in the FBX Importer. The vulnerability occurs in aiMaterial::AddBinaryProperty, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation | 2026-05-04 | not yet calculated | CVE-2025-70067 | http://assimp.com https://github.com/assimp/assimp https://gist.github.com/GunP4ng/b6653184a4c5c3e608e6368227397505 |
| Assimp[.]com--Assimp v6.0.2 | An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp and ConvertMeshMultiMaterial() method | 2026-05-04 | not yet calculated | CVE-2025-70069 | http://assimp.com https://gist.github.com/GunP4ng/9080ae7f0470c889a59cc3bfca445223 |
| Assimp[.]com--Assimp v6.0.2 | An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXMeshGeometry.cpp, MeshGeometry::MeshGeometry() | 2026-05-04 | not yet calculated | CVE-2025-70070 | http://assimp.com https://gist.github.com/GunP4ng/a2118ba977b10074a4477322afa7b763 |
| Assimp[.]com--Assimp v6.0.2 | An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXParser.cpp, ParseVectorDataArray() | 2026-05-04 | not yet calculated | CVE-2025-70071 | http://assimp.com https://gist.github.com/GunP4ng/6d80919905037929ce9266ccd207b9ea |
| Assimp[.]com--Assimp v6.0.2 | An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp, FBXConverter::ConvertMeshMultiMaterial() components | 2026-05-04 | not yet calculated | CVE-2025-70072 | http://assimp.com https://gist.github.com/GunP4ng/cdaf0cb89dc6f1d09a9e88fa1135894e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: ensure sb->s_fs_info is always cleaned up When hfsplus was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info. If setup_bdev_super() fails after a new superblock has been allocated by sget_fc(), but before hfsplus_fill_super() takes ownership of the filesystem-specific s_fs_info data it was leaked. Fix this by freeing sb->s_fs_info in hfsplus_kill_super(). | 2026-05-06 | not yet calculated | CVE-2025-71271 | https://git.kernel.org/stable/c/0bcfebb83b5460d5be4e5c9dfb19cdaf3d4cb1db https://git.kernel.org/stable/c/1e38d32bb04d85a2c81204a85a34878a497128c8 https://git.kernel.org/stable/c/126fb0ce99431126b44a6c360192668c818f641f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: most: core: fix resource leak in most_register_interface error paths The function most_register_interface() did not correctly release resources if it failed early (before registering the device). In these cases, it returned an error code immediately, leaking the memory allocated for the interface. Fix this by initializing the device early via device_initialize() and calling put_device() on all error paths. The most_register_interface() is expected to call put_device() on error which frees the resources allocated in the caller. The put_device() either calls release_mdev() or dim2_release(), depending on the caller. Switch to using device_add() instead of device_register() to handle the split initialization. | 2026-05-06 | not yet calculated | CVE-2025-71272 | https://git.kernel.org/stable/c/a49028a796d7b94f8e3ab9bd34b18f36be235459 https://git.kernel.org/stable/c/af0b99b2214a10554adb5b868240d23af6e64e71 https://git.kernel.org/stable/c/2f483f3817fb0e4209ac5de928778b1da0cc8574 https://git.kernel.org/stable/c/1f4c9d8a1021281750c6cda126d6f8a40cc24e71 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band() Simplify the code by using device managed memory allocations. This also fixes a memory leak in rtw_register_hw(). The supported bands were not freed in the error path. Copied from commit 145df52a8671 ("wifi: rtw89: Convert rtw89_core_set_supported_band to use devm_*"). | 2026-05-06 | not yet calculated | CVE-2025-71273 | https://git.kernel.org/stable/c/9b5418070ee8468fac9e8bf641c83d46b85bff30 https://git.kernel.org/stable/c/ad9b80ee310ed734482a2e5da874b67f88ac0ef8 https://git.kernel.org/stable/c/1bd90e0a99fdc8dc5deb3c92bf865e4496b4b311 https://git.kernel.org/stable/c/2ba12401cc1f2d970fa2e7d5b15abde3f5abd40d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rpmsg: core: fix race in driver_override_show() and use core helper The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free. To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now. Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race. Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code. | 2026-05-06 | not yet calculated | CVE-2025-71274 | https://git.kernel.org/stable/c/392c6b68334aa0e0ae9aba95c0a366bcb0d92f5d https://git.kernel.org/stable/c/d66b8074c555e8abb0ae19eea1c9f3635498bdde https://git.kernel.org/stable/c/47615557447185917afa432b7958f87583c417cb https://git.kernel.org/stable/c/90c8353f471821d7ccd4fe573a2402e056192494 https://git.kernel.org/stable/c/7654e6e3cd6bdee9602f6063b3c670bd556d7e61 https://git.kernel.org/stable/c/2e4a70f3c30910427e5ea848b799066d67b963d5 https://git.kernel.org/stable/c/954557957177c3c13d7c655976665b1170da5e50 https://git.kernel.org/stable/c/42023d4b6d2661a40ee2dcf7e1a3528a35c638ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels MHI stack offers the 'auto_queue' feature, which allows the MHI stack to auto queue the buffers for the RX path (DL channel). Though this feature simplifies the client driver design, it introduces race between the client drivers and the MHI stack. For instance, with auto_queue, the 'dl_callback' for the DL channel may get called before the client driver is fully probed. This means, by the time the dl_callback gets called, the client driver's structures might not be initialized, leading to NULL ptr dereference. Currently, the drivers have to workaround this issue by initializing the internal structures before calling mhi_prepare_for_transfer_autoqueue(). But even so, there is a chance that the client driver's internal code path may call the MHI queue APIs before mhi_prepare_for_transfer_autoqueue() is called, leading to similar NULL ptr dereference. This issue has been reported on the Qcom X1E80100 CRD machines affecting boot. So to properly fix all these races, drop the MHI 'auto_queue' feature altogether and let the client driver (QRTR) manage the RX buffers manually. In the QRTR driver, queue the RX buffers based on the ring length during probe and recycle the buffers in 'dl_callback' once they are consumed. This also warrants removing the setting of 'auto_queue' flag from controller drivers. Currently, this 'auto_queue' feature is only enabled for IPCR DL channel. So only the QRTR client driver requires the modification. | 2026-05-06 | not yet calculated | CVE-2025-71285 | https://git.kernel.org/stable/c/7bdff9b9b0c65ac7105416fe3a40686832515e20 https://git.kernel.org/stable/c/8c464e00e0754e016816b1860fa9592dcad80eb2 https://git.kernel.org/stable/c/51731792a25cb312ca94cdccfa139eb46de1b2ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls The size of the data behind of scontrol->ipc_control_data for bytes controls is: [1] sizeof(struct sof_ipc4_control_data) + // kernel only struct [2] sizeof(struct sof_abi_hdr)) + payload The max_size specifies the size of [2] and it is coming from topology. Change the function to take this into account and allocate adequate amount of memory behind scontrol->ipc_control_data. With the change we will allocate [1] amount more memory to be able to hold the full size of data. | 2026-05-06 | not yet calculated | CVE-2025-71286 | https://git.kernel.org/stable/c/59fe643f21b9d59bcbedb0dfbf988ee455c23736 https://git.kernel.org/stable/c/491956b45b5f4933632ea6d8a8bdfdf045ab81e1 https://git.kernel.org/stable/c/a704a1a4394b5877b9adc31b2c3165ad0b541896 https://git.kernel.org/stable/c/1237cd9ff198cb882402572f29569e5247190974 https://git.kernel.org/stable/c/a653820700b81c9e6f05ac23b7969ecec1a18e85 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: memory: mtk-smi: fix device leak on larb probe Make sure to drop the reference taken when looking up the SMI device during larb probe on late probe failure (e.g. probe deferral) and on driver unbind. | 2026-05-06 | not yet calculated | CVE-2025-71287 | https://git.kernel.org/stable/c/04057b86fdac3d4847913a97dc6552c0bff9b85e https://git.kernel.org/stable/c/357e16a7fc9c1fef2ea37dce9bb6b9bcb1d1687d https://git.kernel.org/stable/c/b9eccd59697f7e1cb9a714501d9af826e7f7e073 https://git.kernel.org/stable/c/1f23a48ff2b8ab47e514f7c84a4b1dbf9b848168 https://git.kernel.org/stable/c/f69535b77fa0518ad39870c00dd2995439ed5c34 https://git.kernel.org/stable/c/1288bb394d464975cea18f69940f206e235e0fe7 https://git.kernel.org/stable/c/9dae65913b32d05dbc8ff4b8a6bf04a0e49a8eb6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: memory: mtk-smi: fix device leaks on common probe Make sure to drop the reference taken when looking up the SMI device during common probe on late probe failure (e.g. probe deferral) and on driver unbind. | 2026-05-06 | not yet calculated | CVE-2025-71288 | https://git.kernel.org/stable/c/b8b2cf42b94c0a8efe43279643935256a6f58b9f https://git.kernel.org/stable/c/b16599fedf49fd42d174fba342a0b56103df3169 https://git.kernel.org/stable/c/984992f31cfb71b25cd0a72ef51ceb5dd6f187e8 https://git.kernel.org/stable/c/b44d090d6ca159d94b59ad4cc44ffdaca094df82 https://git.kernel.org/stable/c/9704564a70399c2787f5a7c5d347add721056e9d https://git.kernel.org/stable/c/6cfa038bddd710f544076ea2ef7792fc82fbedd6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: handle attr_set_size() errors when truncating files If attr_set_size() fails while truncating down, the error is silently ignored and the inode may be left in an inconsistent state. | 2026-05-06 | not yet calculated | CVE-2025-71289 | https://git.kernel.org/stable/c/6dfea43d11513b7f2892529de55e8f0855108a2c https://git.kernel.org/stable/c/576248a34b927e93b2fd3fff7df735ba73ad7d01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: ti_fpc202: fix a potential memory leak in probe function Use for_each_child_of_node_scoped() to simplify the code and ensure the device node reference is automatically released when the loop scope ends. | 2026-05-06 | not yet calculated | CVE-2025-71290 | https://git.kernel.org/stable/c/d2975604bf1ba36ffc5a08fe8da97fd63b91c4f1 https://git.kernel.org/stable/c/dd16f314cb10e6807c74402efdfa2cccc1f15907 https://git.kernel.org/stable/c/dad9f13d967b4e53e8eaf5f9c690f8e778ad9802 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read() In the function bcm_vk_read(), the pointer entry is checked, indicating that it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the following code may cause null-pointer dereferences: struct vk_msg_blk tmp_msg = entry->to_h_msg[0]; set_msg_id(&tmp_msg, entry->usr_msg_id); tmp_msg.size = entry->to_h_blks - 1; To prevent these possible null-pointer dereferences, copy to_h_msg, usr_msg_id, and to_h_blks from iter into temporary variables, and return these temporary variables to the application instead of accessing them through a potentially NULL entry. | 2026-05-06 | not yet calculated | CVE-2025-71291 | https://git.kernel.org/stable/c/741c5a3a0cd893a4218fc0fc8c18403e54fcfb22 https://git.kernel.org/stable/c/ece3722169ba93734bfd1f06255e8ab7f19fe964 https://git.kernel.org/stable/c/aa97ccc3dc1eba9f4537f0410e9dbb0b05ccf2fb https://git.kernel.org/stable/c/3842f93e6e29d5cc1dcb9e5bda70587b444bed69 https://git.kernel.org/stable/c/20f2d9dbe5e972516f8f9948d7ae5b95d1ad77bd https://git.kernel.org/stable/c/ba75ecb97d3f4e95d59002c13afb6519205be6cb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jfs: nlink overflow in jfs_rename If nlink is maximal for a directory (-1) and inside that directory you perform a rename for some child directory (not moving from the parent), then the nlink of the first directory is first incremented and later decremented. Normally this is fine, but when nlink = -1 this causes a wrap around to 0, and then drop_nlink issues a warning. After applying the patch syzbot no longer issues any warnings. I also ran some basic fs tests to look for any regressions. | 2026-05-06 | not yet calculated | CVE-2025-71292 | https://git.kernel.org/stable/c/2108829a59f081e822fdab8c2cd7131deb8aa8a1 https://git.kernel.org/stable/c/b4330a0d0947fbdc9d445cbbeabd8cc910a8c9ca https://git.kernel.org/stable/c/a3d66089e50a6e0142f8884471f74292102ea9aa https://git.kernel.org/stable/c/f70fcbc2ac7c24f087a2c895c5753aa730b1e479 https://git.kernel.org/stable/c/5d77c36cd4b698649f5c30c5f6c084f4f61d1880 https://git.kernel.org/stable/c/fe136426e30ca6debcf916fd6a141555ed9fde74 https://git.kernel.org/stable/c/93c325746ae59709b4f9bad4e3e4761c8d566c70 https://git.kernel.org/stable/c/9218dc26fd922b09858ecd3666ed57dfd8098da8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/ras: Move ras data alloc before bad page check In the rare event if eeprom has only invalid address entries, allocation is skipped, this causes following NULL pointer issue [ 547.103445] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 547.118897] #PF: supervisor read access in kernel mode [ 547.130292] #PF: error_code(0x0000) - not-present page [ 547.141689] PGD 124757067 P4D 0 [ 547.148842] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 547.158504] CPU: 49 PID: 8167 Comm: cat Tainted: G OE 6.8.0-38-generic #38-Ubuntu [ 547.177998] Hardware name: Supermicro AS -8126GS-TNMR/H14DSG-OD, BIOS 1.7 09/12/2025 [ 547.195178] RIP: 0010:amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu] [ 547.210375] Code: e8 63 78 82 c0 45 31 d2 45 3b 75 08 48 8b 45 a0 73 44 44 89 f1 48 8b 7d 88 48 89 ca 48 c1 e2 05 48 29 ca 49 8b 4d 00 48 01 d1 <48> 83 79 10 00 74 17 49 63 f2 48 8b 49 08 41 83 c2 01 48 8d 34 76 [ 547.252045] RSP: 0018:ffa0000067287ac0 EFLAGS: 00010246 [ 547.263636] RAX: ff11000167c28130 RBX: ff11000127600000 RCX: 0000000000000000 [ 547.279467] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff11000125b1c800 [ 547.295298] RBP: ffa0000067287b50 R08: 0000000000000000 R09: 0000000000000000 [ 547.311129] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 547.326959] R13: ff11000217b1de00 R14: 0000000000000000 R15: 0000000000000092 [ 547.342790] FS: 0000746e59d14740(0000) GS:ff11017dfda80000(0000) knlGS:0000000000000000 [ 547.360744] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 547.373489] CR2: 0000000000000010 CR3: 000000019585e001 CR4: 0000000000f71ef0 [ 547.389321] PKRU: 55555554 [ 547.395316] Call Trace: [ 547.400737] <TASK> [ 547.405386] ? show_regs+0x6d/0x80 [ 547.412929] ? __die+0x24/0x80 [ 547.419697] ? page_fault_oops+0x99/0x1b0 [ 547.428588] ? do_user_addr_fault+0x2ee/0x6b0 [ 547.438249] ? exc_page_fault+0x83/0x1b0 [ 547.446949] ? asm_exc_page_fault+0x27/0x30 [ 547.456225] ? amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu] [ 547.470040] ? mas_wr_modify+0xcd/0x140 [ 547.478548] sysfs_kf_bin_read+0x63/0xb0 [ 547.487248] kernfs_file_read_iter+0xa1/0x190 [ 547.496909] kernfs_fop_read_iter+0x25/0x40 [ 547.506182] vfs_read+0x255/0x390 This also result in space left assigned to negative values. Moving data alloc call before bad page check resolves both the issue. | 2026-05-06 | not yet calculated | CVE-2025-71293 | https://git.kernel.org/stable/c/0b7f78caeffa51a1afa521c284e863ec3b5a36df https://git.kernel.org/stable/c/5c685235b60459381e959109b416a63db4d8dbac https://git.kernel.org/stable/c/bd68a1404b6fa2e7e9957b38ba22616faba43e75 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix NULL pointer issue buffer funcs If SDMA block not enabled, buffer_funcs will not initialize, fix the null pointer issue if buffer_funcs not initialized. | 2026-05-06 | not yet calculated | CVE-2025-71294 | https://git.kernel.org/stable/c/29fd416e0e08aa6d5a97fd313749d08d83de0826 https://git.kernel.org/stable/c/276028fd9b60bbcc68796d1124b6b58298f4ca8a https://git.kernel.org/stable/c/3e849a93bff40f0c88a8aafba062b1de0ec2797b https://git.kernel.org/stable/c/9877a865d62c9c3e0f4cc369dc9ca9f7f24f5ee9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/buffer: add alert in try_to_free_buffers() for folios without buffers try_to_free_buffers() can be called on folios with no buffers attached when filemap_release_folio() is invoked on a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined. In such cases, folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This causes try_to_free_buffers() to call drop_buffers() on a folio with no buffers, leading to a null pointer dereference. Adding a check in try_to_free_buffers() to return early if the folio has no buffers attached, with WARN_ON_ONCE() to alert about the misconfiguration. This provides defensive hardening. | 2026-05-06 | not yet calculated | CVE-2025-71295 | https://git.kernel.org/stable/c/1b111a69a6e33a922622bf9870e4e63fb2b649c8 https://git.kernel.org/stable/c/c1b6227555c52781178132b7a06466711855795c https://git.kernel.org/stable/c/727e5140e0cf83b4ce6a11b89bb73bff5d96f8f3 https://git.kernel.org/stable/c/42c32d7571ccd8ef32351cac506f00b0fae99fd2 https://git.kernel.org/stable/c/c6246ca15999053d2632fbcc7b86e6eef7f077cb https://git.kernel.org/stable/c/b68f91ef3b3fe82ad78c417de71b675699a8467c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tests: shmem: Hold reservation lock around purge Acquire and release the GEM object's reservation lock around calls to the object's purge operation. The tests use drm_gem_shmem_purge_locked(), which led to errors such as show below. [ 58.709128] WARNING: CPU: 1 PID: 1354 at drivers/gpu/drm/drm_gem_shmem_helper.c:515 drm_gem_shmem_purge_locked+0x51c/0x740 Only export the new helper drm_gem_shmem_purge() for Kunit tests. This is not an interface for regular drivers. | 2026-05-08 | not yet calculated | CVE-2025-71296 | https://git.kernel.org/stable/c/cdf8bbbd9017adcfb91ad9a902198d4b507719a9 https://git.kernel.org/stable/c/8baeee2c1c0cdb3a8eac3b8f38156cce6ee1a69f https://git.kernel.org/stable/c/3f41307d589c2f25d556d47b165df808124cd0c4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode() rtw8822b_set_antenna() can be called from userspace when the chip is powered off. In that case a WARNING is triggered in rtw8822b_config_trx_mode() because trying to read the RF registers when the chip is powered off returns an unexpected value. Call rtw8822b_config_trx_mode() in rtw8822b_set_antenna() only when the chip is powered on. ------------[ cut here ]------------ write RF mode table fail WARNING: CPU: 0 PID: 7183 at rtw8822b.c:824 rtw8822b_config_trx_mode.constprop.0+0x835/0x840 [rtw88_8822b] CPU: 0 UID: 0 PID: 7183 Comm: iw Tainted: G W OE 6.17.5-arch1-1 #1 PREEMPT(full) 01c39fc421df2af799dd5e9180b572af860b40c1 Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: LENOVO 82KR/LNVNB161216, BIOS HBCN18WW 08/27/2021 RIP: 0010:rtw8822b_config_trx_mode.constprop.0+0x835/0x840 [rtw88_8822b] Call Trace: <TASK> rtw8822b_set_antenna+0x57/0x70 [rtw88_8822b 370206f42e5890d8d5f48eb358b759efa37c422b] rtw_ops_set_antenna+0x50/0x80 [rtw88_core 711c8fb4f686162be4625b1d0b8e8c6a5ac850fb] ieee80211_set_antenna+0x60/0x100 [mac80211 f1845d85d2ecacf3b71867635a050ece90486cf3] nl80211_set_wiphy+0x384/0xe00 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda] ? netdev_run_todo+0x63/0x550 genl_family_rcv_msg_doit+0xfc/0x160 genl_rcv_msg+0x1aa/0x2b0 ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda] ? __pfx_nl80211_set_wiphy+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda] ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda] ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x59/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x285/0x3c0 ? __alloc_skb+0xdb/0x1a0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x39f/0x3d0 ? import_iovec+0x2f/0x40 ___sys_sendmsg+0x99/0xe0 ? refill_obj_stock+0x12e/0x240 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x81/0x970 ? do_syscall_64+0x81/0x970 ? ksys_read+0x73/0xf0 ? do_syscall_64+0x81/0x970 ? count_memcg_events+0xc2/0x190 ? handle_mm_fault+0x1d7/0x2d0 ? do_user_addr_fault+0x21a/0x690 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]--- | 2026-05-08 | not yet calculated | CVE-2025-71297 | https://git.kernel.org/stable/c/7852ca1cc65ad43fb8b620e6a65d5cb15e4e4487 https://git.kernel.org/stable/c/a96d161cfdb11cd2c35d5e498b93431164823338 https://git.kernel.org/stable/c/0d0c2fb80ca4c284c397dd7546743a3b5fdf4020 https://git.kernel.org/stable/c/509becaee5680a39bde00c2c7d448dfeb39a8e05 https://git.kernel.org/stable/c/44510ff07b5198e4a835a3074b716cec8357695b https://git.kernel.org/stable/c/44d1f624bbdd2d60319374ba85f7195a28d00c90 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tests: shmem: Hold reservation lock around madvise Acquire and release the GEM object's reservation lock around calls to the object's madvide operation. The tests use drm_gem_shmem_madvise_locked(), which led to errors such as show below. [ 58.339389] WARNING: CPU: 1 PID: 1352 at drivers/gpu/drm/drm_gem_shmem_helper.c:499 drm_gem_shmem_madvise_locked+0xde/0x140 Only export the new helper drm_gem_shmem_madvise() for Kunit tests. This is not an interface for regular drivers. | 2026-05-08 | not yet calculated | CVE-2025-71298 | https://git.kernel.org/stable/c/9cc77691b5fd615625955cedf726da57543088f1 https://git.kernel.org/stable/c/07cfcab370da06f26c273306571cbb0bfa3b9c52 https://git.kernel.org/stable/c/607d07d8cc0b835a8701259f08a03dc149b79b4f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing The recent refactoring of where runtime PM is enabled done in commit f1eb4e792bb1 ("spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance") made the fact that when we do a pm_runtime_disable() in the error paths of probe() we can trigger a runtime disable which in turn results in duplicate clock disables. This is particularly likely to happen when there is missing or broken DT description for the flashes attached to the controller. Early on in the probe function we do a pm_runtime_get_noresume() since the probe function leaves the device in a powered up state but in the error path we can't assume that PM is enabled so we also manually disable everything, including clocks. This means that when runtime PM is active both it and the probe function release the same reference to the main clock for the IP, triggering warnings from the clock subsystem: [ 8.693719] clk:75:7 already disabled [ 8.693791] WARNING: CPU: 1 PID: 185 at /usr/src/kernel/drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb ... [ 8.694261] clk_core_disable+0xa0/0xb4 (P) [ 8.694272] clk_disable+0x38/0x60 [ 8.694283] cqspi_probe+0x7c8/0xc5c [spi_cadence_quadspi] [ 8.694309] platform_probe+0x5c/0xa4 Dealing with this issue properly is complicated by the fact that we don't know if runtime PM is active so can't tell if it will disable the clocks or not. We can, however, sidestep the issue for the flash descriptions by moving their parsing to when we parse the controller properties which also save us doing a bunch of setup which can never be used so let's do that. | 2026-05-08 | not yet calculated | CVE-2025-71299 | https://git.kernel.org/stable/c/08dca4c8099a41a9fa3be128a793387603f73a17 https://git.kernel.org/stable/c/dcaa104ad9c860a6dbd5797919e0ec0b1cd5a57a https://git.kernel.org/stable/c/9f0736a4e136a6eb61e0cf530ddc18ab6d816ba3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "arm64: zynqmp: Add an OP-TEE node to the device tree" This reverts commit 06d22ed6b6635b17551f386b50bb5aaff9b75fbe. OP-TEE logic in U-Boot automatically injects a reserved-memory node along with optee firmware node to kernel device tree. The injection logic is dependent on that there is no manually defined optee node. Having the node in zynqmp.dtsi effectively breaks OP-TEE's insertion of the reserved-memory node, causing memory access violations during runtime. | 2026-05-08 | not yet calculated | CVE-2025-71300 | https://git.kernel.org/stable/c/eece81eeda10eb42c687399fb5aa69977ae15664 https://git.kernel.org/stable/c/3983ef126e439900bbf419724a9759863c146660 https://git.kernel.org/stable/c/2a833c730d4e8d1cc10953270ce0f3a156145d81 https://git.kernel.org/stable/c/c197179990124f991fca220d97fac56779a02c6d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tests: shmem: Hold reservation lock around vmap/vunmap Acquire and release the GEM object's reservation lock around vmap and vunmap operations. The tests use vmap_locked, which led to errors such as show below. [ 122.292030] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:390 drm_gem_shmem_vmap_locked+0x3a3/0x6f0 [ 122.468066] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:293 drm_gem_shmem_pin_locked+0x1fe/0x350 [ 122.563504] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:234 drm_gem_shmem_get_pages_locked+0x23c/0x370 [ 122.662248] WARNING: CPU: 2 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:452 drm_gem_shmem_vunmap_locked+0x101/0x330 Only export the new vmap/vunmap helpers for Kunit tests. These are not interfaces for regular drivers. | 2026-05-08 | not yet calculated | CVE-2025-71301 | https://git.kernel.org/stable/c/6b953d92f2f29e74b125617c6f00300fa1bed97e https://git.kernel.org/stable/c/e7b7022f11d3cf281c726117478696b83681bf11 https://git.kernel.org/stable/c/cda83b099f117f2a28a77bf467af934cb39e49cf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: fix for dma-fence safe access rules Commit 506aa8b02a8d6 ("dma-fence: Add safe access helpers and document the rules") details the dma-fence safe access rules. The most common culprit is that drm_sched_fence_get_timeline_name may race with group_free_queue. | 2026-05-08 | not yet calculated | CVE-2025-71302 | https://git.kernel.org/stable/c/ab8c0de60f16d7e0b162ccbbb35fcf1f277c97c2 https://git.kernel.org/stable/c/eae60933abd11df013876f647c9edbd35ce67615 https://git.kernel.org/stable/c/efe24898485c5c831e629d9c6fb9350c35cb576f |
| Google--Android | In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-05-04 | not yet calculated | CVE-2026-0073 | https://source.android.com/docs/security/bulletin/2026/2026-05-01 |
| Palo Alto Networks--Cloud NGFW | A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability. | 2026-05-06 | not yet calculated | CVE-2026-0300 | https://security.paloaltonetworks.com/CVE-2026-0300 |
| MediaTek, Inc.--MediaTek chipset | In geniezone, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10724073; Issue ID: MSV-6296. | 2026-05-04 | not yet calculated | CVE-2026-20447 | https://corp.mediatek.com/product-security-bulletin/May-2026 |
| MediaTek, Inc.--MediaTek chipset | In geniezone, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10708513; Issue ID: MSV-6281. | 2026-05-04 | not yet calculated | CVE-2026-20448 | https://corp.mediatek.com/product-security-bulletin/May-2026 |
| MediaTek, Inc.--MediaTek chipset | In Modem, there is a possible system crash due to a heap buffer overflow. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01760138; Issue ID: MSV-6148. | 2026-05-04 | not yet calculated | CVE-2026-20449 | https://corp.mediatek.com/product-security-bulletin/May-2026 |
| MediaTek, Inc.--MediaTek chipset | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01753620; Issue ID: MSV-6100. | 2026-05-04 | not yet calculated | CVE-2026-20450 | https://corp.mediatek.com/product-security-bulletin/May-2026 |
| MediaTek, Inc.--MediaTek chipset | In slbc, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10828685; Issue ID: MSV-6504. | 2026-05-04 | not yet calculated | CVE-2026-20451 | https://corp.mediatek.com/product-security-bulletin/May-2026 |
| JohnsonControls--AC2000 | Uncontrolled Search Path Element vulnerability in JohnsonControls AC2000 on Windows allows Leveraging/Manipulating Configuration File Search Paths. This issue affects AC2000: from 10.6 before release 10, from 11.0 before release 9, from 12 before release 3. | 2026-05-06 | not yet calculated | CVE-2026-21661 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories |
| redis--redis | Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3. | 2026-05-05 | not yet calculated | CVE-2026-23479 | https://github.com/redis/redis/security/advisories/GHSA-93m2-935m-8rj3 https://github.com/redis/redis/releases/tag/8.6.3 |
| redis--redis | Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3. | 2026-05-05 | not yet calculated | CVE-2026-23631 | https://github.com/redis/redis/security/advisories/GHSA-8ghh-qpmp-7826 https://github.com/redis/redis/releases/tag/8.6.3 |
| Apache Software Foundation--Apache HTTP Server | Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-23918 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Zabbix--Zabbix | An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip. | 2026-05-06 | not yet calculated | CVE-2026-23926 | https://support.zabbix.com/browse/ZBX-27758 |
| Zabbix--Zabbix | A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle database credentials if they are saved in a named session. | 2026-05-06 | not yet calculated | CVE-2026-23927 | https://support.zabbix.com/browse/ZBX-27759 |
| Zabbix--Zabbix | The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0. | 2026-05-06 | not yet calculated | CVE-2026-23928 | https://support.zabbix.com/browse/ZBX-27760 |
| Apache Software Foundation--Apache HTTP Server | An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue. | 2026-05-04 | not yet calculated | CVE-2026-24072 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache CloudStack | Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue. | 2026-05-08 | not yet calculated | CVE-2026-25077 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Apache Software Foundation--Apache CloudStack | Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine. Users are recommended to upgrade to version 4.22.0.1, which fixes this issue. As a workaround for the existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details. | 2026-05-08 | not yet calculated | CVE-2026-25199 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| redis--redis | Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3. | 2026-05-05 | not yet calculated | CVE-2026-25243 | https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4 https://github.com/redis/redis/releases/tag/8.6.3 |
| RedisTimeSeries--RedisTimeSeries | RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This has been patched in version 1.12.14. | 2026-05-05 | not yet calculated | CVE-2026-25588 | https://github.com/RedisTimeSeries/RedisTimeSeries/security/advisories/GHSA-7jwr-g5qv-w3gw https://github.com/RedisTimeSeries/RedisTimeSeries/releases/tag/v1.12.14 |
| RedisBloom--RedisBloom | RedisBloom is a probabilistic data structures module for Redis. In all versions of RedisBloom before 2.8.20, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisBloom module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This issue is fixed in version 2.8.20. | 2026-05-05 | not yet calculated | CVE-2026-25589 | https://github.com/RedisBloom/RedisBloom/security/advisories/GHSA-7862-34pw-44wv https://github.com/RedisBloom/RedisBloom/releases/tag/v2.8.20 |
| Open Notebook--Open Notebook | An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible. | 2026-05-07 | not yet calculated | CVE-2026-28201 | https://github.com/lfnovo/open-notebook/security/advisories/GHSA-5wj9-f8q5-8f9c |
| Apache Software Foundation--Apache HTTP Server | Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-05 | not yet calculated | CVE-2026-28780 | https://httpd.apache.org/security/vulnerabilities_24.html |
| rucio--rucio | A SQL injection vulnerability in `FilterEngine.create_sqla_query()` allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint (`GET /dids/<scope>/dids/search`). On Oracle deployments attacker-controlled filter keys and values are interpolated directly into `sqlalchemy.text()` via Python `.format()`, completely bypassing parameterization. This enables full database compromise including extraction of authentication tokens, password hashes, and all managed data identifiers. This affects versions 1.27.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1. The vulnerability exists in `lib/rucio/core/did_meta_plugins/filter_engine.py` within the `create_sqla_query()` method. When the database dialect is Oracle, filter expressions for JSON metadata columns are constructed using `text()` with Python string formatting. Both `key` and `value` are attacker-controlled strings derived from HTTP query parameters. The `text()` function creates a raw SQL fragment - it does **not** escape or parameterize its contents. Any authenticated Rucio user can exploit this through the DID search API to execute arbitrary SQL against the backend database. This can expose all managed data identifiers and sensitive tables such as identities, tokens, accounts, rse_settings, and rules, and may allow modification of database contents. The issue affects Oracle deployments using the default json_meta plugin and does not affect PostgreSQL or MySQL deployments using that plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1. | 2026-05-06 | not yet calculated | CVE-2026-29080 | https://github.com/rucio/rucio/security/advisories/GHSA-vjr5-c9qv-hgm3 |
| rucio--rucio | ### Summary A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`, then passed to `psycopg3`'s `sql.SQL()` which treats the string as trusted SQL syntax. Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1. | 2026-05-06 | not yet calculated | CVE-2026-29090 | https://github.com/rucio/rucio/security/advisories/GHSA-6j7p-qjhg-9947 |
| Apache Software Foundation--Apache HTTP Server | Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-05 | not yet calculated | CVE-2026-29168 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock. | 2026-05-04 | not yet calculated | CVE-2026-29169 | https://httpd.apache.org/security/vulnerabilities_24.html |
| phpBB--phpBB | phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover. | 2026-05-04 | not yet calculated | CVE-2026-29199 | https://hackerone.com/reports/3543246 |
| WebPros--Comet Backup | A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call. | 2026-05-04 | not yet calculated | CVE-2026-29200 | https://support.cometbackup.com/hc/en-us/articles/40090945484823--CVE-2026-29200-%D0%A1ritical-IDOR-vulnerability-in-Comet-Backup |
| WebPros--cPanel | Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed. | 2026-05-08 | not yet calculated | CVE-2026-29201 | https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026 |
| WebPros--cPanel | Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user. | 2026-05-08 | not yet calculated | CVE-2026-29202 | https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026 |
| WebPros--cPanel | A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory. | 2026-05-08 | not yet calculated | CVE-2026-29203 | https://support.cpanel.net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203-cPanel-WHM-WP2-Security-Update-May-08-2026 |
| n/a--nanoMODBUS | nanoMODBUS through v1.22.0 has a stack-based buffer overflow in recv_read_registers_res() in nanomodbus.c. When a client calls nmbs_read_holding_registers() or nmbs_read_input_registers(), the library writes register data from the server response to the caller-provided buffer based on the response's byte_count field before validating that byte_count matches the requested quantity. A malicious Modbus TCP server can send a response with byte_count=250 (125 registers) regardless of the requested quantity, causing up to 248 bytes of attacker-controlled data to overflow the buffer, potentially allowing remote code execution. | 2026-05-08 | not yet calculated | CVE-2026-29972 | https://github.com/debevv/nanoMODBUS https://github.com/debevv/nanoMODBUS/blob/master/nanomodbus.c#L580-L615 https://gist.github.com/dwilliams27/a4e26fe747c8561d608f7549804bd85f |
| n/a-- kosma minmea 0.3.0 | An issue was discovered in kosma minmea 0.3.0. The minmea_scan functions format specifier copies NMEA field data to a caller-provided buffer without a size parameter. Applications using minmea_scan on untrusted input are vulnerable to a stack buffer overflow. | 2026-05-08 | not yet calculated | CVE-2026-29974 | https://github.com/kosma/minmea/blob/master/minmea.c#L231-L240 https://gist.github.com/dwilliams27/6d4d8077b970f35e1a921c897ce13852 |
| n/a--lwjson 1.8.1 | lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causing valid JSON strings ending with an escaped backslash (like "\\") to never terminate parsing. A remote attacker can send well-formed JSON to cause applications using lwjson_stream_parse() to hang indefinitely, resulting in denial of service. | 2026-05-08 | not yet calculated | CVE-2026-29975 | https://github.com/MaJerle/lwjson/tree/develop https://github.com/MaJerle/lwjson/blob/develop/lwjson/src/lwjson/lwjson_stream.c#L362-L364 https://gist.github.com/dwilliams27/b99fd41be5d6848691797042cbfc1103 |
| Optomausa[.]com-- Optoma CinemaX P2 | The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes Android Debug Bridge (ADB) on TCP port 5555 over the network without requiring authentication. The device is configured with ro.adb.secure=0, which disables RSA key verification. Additionally, a functional su binary exists at /system/xbin/su that grants root privileges without authentication. An attacker on the same network can connect to the device via ADB, obtain a shell, and escalate to root privileges, gaining complete control of the device. This allows extraction of stored WiFi credentials, installation of persistent malware, and access to all device data. | 2026-05-07 | not yet calculated | CVE-2026-30495 | https://whitelabel.org/security/2026-02-01-smart-projector/ |
| Optomausa[.]com-- Optoma CinemaX P2 | The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightness, power, network protocols enable/disable (including TELNET), display modes, and other projector functions. Any device on the same network can control the projector without authentication. | 2026-05-07 | not yet calculated | CVE-2026-30496 | https://whitelabel.org/security/2026-02-01-smart-projector/ |
| owasp-modsecurity--ModSecurity | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash worker processes, causing a denial of service. Service resumes once the attack stops as worker processes recover from the segfault. All versions before 3.0.15 of libModSecurity3 are affected. This has been patched in version 3.0.15. | 2026-05-05 | not yet calculated | CVE-2026-30923 | https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qrjc-3jpc-3h2g https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.15 |
| www[.]alticelabs[.]com-- GR140DG/GR140IG router gateway | The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution. | 2026-05-05 | not yet calculated | CVE-2026-31195 | http://altice.com http://gr140dg.com https://xerod.io/advisories/XEROD-2026-0001 |
| www[.]alticelabs[.]com-- GR140DG/GR140IG router gateway | The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution. | 2026-05-05 | not yet calculated | CVE-2026-31196 | http://altice.com http://gr140dg.com https://xerod.ai/advisories/XEROD-2026-0002 |
| dani-garcia--vaultwarden | Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (1backup_eligible1 and 1backup_state flags1) based on unverified `authenticatorData` before signature validation is performed. An attacker who knows a user's password but cannot produce a valid WebAuthn signature can permanently modify the stored backup flags for that user's credential. If signature verification fails, the database update is not rolled back. This can result in a persistent denial of service of WebAuthn two-factor authentication for affected credentials. This issue has been fixed in version 1.35.5. | 2026-05-05 | not yet calculated | CVE-2026-31835 | https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-x7g7-cgx5-jhx2 https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.5 |
| Tunnelblick--Tunnelblick | Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in versions 9.0beta02. | 2026-05-05 | not yet calculated | CVE-2026-31893 | https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69 https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02 |
| sandboxie-plus--Sandboxie | Sandboxie is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a local denial of service vulnerability exists in the Sandboxie kernel driver. An unprivileged process running inside a Standard Sandbox can send a malformed IOCTL to the \Device\SandboxieDriverApi driver, triggering an immediate kernel crash (BSOD). The vulnerability affects the Standard Sandbox configuration both with and without dropped administrator privileges, but does not affect the Security Hardened Sandbox configuration. This issue has been fixed in version 1.17.3. Users who cannot update can use the Security Hardened Sandbox configuration as a workaround. | 2026-05-05 | not yet calculated | CVE-2026-32603 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-vvf8-cf4j-v8fv https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3 |
| ericmj--decimal | Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM. Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash. This issue affects decimal: from 0.1.0 before 3.0.0. | 2026-05-07 | not yet calculated | CVE-2026-32686 | https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v https://cna.erlef.org/cves/CVE-2026-32686.html https://osv.dev/vulnerability/EEF-CVE-2026-32686 https://github.com/ericmj/decimal/commit/6a523f3a73b8c9974540e21c7aa88f1258bb35ae |
| phoenixframework--phoenix | Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport's NDJSON body handling. In 'Elixir.Phoenix.Transports.LongPoll':publish/4, when a POST request is received with Content-Type: application/x-ndjson, the request body is split on newline characters using String.split/2 with no limit on the number of resulting segments. An attacker can send a body consisting entirely of newline bytes, causing a 1:1 amplification into a list of empty binaries - a 1 MB body produces approximately one million list elements, an 8 MB body approximately 8.4 million. Each element is then walked by Enum.map, materializing another list of the same size. This exhausts BEAM memory and schedulers, crashing the node and terminating all active sessions. A session token required to reach the vulnerable endpoint is freely obtainable by any client via an unauthenticated GET request to the same URL with a matching Origin header, making this attack effectively unauthenticated. This issue affects phoenix: from 1.7.0 before 1.7.22 and 1.8.6. | 2026-05-05 | not yet calculated | CVE-2026-32689 | https://github.com/phoenixframework/phoenix/security/advisories/GHSA-628h-q48j-jr6q https://cna.erlef.org/cves/CVE-2026-32689.html https://osv.dev/vulnerability/EEF-CVE-2026-32689 https://github.com/phoenixframework/phoenix/commit/1a67c61ff9ce0a7711662ac7354861917a7c80f7 https://github.com/phoenixframework/phoenix/commit/912ea181fd247c21dbcc49fb97d0053b947d81bf |
| NeoRazorX--facturascripts | FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable. | 2026-05-05 | not yet calculated | CVE-2026-32699 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3 |
| HP, Inc--Samsung Print Service Plugin | Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities. | 2026-05-06 | not yet calculated | CVE-2026-3291 | https://support.hp.com/us-en/document/ish_14864662-14864690-16/hpsbgn04093 |
| coredns--coredns | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist. | 2026-05-05 | not yet calculated | CVE-2026-32934 | https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5 https://github.com/coredns/coredns/releases/tag/v1.14.3 |
| coredns--coredns | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3. | 2026-05-05 | not yet calculated | CVE-2026-32936 | https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr https://github.com/coredns/coredns/releases/tag/v1.14.3 |
| Apache Software Foundation--Apache HTTP Server | A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue. | 2026-05-04 | not yet calculated | CVE-2026-33006 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue. | 2026-05-04 | not yet calculated | CVE-2026-33007 | https://httpd.apache.org/security/vulnerabilities_24.html |
| lepture--mistune | In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. In both the double-quoted and single-quoted branches, a backslash followed by punctuation can be matched either as an escaped punctuation sequence or as two ordinary characters, creating an ambiguous pattern inside a repeated group. If an attacker supplies Markdown containing repeated ! sequences with no closing quote, the regex engine explores an exponential number of backtracking paths. This is reachable through normal Markdown parsing of inline links and block link reference definitions. A small crafted input can therefore cause significant CPU consumption and make applications using Mistune unresponsive. | 2026-05-06 | not yet calculated | CVE-2026-33079 | https://github.com/lepture/mistune/security/advisories/GHSA-8mp2-v27r-99xp https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L20-L25 |
| Cradle--e-commerce | Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the 'returnUrl' parameter allows redirection because the web application accepts a URL as a parameter without properly validating it. As a result, it is possible to redirect users from the legitimate website to external pages. An attacker could exploit this vulnerability to deceive users and redirect them from a trusted URL to a malicious one without their knowledge. | 2026-05-08 | not yet calculated | CVE-2026-3318 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cradle-e-commerce |
| coredns--coredns | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3 writer's TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3. | 2026-05-05 | not yet calculated | CVE-2026-33190 | https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh https://github.com/coredns/coredns/releases/tag/v1.14.3 |
| dataease--SQLBot | SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. This issue has been fixed in version 1.7.1. | 2026-05-05 | not yet calculated | CVE-2026-33324 | https://github.com/dataease/SQLBot/security/advisories/GHSA-q2q6-gqqh-4xrx |
| dani-garcia--vaultwarden | Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing the has_full_access() authorization check that exists on the sibling get_org_collections endpoint. This allows any Manager-role user with accessAll=False and no collection assignments to retrieve the names, UUIDs, user-to-collection mappings, and group-to-collection mappings for all collections in the organization. This issue has been fixed in version 1.35.5. | 2026-05-05 | not yet calculated | CVE-2026-33420 | https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-jjxg-p3v6-52ww https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.5 |
| coredns--coredns | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., "example.org." > "a.example.org." lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3. | 2026-05-05 | not yet calculated | CVE-2026-33489 | https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3 https://github.com/coredns/coredns/releases/tag/v1.14.3 |
| Apache Software Foundation--Apache HTTP Server | HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-33523 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Open Notebook--Open Notebook | Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and subsequently OS commands) on the docker container via Server-Side Template Injection (SSTI) for user-created transformations. | 2026-05-07 | not yet calculated | CVE-2026-33587 | https://github.com/lfnovo/open-notebook/security/advisories/GHSA-f35w-wx37-26q7 |
| Open Notebook--Open Notebook | Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the docker container via path traversal. | 2026-05-07 | not yet calculated | CVE-2026-33588 | https://github.com/lfnovo/open-notebook/security/advisories/GHSA-x4q2-89g5-594v |
| Open Notebook--Open Notebook | Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to access local files content from the docker container via path traversal. | 2026-05-07 | not yet calculated | CVE-2026-33589 | https://github.com/lfnovo/open-notebook/security/advisories/GHSA-842v-h4cj-r646 |
| Go standard library--net | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. | 2026-05-07 | not yet calculated | CVE-2026-33811 | https://go.dev/issue/78803 https://go.dev/cl/767860 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4981 |
| golang.org/x/net--golang.org/x/net/http2 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. | 2026-05-07 | not yet calculated | CVE-2026-33814 | https://go.dev/cl/761581 https://go.dev/cl/761640 https://go.dev/issue/78476 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4918 |
| Apache Software Foundation--Apache HTTP Server | Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-33857 | https://httpd.apache.org/security/vulnerabilities_24.html |
| twentyhq--twenty | Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex form (e.g., ::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe), but the isPrivateIp utility only recognizes the dotted-decimal notation. As a result, the hex form passes the SSRF check unchecked. Additionally, the socket lookup validation event does not fire for IP literal addresses, bypassing the second validation layer. An authenticated user can reach any internal IP, including cloud metadata endpoints, to exfiltrate credentials such as IAM keys. | 2026-05-05 | not yet calculated | CVE-2026-33975 | https://github.com/twentyhq/twenty/security/advisories/GHSA-vrcj-hv2q-c58m |
| Apache Software Foundation--Apache HTTP Server | Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-34032 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-34059 | https://httpd.apache.org/security/vulnerabilities_24.html |
| PHPOffice--PhpSpreadsheet | PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0. | 2026-05-05 | not yet calculated | CVE-2026-34084 | https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-q4q6-r8wh-5cgh |
| www[.]gambio[.]com--Gambio 4.9.2.0 | An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known. | 2026-05-05 | not yet calculated | CVE-2026-34408 | https://www.gambio.de/forum/threads/wichtiges-security-update-2024-02-v1-0-fuer-gx4-v4-0-0-0-bis-v4-9-2-0.50896/ https://herolab.usd.de/security-advisories/usd-2024-0002/ |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions (EditAdminOnly and ConfigPassword) and inject arbitrary directives into the global Sandboxie.ini configuration file. The background service skips authorization checks for IPC messages targeting sections beginning with UserSettings_, but does not sanitize CRLF characters in either the value parameter (via MSGID_SBIE_INI_ADD_SETTING) or the setting name parameter (via MSGID_SBIE_INI_SET_SETTING). An attacker can inject a new sandbox section header with unrestricted permissions, enabling sandbox escape and SYSTEM privilege escalation. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34458 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-6xqg-2cjq-95qf https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3 |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler contains two vulnerabilities that can be chained for sandbox escape. First, when a sandboxed process sends an IPC request with cbSize set to 0, up to 32KB of uninitialized stack memory from the service process is returned, leaking return addresses and stack cookies which bypass ASLR and /GS protections. Second, the handler performs a memcpy with an attacker-controlled length without verifying it fits within the 32KB stack buffer, enabling a stack buffer overflow. By chaining the information leak with the overflow, a sandboxed process can execute a ROP chain to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent the ROP chain execution but do not mitigate the information leak. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34459 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-7cpc-5hv7-rfmh |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieIniServer RunSbieCtrl handler contains a stack buffer overflow. The MSGID_SBIE_INI_RUN_SBIE_CTRL message is handled before normal sandbox and impersonation checks, and for non-sandboxed callers, the handler copies the trailing message payload into a fixed-size WCHAR ctrlCmd[128] stack buffer using memcpy without verifying the length fits within the buffer. The service pipe is created with a NULL DACL, allowing any local interactive process to connect and send an oversized payload to overflow the stack. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34461 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-wpjw-jh2p-gwx7 |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR boxname[34] field from request structures into WCHAR[40] stack buffers using wcscpy without verifying null termination. Because the service pipe accepts variable-length packets larger than the request structure, an attacker can fill the boxname field with non-zero data and append additional controlled wide characters after the structure. wcscpy then reads past the fixed field and overflows the destination stack buffer. The service pipe is created with a NULL DACL, allowing any local process to connect, and the unsafe copy occurs before authorization checks. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34462 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-9cjg-vh9m-hhx4 |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. The handler only enforces a minimum packet size, and since the service pipe accepts variable-length messages, a sandboxed caller can fill the server[48] field with non-zero data and append additional controlled wide characters after the structure. wcscat then reads past the fixed field and overflows the stack buffer in the SYSTEM service. This message is restricted to sandboxed callers, making it a sandbox escape vector. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34464 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-cf8x-f33g-vwfg |
| www[.]zte[.]com--Routers H8102E, H168N, H167A, H199A and more | Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. A denial-of-service condition can be triggered against the router's web interface by sending an oversized application/x-www-form-urlencoded POST body. After triggering, the management interface may become unresponsive until the device is rebooted. This may affect any firmware version prior to 2022 (reporter observation). The supplier stated that devices are not vulnerable since 2021-03-23; operator firmware may vary. | 2026-05-06 | not yet calculated | CVE-2026-34473 | https://www.zte.com.cn/global/ https://gist.github.com/minanagehsalalma/7a8516b9b00d0008f2f25750320560c9 |
| www[.]zte[.]com--Routers ZTE ZXHN H298A 1.1 and H108N 2.6 | Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. In affected builds, the response may include the administrator password and WLAN PSK, enabling authentication bypass and network compromise. Some firmware versions may expose only partial identifiers (e.g., serial number, ESSID, MAC addresses). | 2026-05-06 | not yet calculated | CVE-2026-34474 | https://www.zte.com.cn/global/ https://gist.github.com/minanagehsalalma/7a8516b9b00d0008f2f25750320560c9 |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword converts a SHA-1 digest to hexadecimal incorrectly. The high nibble of each byte is shifted right by 8 instead of 4, which always produces zero for an 8-bit value. As a result, the stored EditPassword hash only preserves the low nibble of each digest byte, reducing the effective entropy from 160 bits to 80 bits. This is layered on top of an unsalted SHA-1 scheme. The reduced entropy makes leaked or backed-up password hashes materially easier to brute-force. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34527 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w37h-qm9p-h4x2 |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by SbieSvc but stages files in the user-writable %TEMP%\sandboxie-updater directory. After UpdUtil verifies file hashes against the signed addon manifest, install.bat extracts files.cab and executes config.exe from its contents. Between hash verification and extraction, an unprivileged user can replace files.cab with a crafted cabinet containing a malicious executable, which is then run as SYSTEM. No UAC prompt is required. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34596 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-xjvp-63f2-v585 |
| ASUS--ASUS System Control Interface | An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS System Control Interface allows a local user to cause system crash (BSOD) via a read size that exceeds the buffer size.Refer to the ' Security Update for MyASUS ' section on the ASUS Security Advisory for more information. | 2026-05-08 | not yet calculated | CVE-2026-3508 | https://www.asus.com/security-advisory |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue. | 2026-05-05 | not yet calculated | CVE-2026-35192 | Django security archive Django releases announcements Django security releases issued: 6.0.5 and 5.2.14 |
| jupyter-server--jupyter_server | Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the root_dir. For example, with a root_dir named "test", the API permits access to a sibling directory named "testtest" through a crafted request to the /api/contents endpoint using encoded path components. An attacker can read, write, and delete files in affected sibling directories. Multi-tenant deployments using predictable naming schemes are particularly at risk, as a user with a directory named "user1" could access directories for user10 through user19 and beyond. A user who can choose a single-character folder name could gain access to a significant number of sibling directories. Version 2.18.0 contains a fix. As a workaround, ensure folder names do not share a common prefix with any sibling directory. | 2026-05-05 | not yet calculated | CVE-2026-35397 | https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3 |
| PHPOffice--PhpSpreadsheet | PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. | 2026-05-05 | not yet calculated | CVE-2026-35453 | https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6wpp-88cp-7q68 |
| lxc--incus | Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The imgPostURLInfo function constructs and sends a HEAD request directly from the attacker-supplied source URL to resolve image metadata, and this network interaction occurs before the flow reaches the point where the import would be rejected by policy. Although the actual image download is blocked by the project restriction, an authenticated user can coerce the daemon into making blind HEAD requests to arbitrary destinations. These requests include server metadata in custom headers (Incus-Server-Architectures, Incus-Server-Version), which discloses information about the host environment to the attacker-controlled endpoint. This blind SSRF primitive can be used to probe internal services, unroutable address space, or cloud metadata endpoints reachable from the host. This vulnerability pattern is similar to CVE-2026-24767. This issue has been fixed in version 7.0.0. | 2026-05-05 | not yet calculated | CVE-2026-35527 | https://github.com/lxc/incus/security/advisories/GHSA-8gw4-p4wq-4hcv https://github.com/lxc/incus/blob/v6.22.0/cmd/incusd/images.go |
| coredns--coredns | CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary. An unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name. This issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only. | 2026-05-05 | not yet calculated | CVE-2026-35579 | https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9 |
| n/a--Webkul Krayin CRM v2.1.5 | Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint | 2026-05-07 | not yet calculated | CVE-2026-36341 | https://github.com/krayin/laravel-crm/releases/tag/v2.1.6 https://github.com/krayin/laravel-crm/pull/2401 https://drive.google.com/file/d/1Y_WjD4Tiq_z7zQUlddFCFMDoyyN300r9/view https://cyber.spool.co.jp/vulnerabilities/cve-2026-36341/ https://github.com/cybercrewinc/CVE-2026-36341 |
| www[.]Realtek[.]com--Realtek rtl819x Jungle SDK | The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioctl 0x89F6) debug handlers, which are compiled into production builds via the unconditionally defined _IOCTL_DEBUG_CMD_ macro in 8192cd_cfg.h | 2026-05-05 | not yet calculated | CVE-2026-36355 | http://realtek.com https://github.com/totekuh/CVE-2026-36355 |
| https://en[.]meigsmart[.]com-- MeiG Smart FORGE_SLT711 devices | The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint. | 2026-05-05 | not yet calculated | CVE-2026-36356 | http://forgeslt711.com http://meig.com https://github.com/totekuh/CVE-2026-36356 |
| n/a--Juzaweb CMS v.5.0.0 | Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute arbitrary code via a crafted script to the Add Banner Ads function | 2026-05-06 | not yet calculated | CVE-2026-36358 | https://juzaweb.com/ http://juzaweb.com https://gist.github.com/yuhuamiao/2c984b2d7f2adb90020818f9308b5862 |
| n/a--Lymphatus caesium-image-compressor | An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp | 2026-05-04 | not yet calculated | CVE-2026-36365 | https://github.com/Lymphatus/caesium-image-compressor https://github.com/Lymphatus/caesium-image-compressor/blob/main/src/utils/PostCompressionActions.cpp https://github.com/Lymphatus/caesium-image-compressor/pull/376 https://github.com/mertsatilmaz/vulnerability-research/blob/main/advisories/CVE-2026-36365.md |
| codeastro[.]com-- CODEASTRO MMS v1.0 | A Remote Code Execution vulnerability was found in CODEASTRO Membership Management System v1.0 in /add_members.php. This vulnerability affects the file upload functionality, where improper file sanitization allows attackers to inject malicious files which leads RCE. | 2026-05-07 | not yet calculated | CVE-2026-36387 | http://codeastro.com https://github.com/raneishajustin/CVE/tree/main/CVE-2026-36387 |
| n/a--PHPGurukal Hospital Management System v4.0 | A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to inject a malicious script payload into the User Name parameter, which is stored in the application and later rendered in the doctor s interface. | 2026-05-07 | not yet calculated | CVE-2026-36388 | http://phpgurukal.com https://github.com/raneishajustin/CVE/tree/main/CVE-2026-36388 |
| n/a--ChestnutCMS v1.5.10 | ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered. | 2026-05-07 | not yet calculated | CVE-2026-36458 | https://github.com/liweiyi/ChestnutCMS.git https://github.com/errors11/CVE/blob/main/CVE-2026-36458.md |
| n/a--Beauty Parlour Management System v1.1 | Beauty Parlour Management System v1.1 was discovered to contain a SQL injection vulnerability via the aptnumber parameter in the /appointment-detail.php endpoint. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement. | 2026-05-08 | not yet calculated | CVE-2026-37431 | https://github.com/Y4y17/CVE/blob/main/Beauty%20Parlour%20Management%20System/SQL%20Injection-2.md |
| n/a--FRRouting (FRR) | Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message. | 2026-05-04 | not yet calculated | CVE-2026-37458 | https://github.com/FRRouting/frr/commit/8102a8aeceb9f86fdfe1f80cd77080522bab69c8 https://github.com/mertsatilmaz/vulnerability-research/blob/main/advisories/CVE-2026-36365.md |
| n/a--FRRouting (FRR) | An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | 2026-05-04 | not yet calculated | CVE-2026-37459 | https://github.com/FRRouting/frr/commit/693a2e02687cdc9d16501275e05136edea9650d9 |
| n/a--ParseIP6Extended | An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | 2026-05-04 | not yet calculated | CVE-2026-37461 | https://github.com/osrg/gobgp/blob/v4.3.0/pkg/packet/bgp/bgp.go https://github.com/osrg/gobgp/commit/362cce3e325f56e7a4f792ccb9689b3bdda9e682 https://github.com/osrg/gobgp/commit/9ce8936672ebc07df524da77fa4c6ae26d92be6d |
| grok[.]com-- grokability snipe-it v.8.4.0 | Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component | 2026-05-07 | not yet calculated | CVE-2026-37709 | https://github.com/grokability/snipe-it/commit/676a9958895a77de340565e7a0b17ae744664904 https://github.com/grokability/snipe-it/security/advisories/GHSA-xg82-2hrv-hf64 |
| n/a--fohrloop dash-uploader v.0.1.0 | Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, aseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components | 2026-05-08 | not yet calculated | CVE-2026-38360 | https://github.com/fohrloop/dash-uploader https://pypi.org/project/dash-uploader/ https://github.com/fohrloop/dash-uploader/blob/stable/dash_uploader/httprequesthandler.py https://github.com/fohrloop/dash-uploader/blob/dev/dash_uploader/httprequesthandler.py https://github.com/fohrloop/dash-uploader/issues/153 https://github.com/a1ohadance/CVE-2026-38360 |
| n/a--fohrloop dash-uploader v.0.1.0 | An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components | 2026-05-08 | not yet calculated | CVE-2026-38361 | https://github.com/fohrloop/dash-uploader https://pypi.org/project/dash-uploader/ https://github.com/fohrloop/dash-uploader/blob/stable/dash_uploader/httprequesthandler.py https://github.com/fohrloop/dash-uploader/issues/153 https://pypistats.org/packages/dash-uploader https://libraries.io/pypi/dash-uploader https://pepy.tech/project/dash-uploader https://docs.python.org/3/library/functions.html#all https://github.com/a1ohadance/CVE-2026-38361 |
| n/a--Kestra v1.3.3 | Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query. | 2026-05-05 | not yet calculated | CVE-2026-38428 | https://www.link.com https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x |
| n/a--OpenCMS v20 | OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml. | 2026-05-05 | not yet calculated | CVE-2026-38429 | https://github.com/alkacon/opencms-core/commit/e3e41e5a96d71383279e7d23c627efc9934008c1 |
| n/a--ERPNext v15.103.1 | ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered. | 2026-05-05 | not yet calculated | CVE-2026-38431 | https://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-engine |
| n/a--ERPNext v15.103.1 | ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied. | 2026-05-05 | not yet calculated | CVE-2026-38432 | https://c0wking.hashnode.dev/stored-xss-in-erpnext-frappe-email-template-engine |
| n/a--wCMS v.1.4 | wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog. | 2026-05-04 | not yet calculated | CVE-2026-38669 | https://github.com/thv930/yumeng_wu/tree/main/1/readme.md |
| n/a--OpenSTAManager version 2.10 | OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php) | 2026-05-04 | not yet calculated | CVE-2026-38751 | https://github.com/devcode-it/openstamanager https://github.com/fuutianyii/poc |
| n/a--FluentCMS 1.2.3 | FluentCMS 1.2.3 is vulnerable to Cross Site Scripting (XSS) in TextHTML plugin. | 2026-05-05 | not yet calculated | CVE-2026-38947 | https://github.com/fluentcms/FluentCMS/issues/2405 |
| n/a--GPAC | Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute() | 2026-05-05 | not yet calculated | CVE-2026-39103 | https://github.com/gpac/gpac/issues/3506 https://github.com/gpac/gpac/commit/391dc7f4d234988ea0bc3cc294eb725eddf8f702 |
| gotenberg--gotenberg | Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are empty (the default configuration), it returns nil unconditionally and permits any URL. This is a blind SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code is an error, but never returns the target's response body to the attacker. An attacker can use this to probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm reachability of cloud metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying each probe. This issue has been fixed in version 8.31.0. As a workaround, configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook URLs to known receivers, or set GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC-1918 and link-local address ranges. | 2026-05-05 | not yet calculated | CVE-2026-39383 | https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5vh4-rgv7-p9g4 |
| lxc--lxc | lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a deletion request, the interface name comparison can set the authorization flag based on a name match alone, even when the ownership, type, and link fields in that database entry belong to a different user. The vulnerable check sits after the goto next label handling, meaning it is reachable on lines where earlier ownership checks failed or were skipped. Because nothing downstream of this authorization signal re-verifies that the matched database line actually belongs to the caller, an unprivileged attacker with a valid lxc-usernet policy entry can trigger deletion of another user's OVS port on the same bridge. This is limited to multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. The impact is denial of service - one tenant can repeatedly disconnect networking from containers run by another tenant on shared infrastructure. This is patched in version 7.0.0. | 2026-05-05 | not yet calculated | CVE-2026-39402 | https://github.com/lxc/lxc/security/advisories/GHSA-3m9j-g9gc-vcvq |
| Apache Software Foundation--Apache NiFi | The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Script execution in the service prior to submitting the query. The missing Restricted annotation allows users without the Execute Code Permission to configure the Service in installations that use fine-grained authorization and have the optional TinkerpopClientService installed. Apache NiFi installations that do not have the nifi-other-graph-services-nar installed are not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation. | 2026-05-08 | not yet calculated | CVE-2026-39816 | https://lists.apache.org/thread/gh9g7xwvv4l20gzff6q3367snf35ctcb |
| Go toolchain--cmd/go | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem. | 2026-05-07 | not yet calculated | CVE-2026-39817 | https://go.dev/issue/78778 https://go.dev/cl/767520 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4979 |
| Go toolchain--cmd/go | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink. | 2026-05-07 | not yet calculated | CVE-2026-39819 | https://go.dev/issue/78584 https://go.dev/cl/763882 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4978 |
| Go standard library--net/mail | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. | 2026-05-07 | not yet calculated | CVE-2026-39820 | https://go.dev/issue/78566 https://go.dev/cl/759940 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4986 |
| Go standard library--html/template | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS. | 2026-05-07 | not yet calculated | CVE-2026-39823 | https://go.dev/issue/78913 https://go.dev/cl/769920 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4982 |
| Go standard library--net/http/httputil | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function. | 2026-05-07 | not yet calculated | CVE-2026-39825 | https://go.dev/cl/770541 https://go.dev/issue/78948 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4976 |
| Go standard library--html/template | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block. | 2026-05-07 | not yet calculated | CVE-2026-39826 | https://go.dev/issue/78981 https://go.dev/cl/771180 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4980 |
| Go standard library--net | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | 2026-05-07 | not yet calculated | CVE-2026-39836 | https://go.dev/issue/79006 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://go.dev/cl/775320 https://pkg.go.dev/vuln/GO-2026-4971 |
| pi-hole--FTL | Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1. | 2026-05-05 | not yet calculated | CVE-2026-39849 | https://github.com/pi-hole/FTL/security/advisories/GHSA-9cqv-839p-gpq2 https://github.com/pi-hole/FTL/commit/0c46e4ec7fe57f762fce261625f2cf5d43806e6d https://github.com/pi-hole/FTL/releases/tag/v6.6.1 |
| quarkusio--quarkus | Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2. | 2026-05-05 | not yet calculated | CVE-2026-39852 | https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9 |
| Apache Software Foundation--Apache Wicket | Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue. | 2026-05-06 | not yet calculated | CVE-2026-40010 | https://lists.apache.org/thread/61wsc0xdtfd5oozojfx7by9w3jwgkmv1 |
| anthropics--claude-code | In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in `.claude/settings.json`. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84. | 2026-05-05 | not yet calculated | CVE-2026-40068 | https://github.com/anthropics/claude-code/security/advisories/GHSA-q5hj-mxqh-vv77 |
| openmrs--openmrs-core | OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a filesystem path from user-controlled input without performing path boundary validation - the getFile() method concatenates the user-supplied path into an absolute filesystem path without calling normalize() or checking that the result stays within the allowed module resources directory. Because this endpoint serves static resources required for rendering the login page, it is not protected by authentication filters, allowing unauthenticated exploitation. An attacker can traverse directories and read arbitrary files from the server filesystem, including /etc/passwd and application configuration files containing database credentials. Successful exploitation requires the target deployment to run on Apache Tomcat versions prior to 8.5.31, where the ..; path parameter bypass is not mitigated by the container. Deployments on Tomcat 8.5.31 or later and Tomcat 9.0.10 or later are protected at the container level, though the underlying code defect remains. This issue has been fixed in versions after 2.7.8 (within the 2.7.x branch) and in version 2.8.6 and later. | 2026-05-05 | not yet calculated | CVE-2026-40075 | https://github.com/openmrs/openmrs-core/security/advisories/GHSA-jjgj-cx3q-pw4w |
| openmrs--openmrs-core | OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic extraction of uploaded .omod archives in `WebModuleUtil.startModule()`, ZIP entries under web/module/ are checked only to see whether the full entry path starts with `..,` and the remaining path is then concatenated into the destination path without normalization or a boundary check. A crafted archive can therefore include entries such as `web/module/../../../../malicious.jsp` and cause files to be written outside the intended module directory. An authenticated attacker with module upload access can write arbitrary files to locations such as the web application root and achieve remote code execution by uploading a JSP file and then requesting it. The issue is compounded by the fact that the module.allow_web_admin runtime property is enforced in the legacy UI controller but not in the REST API upload path, so deployments relying on that property to block web-based module administration remain exposed through the REST endpoint. This issue has been fixed in versions after 2.7.8 in the 2.7.x line and in version 2.8.6 and later. | 2026-05-06 | not yet calculated | CVE-2026-40076 | https://github.com/openmrs/openmrs-core/security/advisories/GHSA-78fc-9688-w8xw |
| jupyter-server--jupyter_server | Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0. | 2026-05-05 | not yet calculated | CVE-2026-40110 | https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p https://github.com/jupyter-server/jupyter_server/pull/603 https://github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea https://github.com/jupyter-server/jupyter_server/commit/49b34392feaa97735b3b777e3baf8f22f2a14ed8 |
| jupyter--notebook | In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration. | 2026-05-06 | not yet calculated | CVE-2026-40171 | https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9 |
| MasaCMS--MasaCMS | Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations. An attacker can induce a logged-in administrator to submit a forged request that adds, modifies, or deletes user address records, including email addresses and phone numbers. This can be used to alter contact information, redirect organizational communications, and corrupt address data in the user directory. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, or deploy filtering rules to block forged requests to the affected endpoint | 2026-05-06 | not yet calculated | CVE-2026-40174 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-572m-p246-4356 |
| lxc--incus | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an authenticated user with access to the storage bucket feature to cause the Incus daemon to crash. The vulnerability is present in the backup metadata handling logic, where the daemon processes the index.yaml file from an imported archive and accesses members of the parsed backup configuration without first verifying that the configuration object was initialized. A malicious or malformed index.yaml that omits the config block causes a nil-pointer dereference during bucket import operations and terminates the daemon. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0. | 2026-05-06 | not yet calculated | CVE-2026-40195 | https://github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9 |
| lxc--incus | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The custom volume backup import subsystem contains a nil-pointer dereference vulnerability during import operations. In the snapshot import loop, the daemon iterates over entries from `srcBackup.Config.VolumeSnapshots` and assumes that each slice element is initialized, then dereferences fields such as `Name`, `Config`, `Description`, `CreatedAt`, and `ExpiresAt` without first validating the element itself. Because the yaml unmarshaler accepts explicit null array elements from an attacker-controlled index.yaml and converts them into nil pointers inside the slice, an attacker can supply a backup archive containing a null entry in the volume_snapshots array. This causes a nil-pointer dereference during custom volume import and terminates the daemon, resulting in denial of service on the affected node. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0. | 2026-05-06 | not yet calculated | CVE-2026-40197 | https://github.com/lxc/incus/security/advisories/GHSA-r7w7-mmxr-47r9 |
| lxc--incus | Incus is a system container and virtual machine manager. In versions before 7.0.0, broken TLS validation logic in the OVN database connection logic can allow connections to an attacker's OVN database. The OVN client implementations disable Go standard TLS server verification and replace it with custom peer-certificate verification logic. That replacement verifier does not anchor trust in the configured CA certificate. Instead, it constructs the verification root set from certificates supplied by the peer during the handshake, so the configured CA is parsed but not used as the trust anchor for the final verification decision. In OVN-enabled deployments that use these SSL database connection paths, an attacker able to impersonate or intercept the OVN endpoint on the management network can present a rogue self-signed certificate chain, and Incus will accept this certificate as valid. This issue defeats the intended CA-based trust model for OVN database connections and permits endpoint impersonation by an active attacker in a suitable network position. This issue is fixed in version 7.0.0. | 2026-05-06 | not yet calculated | CVE-2026-40243 | https://github.com/lxc/incus/security/advisories/GHSA-c839-4qxr-j4x3 https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_icnb.go https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_icsb.go https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_nb.go https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_sb.go |
| lxc--incus | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The backup restore subsystem contains an out-of-bounds panic vulnerability caused by an invalid bounds check when indexing snapshot metadata arrays, and the same flawed pattern also appears in the migration path. When iterating through physical snapshots provided in a backup archive, the loop uses the index to look up corresponding metadata in the parsed `Config.Snapshots` and `Config.VolumeSnapshots` slices. The guard condition `len(slice) >= i-1` is incorrect because it can still evaluate to true when the subsequent slice[i] access is out of bounds. An attacker can submit a backup archive that contains physical snapshot directories while supplying a tampered `index.yaml` with an empty or truncated snapshot metadata array, causing the daemon to index beyond the end of the metadata slice and crash. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0. | 2026-05-06 | not yet calculated | CVE-2026-40251 | https://github.com/lxc/incus/security/advisories/GHSA-4m88-wxj4-9qj6 https://github.com/lxc/incus/blob/v6.22.0/internal/server/storage/backend.go |
| gotenberg--gotenberg | Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/. This bypasses the same security control that was patched in CVE-2026-27018. This issue has been fixed in version 8.31.0. | 2026-05-05 | not yet calculated | CVE-2026-40280 | https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5q7p-7jgv-ww56 https://github.com/gotenberg/gotenberg/commit/3f01ca18d3cc21375a1e2da4b5a3f261c8548e47 https://github.com/advisories/GHSA-jjwv-57xh-xr6r |
| MasaCMS--MasaCMS | Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanently deletes all deleted content. This can cause irreversible data loss and disrupt recovery of content intended for restoration. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and maintain current database backups to recover from unauthorized deletion. | 2026-05-06 | not yet calculated | CVE-2026-40309 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-9f35-q62j-vm5j |
| MasaCMS--MasaCMS | Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the `cTrash.restore` function does not properly validate anti-CSRF tokens for content restoration requests. An attacker can trick a logged-in administrator to submit a forged request that restores deleted items from the trash and places them at an attacker-controlled location in the site structure through the parentid parameter. This can restore previously deleted malicious or outdated content, expose sensitive documents by moving them into publicly accessible locations, and disrupt site structure or content integrity. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and regularly empty the trash to reduce the amount of content available for unauthorized restoration. | 2026-05-06 | not yet calculated | CVE-2026-40325 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-3mpf-gq73-crxf |
| MasaCMS--MasaCMS | Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in `csettings.cfc` does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in administrator, triggers the silent creation of a comprehensive site bundle. This bundle is saved to a predictable, publicly accessible web directory. An unauthenticated attacker can then retrieve the bundle and obtain site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, remove unexpected bundle files from public directories, restrict access to the affected endpoint, and limit exposure of administrative sessions. | 2026-05-06 | not yet calculated | CVE-2026-40326 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-622v-h7vf-w4gm |
| MasaCMS--MasaCMS | Masa CMS is an open source content management system. In versions 7.5.2 and earlier, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's processing of the sortBy parameter. The application fails to properly sanitize or parameterize this input before incorporating it into dynamic SQL statements. An unauthenticated remote attacker can execute arbitrary SQL commands against the database, potentially gaining access to sensitive data, modifying or deleting records, or escalating privileges to administrative control. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, configure WAF rules to block malicious SQL patterns in the sortBy parameter sent to beanFeed.cfc. | 2026-05-05 | not yet calculated | CVE-2026-40329 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-3xpq-q494-8qq4 |
| MasaCMS--MasaCMS | Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's handling of the sortDirection parameter. The parameter value is concatenated directly into SQL queries without sanitization or parameterization. An unauthenticated remote attacker can exploit this to extract sensitive information, modify or delete database records, or potentially achieve remote code execution on the underlying database server. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, use a WAF to block or restrict access to the beanFeed.cfc component, or deploy rules to detect SQL injection patterns targeting the sortDirection parameter. | 2026-05-05 | not yet calculated | CVE-2026-40330 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-56cc-gxfr-hqp8 |
| MasaCMS--MasaCMS | Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or sanitization. This value is injected directly into a SQL FROM clause within feedGateway.cfc. An unauthenticated attacker can pass an arbitrary subquery into the altTable parameter to read sensitive data from any table in the database in a single HTTP request, including administrative credentials and password reset tokens. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, apply validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names, or disable the JSON API if it is not required. | 2026-05-05 | not yet calculated | CVE-2026-40331 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-jphh-r686-6w7j |
| MasaCMS--MasaCMS | Masa CMS is affected by an Open Redirect vulnerability due to improper handling of scheme-relative URLs. The application incorrectly interprets paths beginning with double slashes (//) as internal paths, failing to validate the redirect target before processing. The application treats these values as internal paths and processes them without confirming that the redirect target remains on the local site. An attacker can craft a URL on the trusted Masa CMS domain that redirects a victim to an external attacker-controlled site. This can be used for phishing and, in some authentication flows, may expose tokens or other sensitive data to the external site. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, reject or rewrite redirect parameters that begin with // and consider disabling forceDirectoryStructure if compatible with the deployment. | 2026-05-06 | not yet calculated | CVE-2026-40332 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-xw99-h3mw-wj47 |
| KAZEBURO--Gazelle | Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy. | 2026-05-06 | not yet calculated | CVE-2026-40562 | https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 https://security.metacpan.org/patches/G/Gazelle/0.49/CVE-2026-40562-r1.patch https://metacpan.org/release/KAZEBURO/Gazelle-0.50/changes |
| Apache Software Foundation--Apache Atlas | Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data Affect Version: This issue affects Apache Atlas: from 0.8 through 2.4.0. For the affect version >= 2.0, vulnerability is only when Atlas is deployed with below non-default configuration. atlas.dsl.executor.traversal=false Mitigation: Users are recommended to upgrade to version 2.5.0, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-40563 | https://lists.apache.org/thread/vd0oggmqxl2k1skm0z2f9p0plx7jhmfl |
| Apache Software Foundation--Apache OpenNLP | XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support - external entity resolution and DOCTYPE declarations remain fully enabled. An attacker who can supply a crafted dictionary file (e.g., a stop-word list or domain dictionary) containing a malicious DOCTYPE declaration can trigger local file disclosure via file:// entity references or server-side request forgery via http:// entity references during SAX parsing, before the application processes a single dictionary entry. This is inconsistent with the project's own XmlUtil.createSaxParser() helper, which correctly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl and is used by all other XML parsing paths in the codebase. The public Dictionary(InputStream) constructor delegates directly to this method and is the documented API for loading user-supplied dictionaries, making untrusted input a realistic scenario. Mitigation: 2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. Users who cannot upgrade immediately should ensure that all dictionary files are sourced from trusted origins and should consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration before it reaches the parser. | 2026-05-04 | not yet calculated | CVE-2026-40682 | https://lists.apache.org/thread/r6jpt0qr9nj67gqhppqg7jxf8vsbo0w6 |
| jupyter-server--jupyter_server | Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0. | 2026-05-05 | not yet calculated | CVE-2026-40934 | https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f |
| josdejong--mathjs | Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0. | 2026-05-07 | not yet calculated | CVE-2026-41139 | https://github.com/josdejong/mathjs/security/advisories/GHSA-5v89-rwgr-qj6g https://github.com/josdejong/mathjs/pull/3656 https://github.com/josdejong/mathjs/commit/0aee2f61866e35ffa0aef915221cdf6b026ffdd4 https://github.com/josdejong/mathjs/commit/bcf0da46f0b8577ec03c9ecd7bff8b5c2543a611 https://github.com/josdejong/mathjs/releases/tag/v15.2.0 |
| Sync-in--server | Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0. | 2026-05-08 | not yet calculated | CVE-2026-41161 | https://github.com/Sync-in/server/security/advisories/GHSA-43fj-qp3h-hrh5 https://github.com/Sync-in/server/releases/tag/v2.2.0 |
| containers--bubblewrap | bubblewrap is a low-level unprivileged sandboxing tool. From version 0.11.0 to before version 0.11.2, if bubblewrap is installed in setuid mode then the user can use ptrace to attach to bubblewrap and control the unprivileged part of the sandbox setup phase. This allows the attacker to arbitrarily use the privileged operations, and in particular the "overlay mount" operation, allowing the creation of overlay mounts which is otherwise not allowed in the setuid version of bubblewrap. This issue has been patched in version 0.11.2. | 2026-05-09 | not yet calculated | CVE-2026-41163 | https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp https://github.com/containers/bubblewrap/releases/tag/v0.11.2 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0. | 2026-05-07 | not yet calculated | CVE-2026-41202 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xp9f-pvvc-57p4 https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0. | 2026-05-07 | not yet calculated | CVE-2026-41203 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xv3r-vr59-95rg https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0 |
| WatchGuard Technologies--WatchGuard Agent | Stack-based Buffer Overflow vulnerability in the WatchGuard Agent discovery service on Windows allows Overflow Buffers. An unauthenticated attacker on the same local network could exploit this vulnerability to crash the agent service. | 2026-05-06 | not yet calculated | CVE-2026-41286 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00011 |
| WatchGuard--WatchGuard Agent | Stack-based Buffer Overflow vulnerability in the WatchGuard Agent discovery service on Windows allows Overflow Buffers. An unauthenticated attacker on the same local network could exploit this vulnerability to crash the agent service. | 2026-05-06 | not yet calculated | CVE-2026-41287 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00010 |
| WatchGuard--WatchGuard Agent | Incorrect permission assignment for a resource in the patch management component of the WatchGuard Agent on Windows allows an authenticated local user to elevate their privileges to NT AUTHORITY\\SYSTEM. | 2026-05-06 | not yet calculated | CVE-2026-41288 | https://www.watchguard.com/wgrd-psirt/advisory/WGSA-2026-00011 |
| angular--angular | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering (SSR). When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine (Express, etc.) passes the URL string to Angular's rendering functions. Because the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked to believe the current origin is evil.com. This misinterpretation tricks the application into treating the attacker's domain as the local origin. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This issue has been patched in versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8. | 2026-05-08 | not yet calculated | CVE-2026-41423 | https://github.com/angular/angular/security/advisories/GHSA-45q2-gjvg-7973 https://github.com/angular/angular/pull/68194 https://github.com/angular/angular/commit/ede7c58a2aa13fdccc8f0b67ce93ba1c11749412 |
| ray-project--ray | Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0. | 2026-05-08 | not yet calculated | CVE-2026-41486 | https://github.com/ray-project/ray/security/advisories/GHSA-mw35-8rx3-xf9r https://github.com/ray-project/ray/pull/62056 https://github.com/ray-project/ray/commit/c02bd31ae31996805868baa446a131a8d304525f https://github.com/ray-project/ray/releases/tag/ray-2.55.0 |
| langfuse--langfuse | Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role "member" in a project could request the update of an existing LLM connection to an attacker-controlled baseUrl, causing Langfuse to reuse the stored provider secret and redirect the test request to an attacker-controlled endpoint. This could expose the plaintext provider LLM API key for that connection. The attack is only possible if a user is already part of a project and has "member" scoped access. This issue has been patched in version 3.167.0. | 2026-05-08 | not yet calculated | CVE-2026-41487 | https://github.com/langfuse/langfuse/security/advisories/GHSA-2524-j966-gfgh https://github.com/langfuse/langfuse/pull/13027 https://github.com/langfuse/langfuse/pull/13055 https://github.com/langfuse/langfuse/commit/7527bb0d84bc0a3dc24a4b16d22ed2e46e6dddff https://github.com/langfuse/langfuse/commit/e12386f9d4368bbfff24a4ad7fd53641091605ff https://github.com/langfuse/langfuse/releases/tag/v3.167.0 |
| lsegal--yard | YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. This issue has been patched in version 0.9.42. | 2026-05-08 | not yet calculated | CVE-2026-41493 | https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj https://github.com/lsegal/yard/releases/tag/v0.9.42 |
| CROSS-signature--CROSS-implementation | CROSS implementation contains reference and optimized implementations of the CROSS post-quantum signature algorithm. Prior to commit fc6b7e7, there is a buffer overflow in crypto_sign_open() caused by an underflow of the integer mlen. This issue has been patched via commit fc6b7e7. | 2026-05-08 | not yet calculated | CVE-2026-41509 | https://github.com/CROSS-signature/CROSS-implementation/security/advisories/GHSA-w72c-hgx8-p7cv https://github.com/CROSS-signature/CROSS-implementation/commit/fc6b7e78cdf789bb5c395a81dc601356f1383da0 |
| emlog--emlog | Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11. | 2026-05-08 | not yet calculated | CVE-2026-41517 | https://github.com/emlog/emlog/security/advisories/GHSA-8qwx-6jx6-94x4 |
| nhost--nhost | Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.49.1, Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The vulnerability is that several provider adapters do not correctly populate this field they either silently drop a verified field the provider API actually returns (Discord), or they fall back to accepting unconfirmed emails and marking them as verified (Bitbucket). Two Microsoft providers (AzureAD, EntraID) derive the email from non-ownership-proving fields like the user principal name, then mark it verified. The result is that an attacker can present an email they don't own to Nhost, have the OAuth identity merged into the victim's account, and receive a full authenticated session. This issue has been patched in version 0.49.1. | 2026-05-08 | not yet calculated | CVE-2026-41574 | https://github.com/nhost/nhost/security/advisories/GHSA-6g38-8j4p-j3pr https://github.com/nhost/nhost/pull/4162 https://github.com/nhost/nhost/commit/ec8dab3f2cf46e1131ddaf893d56c37aa00380b2 https://github.com/nhost/nhost/releases/tag/auth%400.49.1 |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes. In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also crate a consensus split. This issue has been patched in zebrad version 4.3.1 and zebra-script version 5.0.2. | 2026-05-08 | not yet calculated | CVE-2026-41583 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2. | 2026-05-08 | not yet calculated | CVE-2026-41584 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-452v-w3gx-72wg |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2. | 2026-05-08 | not yet calculated | CVE-2026-41585 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w |
| hyperledger--fabric | Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches. | 2026-05-07 | not yet calculated | CVE-2026-41586 | https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7 https://hyperledger.github.io/fabric-gateway |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP. This issue has been patched in version 0.31.7.0. | 2026-05-07 | not yet calculated | CVE-2026-41587 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fw49-9xq4-gmx6 https://github.com/ci4-cms-erp/ci4ms/commit/b969465e71eacd9eb57014ad1fce1fc34fa7bca0 |
| monetr--monetr | monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream responses reflected back in the API error message. This issue has been patched in version 1.12.5. | 2026-05-07 | not yet calculated | CVE-2026-41644 | https://github.com/monetr/monetr/security/advisories/GHSA-29v9-frvh-c426 https://github.com/monetr/monetr/pull/3122 https://github.com/monetr/monetr/commit/c260caa3c573a4a396ec2d264c7641a5d958385b https://github.com/monetr/monetr/releases/tag/v1.12.5 |
| lxc--incus | Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This was making it easy for an authenticated user to provide a crafted image or backup tarball that when parsed by Incus would lead to a very large YAML document being loaded into memory, potentially causing the entire server to run out of memory. This issue has been patched in version 7.0.0. | 2026-05-07 | not yet calculated | CVE-2026-41648 | https://github.com/lxc/incus/security/advisories/GHSA-67wx-r9xr-x75x https://github.com/lxc/incus/releases/tag/v7.0.0 |
| alam00000--bentopdf | BentoPDF is a client-side PDF toolkit that is self hostable. Prior to version 2.8.3, a cross-site scripting vulnerability was identified in BentoPD. An attacker may be able to execute arbitrary JavaScript in certain circumstances in Markdown to PDF Tool. This issue has been patched in version 2.8.3. | 2026-05-07 | not yet calculated | CVE-2026-41653 | https://github.com/alam00000/bentopdf/security/advisories/GHSA-6vh8-4frx-647f https://github.com/alam00000/bentopdf/releases/tag/v2.8.3 |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/<name>.json contains an attacker-chosen repo URL pointing at a private address (e.g. http://127.0.0.1:9999/) or using a non-allow-listed scheme (e.g. file://, git://). Weblate persists the component via Component.objects.bulk_create([component])[0], which bypasses Django's full_clean() and therefore never runs the validate_repo_url validator. The URL is subsequently written verbatim into .git/config by configure_repo(pull=False). This issue has been patched in version 5.17.1. | 2026-05-07 | not yet calculated | CVE-2026-41654 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-cwcx-382v-8m9g https://github.com/WeblateOrg/weblate/pull/19061 https://github.com/WeblateOrg/weblate/pull/19062 https://github.com/WeblateOrg/weblate/commit/e1eff1f517c1ee315d69581910baaabb724e5ef0 https://github.com/WeblateOrg/weblate/commit/e4b67a76d95d5165ecb9937f7485fd79223b7f14 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1 |
| xmldom--xmldom | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13. | 2026-05-07 | not yet calculated | CVE-2026-41672 | https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8 https://github.com/xmldom/xmldom/pull/987 https://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7 https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1 https://github.com/xmldom/xmldom/releases/tag/0.8.13 https://github.com/xmldom/xmldom/releases/tag/0.9.10 |
| xmldom--xmldom | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13. | 2026-05-07 | not yet calculated | CVE-2026-41673 | https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw https://github.com/xmldom/xmldom/commit/17678a2a73ecbd1a2da90f3d47dc23da9cef81aa https://github.com/xmldom/xmldom/commit/291257493cb0eb6980eda83b162a9c4e6d7d2597 https://github.com/xmldom/xmldom/commit/2d6d6916ed8a4c223db1f6d7560ab4544c465b0f https://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe https://github.com/xmldom/xmldom/commit/8834218c85ac2a4d757b9587c9028e67c2f7b6c3 https://github.com/xmldom/xmldom/commit/8b7cfd1491314abdc347261921d7334ff15f7112 https://github.com/xmldom/xmldom/commit/b0620383abc1df067f3ce1014c43ae1bc1161eeb https://github.com/xmldom/xmldom/commit/e6edcab6bef5bcdba0b220bb35442aa72f452b84 https://github.com/xmldom/xmldom/releases/tag/0.8.13 https://github.com/xmldom/xmldom/releases/tag/0.9.10 |
| xmldom--xmldom | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13. | 2026-05-07 | not yet calculated | CVE-2026-41674 | https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314 https://github.com/xmldom/xmldom/releases/tag/0.8.13 https://github.com/xmldom/xmldom/releases/tag/0.9.10 |
| xmldom--xmldom | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13. | 2026-05-07 | not yet calculated | CVE-2026-41675 | https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2 https://github.com/xmldom/xmldom/releases/tag/0.8.13 https://github.com/xmldom/xmldom/releases/tag/0.9.10 |
| pupnp--pupnp | pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5. | 2026-05-08 | not yet calculated | CVE-2026-41682 | https://github.com/pupnp/pupnp/security/advisories/GHSA-q522-6w45-4j58 https://github.com/pupnp/pupnp/commit/def5f9a2bc42f5b3d713e37c516fbe840ce54b7b https://github.com/pupnp/pupnp/releases/tag/release-1.18.5 |
| anthropics--anthropic-sdk-typescript | Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes (0o666 for files, 0o777 for directories), leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. This issue has been patched in version 0.91.1. | 2026-05-04 | not yet calculated | CVE-2026-41686 | https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-p7fg-763f-g4gf |
| jackc--pgx | pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2. | 2026-05-08 | not yet calculated | CVE-2026-41889 | https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da https://github.com/jackc/pgx/releases/tag/v5.9.2 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables[] from the theme's own migration files, but the server-side deleteProcess does not verify the received values against those files. An authenticated admin can craft a POST request with arbitrary table names and drop any table in the database. This issue has been patched in version 0.31.8.0. | 2026-05-07 | not yet calculated | CVE-2026-41890 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vgrf-pr28-vf98 https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been patched in version 0.31.8.0. | 2026-05-07 | not yet calculated | CVE-2026-41891 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5hfv-c864-qcq9 https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0 |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path - sending {login: {username, password}} messages over an established WebSocket connection - calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0. | 2026-05-09 | not yet calculated | CVE-2026-41893 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-vmfm-ch9h-5c7g https://github.com/SignalK/signalk-server/pull/2568 https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d https://github.com/SignalK/signalk-server/releases/tag/v2.25.0 |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allow unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication. | 2026-05-04 | not yet calculated | CVE-2026-41922 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-wireless-cgi |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response. | 2026-05-04 | not yet calculated | CVE-2026-41923 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-internet-cgi |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Attackers can craft a POST request with specially crafted ampersand-delimited parameters to bypass input sanitization and execute commands with a maximum length of 31 bytes through the date command or channel parameter processing. | 2026-05-04 | not yet calculated | CVE-2026-41924 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-makerequest-cgi |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution. | 2026-05-04 | not yet calculated | CVE-2026-41925 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-adm-cgi-reboot-time |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request. | 2026-05-04 | not yet calculated | CVE-2026-41926 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-firewall-cgi |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains a stack-based buffer overflow vulnerability in the firewall.cgi and makeRequest.cgi binaries that allows unauthenticated attackers to overwrite the saved return address by sending a POST request with a Content-Length header exceeding 512 bytes. Attackers can exploit insufficient length validation in the fgets() call to achieve arbitrary code execution through return-oriented programming or return-to-libc techniques. | 2026-05-04 | not yet calculated | CVE-2026-41927 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-stack-based-buffer-overflow-via-firewall-cgi |
| Apache Software Foundation--Apache OpenNLP | Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory for factory=, ArtifactSerializer for serializer-class-*), but the check runs after Class.forName() has already loaded and initialized the named class. Class.forName() with default initialization semantics executes the target class's static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. Exploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load. Mitigation: * 2.x users should upgrade to 2.5.9. * 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces a package-prefix allowlist that is consulted before Class.forName() is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp. prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.* must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package prefixes. Users who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization. | 2026-05-04 | not yet calculated | CVE-2026-42027 | https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y |
| getkirby--kirby | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0. | 2026-05-09 | not yet calculated | CVE-2026-42051 | https://github.com/getkirby/kirby/security/advisories/GHSA-x68m-c7jf-2572 https://github.com/getkirby/kirby/releases/tag/4.9.0 https://github.com/getkirby/kirby/releases/tag/5.4.0 |
| beetbox--beets | Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0. | 2026-05-04 | not yet calculated | CVE-2026-42052 | https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847 https://github.com/beetbox/beets/releases/tag/v2.10.0 |
| getkirby--kirby | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | 2026-05-09 | not yet calculated | CVE-2026-42069 | https://github.com/getkirby/kirby/security/advisories/GHSA-2h7v-4372-f6x2 https://github.com/getkirby/kirby/releases/tag/4.9.0 https://github.com/getkirby/kirby/releases/tag/5.4.0 |
| getkirby--kirby | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0. | 2026-05-09 | not yet calculated | CVE-2026-42137 | https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c https://github.com/getkirby/kirby/releases/tag/4.9.0 https://github.com/getkirby/kirby/releases/tag/5.4.0 |
| langgenius--dify | Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through the application API, is also vulnerable. This issue has been patched in version 1.13.1. | 2026-05-04 | not yet calculated | CVE-2026-42138 | https://github.com/langgenius/dify/security/advisories/GHSA-cg94-8v83-7hjj https://github.com/langgenius/dify/releases/tag/1.13.1 |
| sovity--dataspace-portal | Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. This issue has been patched in version 7.3.2. | 2026-05-08 | not yet calculated | CVE-2026-42160 | https://github.com/sovity/dataspace-portal/security/advisories/GHSA-989g-wpfv-6vxx https://github.com/sovity/dataspace-portal/releases/tag/v7.3.2 |
| getkirby--kirby | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | 2026-05-09 | not yet calculated | CVE-2026-42174 | https://github.com/getkirby/kirby/security/advisories/GHSA-39cp-6679-8xv2 https://github.com/getkirby/kirby/releases/tag/4.9.0 https://github.com/getkirby/kirby/releases/tag/5.4.0 |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO users whose claims match a namespace-level RBAC rule but not an SSO-namespace rule, when SSO_DELEGATE_RBAC_TO_NAMESPACE=true. This issue has been patched in version 4.0.5. | 2026-05-09 | not yet calculated | CVE-2026-42183 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-p4gq-3vxj-f4jq https://github.com/argoproj/argo-workflows/commit/c4cc17d0c034fa9a9cc01ef1af6c8016c93071d4 https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 |
| BerriAI--litellm | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7. | 2026-05-08 | not yet calculated | CVE-2026-42203 | https://github.com/BerriAI/litellm/security/advisories/GHSA-xqmj-j6mv-4862 https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable |
| roadiz--core-bundle-dev-app | Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value. This issue has been patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18. | 2026-05-08 | not yet calculated | CVE-2026-42206 | https://github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-3gx8-q682-38mx |
| BerriAI--litellm | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7. | 2026-05-08 | not yet calculated | CVE-2026-42208 | https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable |
| anzory--SolidCAM-GPPL-IDE | SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, Opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults which in .NET 8 allow DTD processing. A malicious .vmid file could therefore: disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2. | 2026-05-08 | not yet calculated | CVE-2026-42212 | https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-92vg-f4fq-fxm9 https://github.com/anzory/SolidCAM-GPPL-IDE/commit/9d0ba808afd143ede448026a5dc681bfdc5c138d https://github.com/anzory/SolidCAM-GPPL-IDE/blob/master/CHANGELOG.md#102--2026-04-20 https://github.com/anzory/SolidCAM-GPPL-IDE/releases/tag/v1.0.2 |
| anzory--SolidCAM-GPPL-IDE | SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, the inc "filename" directive in GPPL postprocessor files is resolved by GpplDocumentLinkHandler into a clickable link (VS Code textDocument/documentLink). The handler accepted arbitrary paths - absolute, relative with parent-directory segments (..\..\..\), UNC (\\server\share\), and arbitrary subfolders - and called File.Exists on each to decide whether to render the link. Two distinct attack surfaces resulted: information disclosure via File.Exists probing and NTLM hash leak via UNC path probing. This issue has been patched in version 1.0.2. | 2026-05-08 | not yet calculated | CVE-2026-42213 | https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-xvpx-9p39-g62m https://github.com/anzory/SolidCAM-GPPL-IDE/commit/9d0ba808afd143ede448026a5dc681bfdc5c138d https://github.com/anzory/SolidCAM-GPPL-IDE/releases/tag/v1.0.2 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11. | 2026-05-07 | not yet calculated | CVE-2026-42216 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-65j8-95g9-jgj4 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, readVariableLengthInteger() decodes a variable-length integer from untrusted EXR input without bounding the shift count. After enough continuation bytes, the code executes a left shift by 70 on a 64-bit value, which is undefined behavior. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11. | 2026-05-07 | not yet calculated | CVE-2026-42217 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3c67-4wwp-w52m https://github.com/AcademySoftwareFoundation/openexr/pull/2378 https://github.com/AcademySoftwareFoundation/openexr/commit/21eaa33bcbbb0c83a5fc42f6b6d65b70a996e63c |
| pjsip--pjproject | PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via verify_server = PJ_TRUE or verify_client = PJ_TRUE. This issue has been patched in version 2.17. | 2026-05-07 | not yet calculated | CVE-2026-42225 | https://github.com/pjsip/pjproject/security/advisories/GHSA-x2fv-6j6c-pxmx https://github.com/pjsip/pjproject/commit/ef684252bb62b0716675b6e99ad7fe4c90e28920 https://github.com/pjsip/pjproject/releases/tag/2.17 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and use that credential in a helper execution path where the caller also controls the destination URL. This allowed the caller to force the backend to authenticate against attacker-controlled infrastructure using a credential belonging to another user, effectively exfiltrating a reusable API key. The issue is not limited to any single node type; any node that resolves credentials dynamically through these endpoints may be affected. This issue has been patched in versions 1.123.33, 2.17.5, and 2.18.0. | 2026-05-04 | not yet calculated | CVE-2026-42226 | https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately. This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42227 | https://github.com/n8n-io/n8n/security/advisories/GHSA-756q-gq9h-fp22 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution. An unauthenticated remote attacker who could identify a valid execution ID for a workflow in a waiting state could attach to that execution, receive the pending prompt intended for the legitimate user, and submit arbitrary input to resume or influence downstream workflow behavior. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42228 | https://github.com/n8n-io/n8n/security/advisories/GHSA-f77h-j2v7-g6mw |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42229 | https://github.com/n8n-io/n8n/security/advisories/GHSA-mp4j-h6gh-f6mp |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be registered. When a user denies the MCP OAuth consent dialog, the handleDeny handler redirects the user to the registered redirect_uri without validation, enabling an open redirect to an attacker-controlled URL. An attacker can craft a phishing link and send it to a victim; if the victim clicks "Deny" on the consent page, they are silently redirected to an external site. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42230 | https://github.com/n8n-io/n8n/security/advisories/GHSA-f6x8-65q6-j9m9 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42231 | https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42232 | https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42233 | https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42234 | https://github.com/n8n-io/n8n/security/advisories/GHSA-44v6-jhgm-p3m4 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42235 | https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data without adequate resource controls. An unauthenticated remote attacker could exhaust server memory resources by sending large registration payloads, rendering the n8n instance unavailable. The MCP enable/disable toggle gates MCP access but did not restrict client registrations, meaning the endpoint is reachable regardless of whether MCP access is enabled on the instance. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42236 | https://github.com/n8n-io/n8n/security/advisories/GHSA-49m9-pgww-9vq6 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42237 | https://github.com/n8n-io/n8n/security/advisories/GHSA-hp3c-vfpm-q4f7 |
| 0xJacky--nginx-ui | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui - typically root in Docker deployments. This issue has been patched in version 2.3.8. | 2026-05-04 | not yet calculated | CVE-2026-42238 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 |
| ruby--net-imap | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. | 2026-05-09 | not yet calculated | CVE-2026-42245 | https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw https://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96 https://github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfda https://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819 https://github.com/ruby/net-imap/releases/tag/v0.4.24 https://github.com/ruby/net-imap/releases/tag/v0.5.14 https://github.com/ruby/net-imap/releases/tag/v0.6.4 |
| ruby--net-imap | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4. | 2026-05-09 | not yet calculated | CVE-2026-42246 | https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618 https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da https://github.com/ruby/net-imap/releases/tag/v0.3.10 https://github.com/ruby/net-imap/releases/tag/v0.4.24 https://github.com/ruby/net-imap/releases/tag/v0.5.14 |
| ruby--net-imap | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. | 2026-05-09 | not yet calculated | CVE-2026-42256 | https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7 https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612 https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4 https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758 https://github.com/ruby/net-imap/releases/tag/v0.4.24 https://github.com/ruby/net-imap/releases/tag/v0.5.14 https://github.com/ruby/net-imap/releases/tag/v0.6.4 |
| ruby--net-imap | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. | 2026-05-09 | not yet calculated | CVE-2026-42257 | https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg https://github.com/ruby/net-imap/releases/tag/v0.4.24 https://github.com/ruby/net-imap/releases/tag/v0.5.14 https://github.com/ruby/net-imap/releases/tag/v0.6.4 |
| ruby--net-imap | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. | 2026-05-09 | not yet calculated | CVE-2026-42258 | https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px https://github.com/ruby/net-imap/releases/tag/v0.4.24 https://github.com/ruby/net-imap/releases/tag/v0.5.14 https://github.com/ruby/net-imap/releases/tag/v0.6.4 |
| saltcorn--saltcorn | Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL. This issue has been patched in versions 1.4.6, 1.5.6, and 1.6.0-beta.5. | 2026-05-07 | not yet calculated | CVE-2026-42259 | https://github.com/saltcorn/saltcorn/security/advisories/GHSA-f3g8-9xv5-77gv |
| kimai--kimai | Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0. | 2026-05-08 | not yet calculated | CVE-2026-42267 | https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r https://github.com/kimai/kimai/releases/tag/2.54.0 |
| BerriAI--litellm | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it - POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list - accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user - including holders of low-privilege internal-user keys - could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7. | 2026-05-08 | not yet calculated | CVE-2026-42271 | https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable |
| dadrus--heimdall | Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14. | 2026-05-08 | not yet calculated | CVE-2026-42272 | https://github.com/dadrus/heimdall/security/advisories/GHSA-43jv-5j4x-qv67 https://github.com/dadrus/heimdall/pull/3207 https://github.com/dadrus/heimdall/commit/8b0de6aba23a047cfee3081df878271bb17f4351 https://github.com/dadrus/heimdall/releases/tag/v0.17.14 |
| dadrus--heimdall | Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than intended. This issue has been patched in version 0.17.14. | 2026-05-08 | not yet calculated | CVE-2026-42273 | https://github.com/dadrus/heimdall/security/advisories/GHSA-72h4-mxfc-jx37 https://github.com/dadrus/heimdall/pull/3208 https://github.com/dadrus/heimdall/commit/3d05e56a9e7ef0355f17482b4322054af4e85943 https://github.com/dadrus/heimdall/releases/tag/v0.17.14 |
| dadrus--heimdall | Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14. | 2026-05-08 | not yet calculated | CVE-2026-42274 | https://github.com/dadrus/heimdall/security/advisories/GHSA-3q34-rx83-r6mq https://github.com/dadrus/heimdall/pull/3209 https://github.com/dadrus/heimdall/commit/b5dfa484b7a8c2ce6d8691c026f9da867719947a https://github.com/dadrus/heimdall/releases/tag/v0.17.14 |
| UltraDAGcom--core | UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address documented in the protocol as a way to organize funds), the engine fails to resolve the pocket's parent account before checking the spending policy. Because pockets are "virtual" addresses that exist only as entries in the pocket_to_parent map and do not have their own SmartAccountConfig entries, the check_spending_policy method defaults to an "authorized/no policy" result. This allow any user (or attacker in possession of a parent key) to instantly drain every pocket on an account, even if the parent account has a strict 24-hour vault delay or a 1 UDAG daily limit. This issue has been patched via commit fb6ef59. | 2026-05-08 | not yet calculated | CVE-2026-42278 | https://github.com/UltraDAGcom/core/security/advisories/GHSA-9chc-gjfr-6hrq https://github.com/UltraDAGcom/core/commit/fb6ef59d6c1385400e7acea7ae31fc6a473c3051 |
| emlog--emlog | Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11. | 2026-05-08 | not yet calculated | CVE-2026-42286 | https://github.com/emlog/emlog/security/advisories/GHSA-cqqp-rx28-gv2q |
| emlog--emlog | Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been patched in version 2.6.11. | 2026-05-08 | not yet calculated | CVE-2026-42287 | https://github.com/emlog/emlog/security/advisories/GHSA-xxj8-fc63-j3gw |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5. | 2026-05-09 | not yet calculated | CVE-2026-42294 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-jcc8-g2q4-9fxq https://github.com/argoproj/argo-workflows/commit/7abb4de6c3599e2d5d960ba4d5de4cf1df109965 https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14 https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. This issue has been patched in version 4.0.5. | 2026-05-09 | not yet calculated | CVE-2026-42295 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-7vf8-2cr6-54mf https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user - including those using fake Bearer tokens - can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5. | 2026-05-09 | not yet calculated | CVE-2026-42297 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xchc-cqwg-g76q https://github.com/argoproj/argo-workflows/commit/09fff05e0830c14a5e36cc40597ad84881db1ab6 https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 |
| python-pillow--Pillow | Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0. | 2026-05-09 | not yet calculated | CVE-2026-42308 | https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j https://github.com/python-pillow/Pillow/releases/tag/12.2.0 |
| python-pillow--Pillow | Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0. | 2026-05-09 | not yet calculated | CVE-2026-42309 | https://github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2 https://github.com/python-pillow/Pillow/releases/tag/12.2.0 |
| python-pillow--Pillow | Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0. | 2026-05-09 | not yet calculated | CVE-2026-42310 | https://github.com/python-pillow/Pillow/security/advisories/GHSA-r73j-pqj5-w3x7 https://github.com/python-pillow/Pillow/pull/9519 https://github.com/python-pillow/Pillow/commit/3bf614e4b8615d0ce1d5039efaf6db447fe7c468 https://github.com/python-pillow/Pillow/releases/tag/12.2.0 |
| python-pillow--Pillow | Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0. | 2026-05-09 | not yet calculated | CVE-2026-42311 | https://github.com/python-pillow/Pillow/security/advisories/GHSA-pwv6-vv43-88gr https://github.com/python-pillow/Pillow/pull/9520 https://github.com/python-pillow/Pillow/commit/58f9a1d166dcb0c274807d4423522d205b0c35ea https://github.com/python-pillow/Pillow/releases/tag/12.2.0 |
| quarkiverse--quarkus-openapi-generator | Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0. | 2026-05-09 | not yet calculated | CVE-2026-42333 | https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586 https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0 |
| QuantumNous--new-api | New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular (non-admin) user holding any valid API token can send a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages with 0.0.0.0 as the image/file URL host, bypassing the private-IP filter and causing the server to issue HTTP requests to localhost. This constitutes at minimum a blind SSRF; when the request is routed through an AWS/Bedrock Claude adaptor, the fetched content is inlined into the model response, upgrading it to a full-read SSRF. At time of publication, there are no publicly available patches. | 2026-05-08 | not yet calculated | CVE-2026-42339 | https://github.com/QuantumNous/new-api/security/advisories/GHSA-v5c3-6wvc-pc2q |
| labring--FastGPT | FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit (a 500ms polling interval) for memory management and lacks strict OS-level constraints such as cgroups or kernel-level namespaces. This architectural weakness allows attackers to easily bypass memory checks via time-window attacks, or exhaust the entire JavaScript worker pool via concurrent CPU-intensive requests, resulting in a complete Denial of Service (DoS) for legitimate users. At time of publication, there are no publicly available patches. | 2026-05-08 | not yet calculated | CVE-2026-42343 | https://github.com/labring/FastGPT/security/advisories/GHSA-qv7v-r94x-6x3x |
| akuity--kargo | Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patched in versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2. | 2026-05-08 | not yet calculated | CVE-2026-42350 | https://github.com/akuity/kargo/security/advisories/GHSA-g7gw-m874-7rmf |
| Apache Software Foundation--Apache OpenNLP | OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader Versions Affected: before 2.5.9 before 3.0.0-M3 Description: The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (new String[numOutcomes], new int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source. A crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any higher-level component that delegates to it during model load. The practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins. Mitigation: * 2.x users should upgrade to 2.5.9. * 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES system property to the desired positive integer (e.g. -DOPENNLP_MAX_ENTRIES=50000000); invalid or non-positive values fall back to the default. Users who cannot upgrade immediately should treat all .bin model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks. | 2026-05-04 | not yet calculated | CVE-2026-42440 | https://lists.apache.org/thread/s8xlkx1gqbxfsq48py5h6jphjvgqp1jo |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the extractArchive and compressFiles endpoints in file-manager.ts use double-quoted strings for shell command construction, unlike all other file manager operations which use single-quote escaping. Double quotes allow $(command) substitution, enabling command injection on the remote SSH host. This issue has been patched in version 2.1.0. | 2026-05-08 | not yet calculated | CVE-2026-42453 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-rvg4-7vvq-9c2w https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag |
| linkwarden--linkwarden | Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In versions 2.14.0 and prior, the archive upload endpoint (POST /api/v1/archives/[linkId]?format=4) accepts HTML files (text/html) without sanitizing JavaScript content. When the archive is later accessed via GET /api/v1/archives/[linkId]?format=4, the HTML is served with Content-Type: text/html from the Linkwarden origin, without any Content-Security-Policy header. This allows arbitrary JavaScript execution in the context of the authenticated Linkwarden sessio. At time of publication, there are no publicly available patches. | 2026-05-08 | not yet calculated | CVE-2026-42455 | https://github.com/linkwarden/linkwarden/security/advisories/GHSA-fjvg-mch3-j3vg |
| getarcaneapp--arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because Arcane's UI exposes a "Save as Template" flow on the project / swarm-stack creation pages that persists the operator's real env content (database passwords, API keys, etc.) verbatim, this missing authorization is an unauthenticated read of operator secrets in practice - not a theoretical info-disclosure. The frontend explicitly treats /customize/templates/* as an authenticated area (PROTECTED_PREFIXES in frontend/src/lib/utils/redirect.util.ts), and every CRUD operation (POST/PUT/DELETE) on the same paths requires a Bearer/API key, so this is a clear backend authorization gap, not intended public access. This issue has been patched in version 1.18.0. | 2026-05-09 | not yet calculated | CVE-2026-42461 | https://github.com/getarcaneapp/arcane/security/advisories/GHSA-cxx3-hr75-4q96 https://github.com/getarcaneapp/arcane/releases/tag/v1.18.0 |
| Go standard library--net/mail | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | 2026-05-07 | not yet calculated | CVE-2026-42499 | https://go.dev/issue/78987 https://go.dev/cl/771520 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4977 |
| Go toolchain--cmd/go | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module's dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running "rm go.sum ; go mod tidy ; go mod verify", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module. If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated. | 2026-05-07 | not yet calculated | CVE-2026-42501 | https://go.dev/cl/775321 https://go.dev/issue/79070 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4984 |
| golang.org/x/tools--golang.org/x/tools/gopls | gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls. | 2026-05-06 | not yet calculated | CVE-2026-42503 | https://go.dev/issue/79211 https://go.dev/cl/774381 |
| Apache Software Foundation--Apache Wicket | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue. | 2026-05-06 | not yet calculated | CVE-2026-42509 | https://lists.apache.org/thread/52nrq4tt07gxz4r6sj5gyocz5s6bprjp |
| PelicanPlatform--pelican | Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2. | 2026-05-09 | not yet calculated | CVE-2026-42571 | https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854 |
| ArchiveBox--ArchiveBox | ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. At time of publication, there are no publicly available patches. | 2026-05-09 | not yet calculated | CVE-2026-42601 | https://github.com/ArchiveBox/ArchiveBox/security/advisories/GHSA-3h23-7824-pj8r |
| absinthe-graphql--absinthe | Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node. Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed - for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents. This issue affects absinthe: from 1.5.0 before 1.10.2. | 2026-05-08 | not yet calculated | CVE-2026-42793 | https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7 https://cna.erlef.org/cves/CVE-2026-42793.html https://osv.dev/vulnerability/EEF-CVE-2026-42793 https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838 |
| absinthe-graphql--absinthe_plug | Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0. | 2026-05-08 | not yet calculated | CVE-2026-42794 | https://github.com/absinthe-graphql/absinthe_plug/issues/275 https://cna.erlef.org/cves/CVE-2026-42794.html https://osv.dev/vulnerability/EEF-CVE-2026-42794 https://github.com/absinthe-graphql/absinthe_plug/commit/23a0d5658d32420086711adf4ce8f05febb09963 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced mgmt_pending_valid(), which not only validates the pending command but also unlinks it from the pending list if it is valid. This change in semantics requires updates to several completion handlers to avoid list corruption and memory safety issues. This patch addresses two left-over issues from the aforementioned rework: 1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() is replaced with mgmt_pending_free() in the success path. Since mgmt_pending_valid() already unlinks the command at the beginning of the function, calling mgmt_pending_remove() leads to a double list_del() and subsequent list corruption/kernel panic. 2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error path is removed. Since the current command is already unlinked by mgmt_pending_valid(), this foreach loop would incorrectly target other pending mesh commands, potentially freeing them while they are still being processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() is also simplified to use cmd->opcode directly. | 2026-05-05 | not yet calculated | CVE-2026-43059 | https://git.kernel.org/stable/c/695b45b2262fcb5e71bed1175aad59c72f92aa78 https://git.kernel.org/stable/c/b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77 https://git.kernel.org/stable/c/02023ff760cc104a5d86a82ef5b8dd89098ad78d https://git.kernel.org/stable/c/17f89341cb4281d1da0e2fb0de5406ab7c4e25ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: 8250: Fix TX deadlock when using DMA `dmaengine_terminate_async` does not guarantee that the `__dma_tx_complete` callback will run. The callback is currently the only place where `dma->tx_running` gets cleared. If the transaction is canceled and the callback never runs, then `dma->tx_running` will never get cleared and we will never schedule new TX DMA transactions again. This change makes it so we clear `dma->tx_running` after we terminate the DMA transaction. This is "safe" because `serial8250_tx_dma_flush` is holding the UART port lock. The first thing the callback does is also grab the UART port lock, so access to `dma->tx_running` is serialized. | 2026-05-05 | not yet calculated | CVE-2026-43061 | https://git.kernel.org/stable/c/8190f9ab6ad90cb97652adbebd238b874a4ef70d https://git.kernel.org/stable/c/79a19bd936bb35f56ef0ccab1b3b59ebce8c762d https://git.kernel.org/stable/c/f76d91271bcacbd759a2e4ee3ea61faa6a727ccf https://git.kernel.org/stable/c/d2719a0a9c3439abf67843a5504b7afccd9ded93 https://git.kernel.org/stable/c/2a72403b985aea6b4aac3171830492f9a387f9e1 https://git.kernel.org/stable/c/5f6b17562f03fc65c7d3474ef8f1959b19d1ca41 https://git.kernel.org/stable/c/b5ad887339503103d0fbe9827b16ad287597c275 https://git.kernel.org/stable/c/a424a34b8faddf97b5af41689087e7a230f79ba7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix not releasing workqueue on .release() The workqueue associated with an DSA/IAA device is not released when the object is freed. | 2026-05-05 | not yet calculated | CVE-2026-43064 | https://git.kernel.org/stable/c/fd4cb61bbd0fc3a749a8da6145cbb56d8f6dba35 https://git.kernel.org/stable/c/2bb9e9e93adff9cc8a138ae9a3a8d59b3452272e https://git.kernel.org/stable/c/d02c24af126dee45247dc7890409c86d1831859d https://git.kernel.org/stable/c/958e96533ddbd1edd127feb7624a7eed0cc379dc https://git.kernel.org/stable/c/fc34f199eb576b3a73089452fdf0056cc9a9301d https://git.kernel.org/stable/c/3d33de353b1ff9023d5ec73b9becf80ea87af695 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: always drain queued discard work in ext4_mb_release() While reviewing recent ext4 patch[1], Sashiko raised the following concern[2]: > If the filesystem is initially mounted with the discard option, > deleting files will populate sbi->s_discard_list and queue > s_discard_work. If it is then remounted with nodiscard, the > EXT4_MOUNT_DISCARD flag is cleared, but the pending s_discard_work is > neither cancelled nor flushed. [1] https://lore.kernel.org/r/20260319094545.19291-1-qiang.zhang@linux.dev/ [2] https://sashiko.dev/#/patchset/20260319094545.19291-1-qiang.zhang%40linux.dev The concern was valid, but it had nothing to do with the patch[1]. One of the problems with Sashiko in its current (early) form is that it will detect pre-existing issues and report it as a problem with the patch that it is reviewing. In practice, it would be hard to hit deliberately (unless you are a malicious syzkaller fuzzer), since it would involve mounting the file system with -o discard, and then deleting a large number of files, remounting the file system with -o nodiscard, and then immediately unmounting the file system before the queued discard work has a change to drain on its own. Fix it because it's a real bug, and to avoid Sashiko from raising this concern when analyzing future patches to mballoc.c. | 2026-05-05 | not yet calculated | CVE-2026-43065 | https://git.kernel.org/stable/c/e96c2354b170aaa53300c8e8fd59e41b133160f7 https://git.kernel.org/stable/c/c360e9d0def4f4ae03254a67c683103908555b75 https://git.kernel.org/stable/c/1c82f863f090ab899085bdfade073313384b514b https://git.kernel.org/stable/c/9b4d9dda6a71ad3425c8109d27c4c6bfb9da97b8 https://git.kernel.org/stable/c/812b6a7cd3e7f3a3e8a24db85bc6313c26cb1098 https://git.kernel.org/stable/c/b4737e26d4688b8aea88ad6ea4dbfeb6e78b0327 https://git.kernel.org/stable/c/9ee29d20aab228adfb02ca93f87fb53c56c2f3af |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths During code review, Joseph found that ext4_fc_replay_inode() calls ext4_get_fc_inode_loc() to get the inode location, which holds a reference to iloc.bh that must be released via brelse(). However, several error paths jump to the 'out' label without releasing iloc.bh: - ext4_handle_dirty_metadata() failure - sync_dirty_buffer() failure - ext4_mark_inode_used() failure - ext4_iget() failure Fix this by introducing an 'out_brelse' label placed just before the existing 'out' label to ensure iloc.bh is always released. Additionally, make ext4_fc_replay_inode() propagate errors properly instead of always returning 0. | 2026-05-05 | not yet calculated | CVE-2026-43066 | https://git.kernel.org/stable/c/0892f12cd49fde5d5db68137923db107f894f3a3 https://git.kernel.org/stable/c/5a63033696e60b5d70816f1d119645ac5b0b0a03 https://git.kernel.org/stable/c/9c90449a9ac2cd1ba540ad2561b8b70c1bfb0a25 https://git.kernel.org/stable/c/ca99cbcc316cdfd2040cc2b13d1426ccb3b3b50b https://git.kernel.org/stable/c/19782b4c793b49a6aa4abbb307ddff3610009d21 https://git.kernel.org/stable/c/f7817ad399d604e8639005d87d148b5ec626ad26 https://git.kernel.org/stable/c/c426231e3d51916e83b6d1ab7ed8a65e83bca5b4 https://git.kernel.org/stable/c/ec0a7500d8eace5b4f305fa0c594dd148f0e8d29 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal() There's issue as follows: ... EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2243 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2239 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): error count since last fsck: 1 EXT4-fs (mmcblk0p1): initial error at time 1765597433: ext4_mb_generate_buddy:760 EXT4-fs (mmcblk0p1): last error at time 1765597433: ext4_mb_generate_buddy:760 ... According to the log analysis, blocks are always requested from the corrupted block group. This may happen as follows: ext4_mb_find_by_goal ext4_mb_load_buddy ext4_mb_load_buddy_gfp ext4_mb_init_cache ext4_read_block_bitmap_nowait ext4_wait_block_bitmap ext4_validate_block_bitmap if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp)) return -EFSCORRUPTED; // There's no logs. if (err) return err; // Will return error ext4_lock_group(ac->ac_sb, group); if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) // Unreachable goto out; After commit 9008a58e5dce ("ext4: make the bitmap read routines return real error codes") merged, Commit 163a203ddb36 ("ext4: mark block group as corrupt on block bitmap error") is no real solution for allocating blocks from corrupted block groups. This is because if 'EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)' is true, then 'ext4_mb_load_buddy()' may return an error. This means that the block allocation will fail. Therefore, check block group if corrupted when ext4_mb_load_buddy() returns error. | 2026-05-05 | not yet calculated | CVE-2026-43068 | https://git.kernel.org/stable/c/fea6b2e250ff48f10d166011b57a8516ae5438c9 https://git.kernel.org/stable/c/0b84571c886719823d537f05f4f07cad6357c4b7 https://git.kernel.org/stable/c/ffc0a282462d45fee5957621be5afa29752f3b6d https://git.kernel.org/stable/c/2d31a5073f86a177edf44015e0dedb0c47cfd6d8 https://git.kernel.org/stable/c/9370207b36d26e45a8c8ef0500706d37036edd6b https://git.kernel.org/stable/c/1895f7904be71c48f1e6f338b28f24dabd6b8aeb https://git.kernel.org/stable/c/1c0d7c4cde38a887c6d74e0c89ddb25226943c78 https://git.kernel.org/stable/c/46066e3a06647c5b186cc6334409722622d05c44 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_ll: Fix firmware leak on error path Smatch reports: drivers/bluetooth/hci_ll.c:587 download_firmware() warn: 'fw' from request_firmware() not released on lines: 544. In download_firmware(), if request_firmware() succeeds but the returned firmware content is invalid (no data or zero size), the function returns without releasing the firmware, resulting in a resource leak. Fix this by calling release_firmware() before returning when request_firmware() succeeded but the firmware content is invalid. | 2026-05-05 | not yet calculated | CVE-2026-43069 | https://git.kernel.org/stable/c/95e8601af227b2b4390eecf8db6abdb9f6a91f17 https://git.kernel.org/stable/c/e6d95488c8c964d1df0d3e1db44c958706311e86 https://git.kernel.org/stable/c/b2dfbf1b5ff192cefd49574b951a4af9ddd32213 https://git.kernel.org/stable/c/28904375d54b436a757641fb0331537778c0de5a https://git.kernel.org/stable/c/5213ef54528dd1ac79b846e30d8f72ce092794aa https://git.kernel.org/stable/c/9ecbfd93cd6de6c78cb7fd51fe079e36c7ff074b https://git.kernel.org/stable/c/a7803df606a7d22e896b030f619e1d9d20ae0c6b https://git.kernel.org/stable/c/31148a7be723aa9f2e8fbd62424825ab8d577973 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vc4: platform_get_irq_byname() returns an int platform_get_irq_byname() will return a negative value if an error happens, so it should be checked and not just passed directly into devm_request_threaded_irq() hoping all will be ok. | 2026-05-05 | not yet calculated | CVE-2026-43072 | https://git.kernel.org/stable/c/63c11b19cdc154fa848a6c3b535bfb1dc7b60378 https://git.kernel.org/stable/c/ef2ee9db13b68c5e332b77c0a7108a2d4d56e114 https://git.kernel.org/stable/c/0185e0494a561edfc482507f9de89c2ad798b33d https://git.kernel.org/stable/c/9c10b83a004442c93d7a484c3d221a06a45821e1 https://git.kernel.org/stable/c/0c1b117f7ba46fb8f6ebc5e0bfe5b58568c301ba https://git.kernel.org/stable/c/e597a809a2b97e927060ba182f58eb3e6101bc70 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86-64: rename misleadingly named '__copy_user_nocache()' function This function was a masterclass in bad naming, for various historical reasons. It claimed to be a non-cached user copy. It is literally _neither_ of those things. It's a specialty memory copy routine that uses non-temporal stores for the destination (but not the source), and that does exception handling for both source and destination accesses. Also note that while it works for unaligned targets, any unaligned parts (whether at beginning or end) will not use non-temporal stores, since only words and quadwords can be non-temporal on x86. The exception handling means that it _can_ be used for user space accesses, but not on its own - it needs all the normal "start user space access" logic around it. But typically the user space access would be the source, not the non-temporal destination. That was the original intention of this, where the destination was some fragile persistent memory target that needed non-temporal stores in order to catch machine check exceptions synchronously and deal with them gracefully. Thus that non-descriptive name: one use case was to copy from user space into a non-cached kernel buffer. However, the existing users are a mix of that intended use-case, and a couple of random drivers that just did this as a performance tweak. Some of those random drivers then actively misused the user copying version (with STAC/CLAC and all) to do kernel copies without ever even caring about the exception handling, _just_ for the non-temporal destination. Rename it as a first small step to actually make it halfway sane, and change the prototype to be more normal: it doesn't take a user pointer unless the caller has done the proper conversion, and the argument size is the full size_t (it still won't actually copy more than 4GB in one go, but there's also no reason to silently truncate the size argument in the caller). Finally, use this now sanely named function in the NTB code, which mis-used a user copy version (with STAC/CLAC and all) of this interface despite it not actually being a user copy at all. | 2026-05-05 | not yet calculated | CVE-2026-43073 | https://git.kernel.org/stable/c/14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd https://git.kernel.org/stable/c/c6d4e0599e7e73abc04e2488dfeb7940c4039660 https://git.kernel.org/stable/c/d993e1723aa2a085aa0d72e70ea889031fc225b4 https://git.kernel.org/stable/c/efea91ad1729ff1853d7418e4d3bc27d085e72d0 https://git.kernel.org/stable/c/d187a86de793f84766ea40b9ade7ac60aabbb4fe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Fix minimum RX size check for decryption The check for the minimum receive buffer size did not take the tag size into account during decryption. Fix this by adding the required extra length. | 2026-05-06 | not yet calculated | CVE-2026-43077 | https://git.kernel.org/stable/c/74a66fdb5282d89e348b00c42cfca3a936946d94 https://git.kernel.org/stable/c/fd427dd84f224309afbcc2cb67c7bb770a01265c https://git.kernel.org/stable/c/1c76b5675119f694458293a2a81f40731c69bd32 https://git.kernel.org/stable/c/e86ab1e5661386a874fbb8551f0c04b8e9f8ad22 https://git.kernel.org/stable/c/af2fa2fbbced26129813274b8b3f7705f280e174 https://git.kernel.org/stable/c/78cea133daf721698876e56135049a96d39d610a https://git.kernel.org/stable/c/3afdc15d6173614d7d834517d9b65e7aa5a08548 https://git.kernel.org/stable/c/3d14bd48e3a77091cbce637a12c2ae31b4a1687c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Skip discovery table for offline dies This warning can be triggered if NUMA is disabled and the system boots with fewer CPUs than the number of CPUs in die 0. WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore] Currently, the discovery table continues to be parsed even if all CPUs in the associated die are offline. This can lead to an array overflow at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may trigger the warning above or cause other issues. | 2026-05-06 | not yet calculated | CVE-2026-43079 | https://git.kernel.org/stable/c/cfab2c817d2e7e0bee98d66850246ce842ed5f18 https://git.kernel.org/stable/c/6cfc187d85f18f976d0fe527d4c6f6171542cc19 https://git.kernel.org/stable/c/f34feda8e0c9535fee3f8870ce8bab53c2798f71 https://git.kernel.org/stable/c/7a2cb02437d92ed14fe494d8994056d5bd2c72b4 https://git.kernel.org/stable/c/7b568e9eba2fad89a696f22f0413d44cf4a1f892 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: l2tp: Drop large packets with UDP encap syzbot reported a WARN on my patch series [1]. The actual issue is an overflow of 16-bit UDP length field, and it exists in the upstream code. My series added a debug WARN with an overflow check that exposed the issue, that's why syzbot tripped on my patches, rather than on upstream code. syzbot's repro: r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c) connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32) writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1) It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP encapsulation, and l2tp_xmit_core doesn't check for overflows when it assigns the UDP length field. The value gets trimmed to 16 bites. Add an overflow check that drops oversized packets and avoids sending packets with trimmed UDP length to the wire. syzbot's stack trace (with my patch applied): len >= 65536u WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957 WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957 WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957 Modules linked in: CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline] RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline] RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327 Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f RSP: 0018:ffffc90003d67878 EFLAGS: 00010293 RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000 RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004 R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900 R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000 FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0 Call Trace: <TASK> pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x503/0x550 net/socket.c:1195 do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 vfs_writev+0x33c/0x990 fs/read_write.c:1059 do_writev+0x154/0x2e0 fs/read_write.c:1105 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f636479c629 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629 RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003 RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0 </TASK> [1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/ | 2026-05-06 | not yet calculated | CVE-2026-43080 | https://git.kernel.org/stable/c/9ccce02d501335f59a02f26c878c5e095b16302f https://git.kernel.org/stable/c/77c1489398c85a844f90205f5e76fd6bc8bb4089 https://git.kernel.org/stable/c/86534c97abd6365a9a021fd767a2023e63c44469 https://git.kernel.org/stable/c/f295fe86e22ff0a2ecebf05e30a387e5cf6f6ddc https://git.kernel.org/stable/c/ebe560ea5f54134279356703e73b7f867c89db13 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+ Fix the field masks to match the hardware layout documented in downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*). Notably this fixes a WARN I was seeing when I tried to send "stop" to the MPSS remoteproc while IPA was up. | 2026-05-06 | not yet calculated | CVE-2026-43081 | https://git.kernel.org/stable/c/a7d326dfb13b5a0763eccfd78836fe15199fc499 https://git.kernel.org/stable/c/d1c66396796f23f7201b1addf06f62515035354d https://git.kernel.org/stable/c/bafc45ea30d297002750396d5f10e3018bf2cd60 https://git.kernel.org/stable/c/2aa50d2c1f631b405849da246043c6f683af7489 https://git.kernel.org/stable/c/9709b56d908acc120fe8b4ae250b3c9d749ea832 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: txgbe: leave space for null terminators on property_entry Lists of struct property_entry are supposed to be terminated with an empty property, this driver currently seems to be allocating exactly the amount of entry used. Change the struct definition to leave an extra element for all property_entry. | 2026-05-06 | not yet calculated | CVE-2026-43082 | https://git.kernel.org/stable/c/00e1d650fa4b228ef1faea8e29effe4b4861e6e4 https://git.kernel.org/stable/c/16eb3c2f86de9a21aefe7a6386607d4cd3947a77 https://git.kernel.org/stable/c/8eff73e58e1f8fe991522acb863164319a7f7dd3 https://git.kernel.org/stable/c/92c09262dac565a6b831fd724b81fe4ff76f51b4 https://git.kernel.org/stable/c/5a37d228799b0ec2c277459c83c814a59d310bc3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() helper only zeroes alignment padding after the payload, not the payload itself, so four bytes of stale kernel heap data are leaked to userspace in the NLMSG_DONE message body. Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes the nfgenmsg payload via nfnl_fill_hdr(), consistent with how __build_packet_message() already constructs NFULNL_MSG_PACKET headers. | 2026-05-06 | not yet calculated | CVE-2026-43085 | https://git.kernel.org/stable/c/368c22aea490f6f50df831b4f9e3623787686c5b https://git.kernel.org/stable/c/d1399632ba255d2e02c757af5d9f5d9279ce168c https://git.kernel.org/stable/c/d552bcfca323d175664d7444989b04f55666978a https://git.kernel.org/stable/c/15d209bccf9273b4a8b4e579ba0e92d065b6ec8c https://git.kernel.org/stable/c/1f3083aec8836213da441270cdb1ab612dd82cf4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipvs: fix NULL deref in ip_vs_add_service error path When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local variable sched is set to NULL. If ip_vs_start_estimator() subsequently fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL check (because svc->scheduler was set by the successful bind) but then dereferences the NULL sched parameter at sched->done_service, causing a kernel panic at offset 0x30 from NULL. Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69) Call Trace: <TASK> ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500) do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809) nf_setsockopt (net/netfilter/nf_sockopt.c:102) [..] Fix by simply not clearing the local sched variable after a successful bind. ip_vs_unbind_scheduler() already detects whether a scheduler is installed via svc->scheduler, and keeping sched non-NULL ensures the error path passes the correct pointer to both ip_vs_unbind_scheduler() and ip_vs_scheduler_put(). While the bug is older, the problem popups in more recent kernels (6.2), when the new error path is taken after the ip_vs_start_estimator() call. | 2026-05-06 | not yet calculated | CVE-2026-43086 | https://git.kernel.org/stable/c/730663352c9178f33fcf5929f4a37c1f1ca5a693 https://git.kernel.org/stable/c/4039959315008888dd53c37674d33351817a5166 https://git.kernel.org/stable/c/a32dabacee111cea083ddd57a03635672e1bff29 https://git.kernel.org/stable/c/c2ddbe577e2ebf63f2d8fb15cdc7503af70f3e94 https://git.kernel.org/stable/c/9a91797e61d286805ae10a92cc48959c30800556 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Disable all pin interrupts during probe A chip being probed may have the interrupt-on-change feature enabled on some of its pins, for example after a reboot. This can cause the chip to generate interrupts for pins that don't have a registered nested handler, which leads to a kernel crash such as below: [ 7.928897] Unable to handle kernel read from unreadable memory at virtual address 00000000000000ac [ 7.932314] Mem abort info: [ 7.935081] ESR = 0x0000000096000004 [ 7.938808] EC = 0x25: DABT (current EL), IL = 32 bits [ 7.944094] SET = 0, FnV = 0 [ 7.947127] EA = 0, S1PTW = 0 [ 7.950247] FSC = 0x04: level 0 translation fault [ 7.955101] Data abort info: [ 7.957961] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 7.963421] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 7.968447] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 7.973734] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000089b7000 [ 7.980148] [00000000000000ac] pgd=0000000000000000, p4d=0000000000000000 [ 7.986913] Internal error: Oops: 0000000096000004 [#1] SMP [ 7.992545] Modules linked in: [ 8.073678] CPU: 0 UID: 0 PID: 81 Comm: irq/18-4-0025 Not tainted 7.0.0-rc6-gd2b5a1f931c8-dirty #199 [ 8.073689] Hardware name: Khadas VIM3 (DT) [ 8.073692] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 8.094639] pc : _raw_spin_lock_irq+0x40/0x80 [ 8.098970] lr : handle_nested_irq+0x2c/0x168 [ 8.098979] sp : ffff800082b2bd20 [ 8.106599] x29: ffff800082b2bd20 x28: ffff800080107920 x27: ffff800080104d88 [ 8.106611] x26: ffff000003298080 x25: 0000000000000001 x24: 000000000000ff00 [ 8.113707] x23: 0000000000000001 x22: 0000000000000000 x21: 000000000000000e [ 8.120850] x20: 0000000000000000 x19: 00000000000000ac x18: 0000000000000000 [ 8.135046] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 8.135062] x14: ffff800081567ea8 x13: ffffffffffffffff x12: 0000000000000000 [ 8.135070] x11: 00000000000000c0 x10: 0000000000000b60 x9 : ffff800080109e0c [ 8.135078] x8 : 1fffe0000069dbc1 x7 : 0000000000000001 x6 : ffff0000034ede00 [ 8.135086] x5 : 0000000000000000 x4 : ffff0000034ede08 x3 : 0000000000000001 [ 8.163460] x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000ac [ 8.170560] Call trace: [ 8.180094] _raw_spin_lock_irq+0x40/0x80 (P) [ 8.184443] mcp23s08_irq+0x248/0x358 [ 8.184462] irq_thread_fn+0x34/0xb8 [ 8.184470] irq_thread+0x1a4/0x310 [ 8.195093] kthread+0x13c/0x150 [ 8.198309] ret_from_fork+0x10/0x20 [ 8.201850] Code: d65f03c0 d2800002 52800023 f9800011 (885ffc01) [ 8.207931] ---[ end trace 0000000000000000 ]--- This issue has always been present, but has been latent until commit "f9f4fda15e72" ("pinctrl: mcp23s08: init reg_defaults from HW at probe and switch cache type"), which correctly removed reg_defaults from the regmap and as a side effect changed the behavior of the interrupt handler so that the real value of the MCP_GPINTEN register is now being read from the chip instead of using a bogus 0 default value; a non-zero value for this register can trigger the invocation of a nested handler which may not exist (yet). Fix this issue by disabling all pin interrupts during initialization. | 2026-05-06 | not yet calculated | CVE-2026-43087 | https://git.kernel.org/stable/c/f8c3258541a0680a4ebc08b05b2bc5fdad3288a9 https://git.kernel.org/stable/c/db5b8cecbdf479ad13156af750377e5b43853fab |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: af_key: zero aligned sockaddr tail in PF_KEY exports PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, `pfkey_sockaddr_fill()` initializes only the first 28 bytes of `struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized. Not every PF_KEY message is affected. The state and policy dump builders already zero the whole message buffer before filling the sockaddr payloads. Keep the fix to the export paths that still append aligned sockaddr payloads with plain `skb_put()`: - `SADB_ACQUIRE` - `SADB_X_NAT_T_NEW_MAPPING` - `SADB_X_MIGRATE` Fix those paths by clearing only the aligned sockaddr tail after `pfkey_sockaddr_fill()`. | 2026-05-06 | not yet calculated | CVE-2026-43088 | https://git.kernel.org/stable/c/2e74f974359b5382ecbe8536abbb5b837eb6c724 https://git.kernel.org/stable/c/426c355742f02cf743b347d9d7dbdc1bfbfa31ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in build_mapping() struct xfrm_usersa_id has a one-byte padding hole after the proto field, which ends up never getting set to zero before copying out to userspace. Fix that up by zeroing out the whole structure before setting individual variables. | 2026-05-06 | not yet calculated | CVE-2026-43089 | https://git.kernel.org/stable/c/d3125c541a96fb3c0fc7210112684baf22b6c24d https://git.kernel.org/stable/c/5a1a4b049ddde41466ccac0daeec326254b133f2 https://git.kernel.org/stable/c/f779a6b6cdb6e12baa0663063ac59ab2a8f20c0c https://git.kernel.org/stable/c/700c9622b23c33b5933e6dcea816492c064e4e10 https://git.kernel.org/stable/c/1beb76b2053b68c491b78370794b8ff63c8f8c02 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: fix refcount leak in xfrm_migrate_policy_find syzkaller reported a memory leak in xfrm_policy_alloc: BUG: memory leak unreferenced object 0xffff888114d79000 (size 1024): comm "syz.1.17", pid 931 ... xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432 The root cause is a double call to xfrm_pol_hold_rcu() in xfrm_migrate_policy_find(). The lookup function already returns a policy with held reference, making the second call redundant. Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount imbalance and prevent the memory leak. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2026-05-06 | not yet calculated | CVE-2026-43090 | https://git.kernel.org/stable/c/21e235a36cfb6d145cefb10728f12f5dc5412f54 https://git.kernel.org/stable/c/836ee1b0426ea3db31531e9581cc32f513d24e32 https://git.kernel.org/stable/c/70c2a89a3bc207c3bfbf6f21bb439809e0a4a27a https://git.kernel.org/stable/c/83317cce60a032c49480dcdabe146435bd689d03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xsk: validate MTU against usable frame size on bind AF_XDP bind currently accepts zero-copy pool configurations without verifying that the device MTU fits into the usable frame space provided by the UMEM chunk. This becomes a problem since we started to respect tailroom which is subtracted from chunk_size (among with headroom). 2k chunk size might not provide enough space for standard 1500 MTU, so let us catch such settings at bind time. Furthermore, validate whether underlying HW will be able to satisfy configured MTU wrt XSK's frame size multiplied by supported Rx buffer chain length (that is exposed via net_device::xdp_zc_max_segs). | 2026-05-06 | not yet calculated | CVE-2026-43092 | https://git.kernel.org/stable/c/a55793e5a97d4e39bdb380873a9780fe0010bff6 https://git.kernel.org/stable/c/f669d60db11dbabb96279f2b20f9d1cba43cddb2 https://git.kernel.org/stable/c/25e1e91a8da819924df0b16e3812d7b24c8ce133 https://git.kernel.org/stable/c/b2f4daa6422fd6cc0cec969794dab4a88ea4cea1 https://git.kernel.org/stable/c/36ee60b569ba0dfb6f961333b90d19ab5b323fa9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ixgbevf: add missing negotiate_features op to Hyper-V ops table Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") added the .negotiate_features callback to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL on Hyper-V VMs. During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), which unconditionally dereferences hw->mac.ops.negotiate_features(). On Hyper-V this results in a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] Workqueue: events work_for_cpu_fn RIP: 0010:0x0 [...] Call Trace: ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] ixgbevf_probe+0x20f/0x4a0 [ixgbevf] local_pci_probe+0x50/0xa0 work_for_cpu_fn+0x1a/0x30 [...] Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP gracefully. | 2026-05-06 | not yet calculated | CVE-2026-43094 | https://git.kernel.org/stable/c/d8a747057a17ffc79e31df1abb11d05e1669d8e5 https://git.kernel.org/stable/c/2270ebab53128fb73c4a70a292be09094074737f https://git.kernel.org/stable/c/4db7b61ec1d1b2b67c0881b62fc4f9583bc21484 https://git.kernel.org/stable/c/1455ff8809843e6e83f1f5b5c0bcc2224c99a3cb https://git.kernel.org/stable/c/4821d563cd7f251ae728be1a6d04af82a294a5b9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: SDCA: Fix errors in IRQ cleanup IRQs are enabled through sdca_irq_populate() from component probe using devm_request_threaded_irq(), this however means the IRQs can persist if the sound card is torn down. Some of the IRQ handlers store references to the card and the kcontrols which can then fail. Some detail of the crash was explained in [1]. Generally it is not advised to use devm outside of bus probe, so the code is updated to not use devm. The IRQ requests are not moved to bus probe time as it makes passing the snd_soc_component into the IRQs very awkward and would the require a second step once the component is available, so it is simpler to just register the IRQs at this point, even though that necessitates some manual cleanup. | 2026-05-06 | not yet calculated | CVE-2026-43095 | https://git.kernel.org/stable/c/b022da127bd9d2217e8f285e643caf5aff6f7f14 https://git.kernel.org/stable/c/4e53116437e919c4b9a9d95fb73ae14fe0cfc8f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mshv: Fix infinite fault loop on permission-denied GPA intercepts Prevent infinite fault loops when guests access memory regions without proper permissions. Currently, mshv_handle_gpa_intercept() attempts to remap pages for all faults on movable memory regions, regardless of whether the access type is permitted. When a guest writes to a read-only region, the remap succeeds but the region remains read-only, causing immediate re-fault and spinning the vCPU indefinitely. Validate intercept access type against region permissions before attempting remaps. Reject writes to non-writable regions and executes to non-executable regions early, returning false to let the VMM handle the intercept appropriately. This also closes a potential DoS vector where malicious guests could intentionally trigger these fault loops to consume host resources. | 2026-05-06 | not yet calculated | CVE-2026-43096 | https://git.kernel.org/stable/c/02226839079ccc558820a3b25c4c46812927b4ba https://git.kernel.org/stable/c/16cbec24897624051b324aa3a85859c38ca65fde |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: hv: Fix double ida_free in hv_pci_probe error path If hv_pci_probe() fails after storing the domain number in hbus->bridge->domain_nr, there is a call to free this domain_nr via pci_bus_release_emul_domain_nr(), however, during cleanup, the bridge release callback pci_release_host_bridge_dev() also frees the domain_nr causing ida_free to be called on same ID twice and triggering following warning: ida_free called for id=28971 which is not allocated. WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198 Call Trace: pci_bus_release_emul_domain_nr+0x17/0x20 pci_release_host_bridge_dev+0x4b/0x60 device_release+0x3b/0xa0 kobject_put+0x8e/0x220 devm_pci_alloc_host_bridge_release+0xe/0x20 devres_release_all+0x9a/0xd0 device_unbind_cleanup+0x12/0xa0 really_probe+0x1c5/0x3f0 vmbus_add_channel_work+0x135/0x1a0 Fix this by letting pci core handle the free domain_nr and remove the explicit free called in pci-hyperv driver. | 2026-05-06 | not yet calculated | CVE-2026-43097 | https://git.kernel.org/stable/c/21bc8e0ba5c2a081b0a2808c976d4c9dbddf1e48 https://git.kernel.org/stable/c/b6422dff0e518245019233432b6bccfc30b73e2f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfc: s3fwrn5: allocate rx skb before consuming bytes s3fwrn82_uart_read() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already deliver a complete frame before allocating a fresh receive buffer. If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks the receive_buf() accounting contract and can also lead to a NULL dereference on the next skb_put_u8(). Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted. | 2026-05-06 | not yet calculated | CVE-2026-43098 | https://git.kernel.org/stable/c/d8c2aa3c4a1ec530a485e46a1c4f1a118bb00156 https://git.kernel.org/stable/c/7c31f7a599cf00fad3c204092a91a924126c67e4 https://git.kernel.org/stable/c/6d931680a9851481c3243689488eafed08eeff71 https://git.kernel.org/stable/c/09822d3d6f68a0cdc4626e0c507324a4927f55a9 https://git.kernel.org/stable/c/5c14a19d5b1645cce1cb1252833d70b23635b632 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bridge: guard local VLAN-0 FDB helpers against NULL vlan group When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and nbp_vlan_group() return NULL (br_private.h stub definitions). The BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and reaches br_fdb_delete_locals_per_vlan_port() and br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist). The observed crash is in the delete path, triggered when creating a bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0 via RTM_NEWLINK. The insert helper has the same bug pattern. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7] RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310 Call Trace: br_fdb_toggle_local_vlan_0+0x452/0x4c0 br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276 br_boolopt_toggle net/bridge/br.c:313 br_boolopt_multi_toggle net/bridge/br.c:364 br_changelink net/bridge/br_netlink.c:1542 br_dev_newlink net/bridge/br_netlink.c:1575 Add NULL checks for the vlan group pointer in both helpers, returning early when there are no VLANs to iterate. This matches the existing pattern used by other bridge FDB functions such as br_fdb_add() and br_fdb_delete(). | 2026-05-06 | not yet calculated | CVE-2026-43100 | https://git.kernel.org/stable/c/fb612d436ff0317659e45a91c25fd7d9516f5b1b https://git.kernel.org/stable/c/ddf0ec2d600e7dad62b89692749534d7900a732a https://git.kernel.org/stable/c/1979645e1842cb7017525a61a0e0e0beb924d02a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: airoha: Fix memory leak in airoha_qdma_rx_process() If an error occurs on the subsequents buffers belonging to the non-linear part of the skb (e.g. due to an error in the payload length reported by the NIC or if we consumed all the available fragments for the skb), the page_pool fragment will not be linked to the skb so it will not return to the pool in the airoha_qdma_rx_process() error path. Fix the memory leak partially reverting commit 'd6d2b0e1538d ("net: airoha: Fix page recycling in airoha_qdma_rx_process()")' and always running page_pool_put_full_page routine in the airoha_qdma_rx_process() error path. | 2026-05-06 | not yet calculated | CVE-2026-43102 | https://git.kernel.org/stable/c/4429b761874fb9c7767d12d98913a467ef2654f1 https://git.kernel.org/stable/c/7ee0063fbab8aea8f4e4e3165f541bf898b77b80 https://git.kernel.org/stable/c/285fa6b1e03cff78ead0383e1b259c44b95faf90 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE lapbeth_data_transmit() expects the underlying device type to be ARPHRD_ETHER. Returning NOTIFY_BAD from lapbeth_device_event() makes sure bonding driver can not break this expectation. | 2026-05-06 | not yet calculated | CVE-2026-43103 | https://git.kernel.org/stable/c/363a38044b8cd5b496d241651a1fb666e7c5fe3e https://git.kernel.org/stable/c/328bb2cff5c2ed973f595ded769e15f4b7a117be https://git.kernel.org/stable/c/63851f60781aa89258c8f0952cd13940aab0888e https://git.kernel.org/stable/c/b117056768ab7deb434e7d72065e48d2083a0c2a https://git.kernel.org/stable/c/b120e4432f9f56c7103133d6a11245e617695adb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix a memory leak in hang state error path When vc4_save_hang_state() encounters an early return condition, it returns without freeing the previously allocated `kernel_state`, leaking memory. Add the missing kfree() calls by consolidating the early return paths into a single place. | 2026-05-06 | not yet calculated | CVE-2026-43104 | https://git.kernel.org/stable/c/dd5c49787a32da96a2b154427eb17cbf12a83c28 https://git.kernel.org/stable/c/d8fdd6adc07b78ad3e9ee0004876d90cb59ca941 https://git.kernel.org/stable/c/e352e9adc9f6df54d63150ff832f71c04e30744b https://git.kernel.org/stable/c/3eb7dd55021d0f4308fbea0bea21d2118984d8e7 https://git.kernel.org/stable/c/9525d169e5fd481538cf8c663cc5839e54f2e481 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix memory leak of BO array in hang state The hang state's BO array is allocated separately with kzalloc() in vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the missing kfree() for the BO array before freeing the hang state struct. | 2026-05-06 | not yet calculated | CVE-2026-43105 | https://git.kernel.org/stable/c/a812008fe3a0aebb778d277b35717f64e23d0302 https://git.kernel.org/stable/c/0d3c014a84396a147705f523a8fd6fc873e76502 https://git.kernel.org/stable/c/421cea4f71f7cf65abaae878562ee4aa2b684628 https://git.kernel.org/stable/c/b8138567c4a80fd76a647849ebd4284996cf4b17 https://git.kernel.org/stable/c/f4dfd6847b3e5d24e336bca6057485116d17aea4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: account XFRMA_IF_ID in aevent size calculation xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is set. xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) in xfrm_get_ae(), turning a malformed netlink interaction into a kernel panic. Account XFRMA_IF_ID in the size calculation unconditionally and replace the BUG_ON with normal error unwinding. | 2026-05-06 | not yet calculated | CVE-2026-43107 | https://git.kernel.org/stable/c/2c41283d94af943a05f7f2cc1a01f0c872f3cf43 https://git.kernel.org/stable/c/e62e322ea20be78e346e4b49f9a6b9f03313af4c https://git.kernel.org/stable/c/58e5735d1a5373652f405a0c16e54ac04aaab0ad https://git.kernel.org/stable/c/7081d46d32312f1a31f0e0e99c6835a394037599 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei It looks element length declared in servreg_loc_pfr_req_ei for reason not matching servreg_loc_pfr_req's reason field due which we could observe decoding error on PD crash. qmi_decode_string_elem: String len 81 >= Max Len 65 Fix this by matching with servreg_loc_pfr_req's reason field. | 2026-05-06 | not yet calculated | CVE-2026-43108 | https://git.kernel.org/stable/c/c93ca7c5a72e23a83a0b96f7f5c41a7a72f1dc47 https://git.kernel.org/stable/c/7d75145672cf2ec7c5417e3243af72c48314f7bb https://git.kernel.org/stable/c/cba84132c2ac7c08b215ce4962bc6f522c08a88c https://git.kernel.org/stable/c/641f6fda143b879da1515f821ee475073678cf2a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86: shadow stacks: proper error handling for mmap lock 김영민 reports that shstk_pop_sigframe() doesn't check for errors from mmap_read_lock_killable(), which is a silly oversight, and also shows that we haven't marked those functions with "__must_check", which would have immediately caught it. So let's fix both issues. | 2026-05-06 | not yet calculated | CVE-2026-43109 | https://git.kernel.org/stable/c/c64cebcc5c4f223dbcbe7dcdf74908fc092a0aa4 https://git.kernel.org/stable/c/262b6d38a81d51b135db81e1f30c13d30e38feee https://git.kernel.org/stable/c/52f657e34d7b21b47434d9d8b26fa7f6778b63a0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: srcu: Use irq_work to start GP in tiny SRCU Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), which acquires the workqueue pool->lock. This causes a lockdep splat when call_srcu() is called with a scheduler lock held, due to: call_srcu() [holding pi_lock] srcu_gp_start_if_needed() schedule_work() -> pool->lock workqueue_init() / create_worker() [holding pool->lock] wake_up_process() -> try_to_wake_up() -> pi_lock Also add irq_work_sync() to cleanup_srcu_struct() to prevent a use-after-free if a queued irq_work fires after cleanup begins. Tested with rcutorture SRCU-T and no lockdep warnings. [ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work to start process_srcu()" ] | 2026-05-06 | not yet calculated | CVE-2026-43115 | https://git.kernel.org/stable/c/bb37286db65368cb72ba8757ad86299c4e4a73fc https://git.kernel.org/stable/c/a6fc88b22bc8d12ad52e8412c667ec0f5bf055af |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix zero size inode with non-zero size after log replay When logging that an inode exists, as part of logging a new name or logging new dir entries for a directory, we always set the generation of the logged inode item to 0. This is to signal during log replay (in overwrite_item()), that we should not set the i_size since we only logged that an inode exists, so the i_size of the inode in the subvolume tree must be preserved (as when we log new names or that an inode exists, we don't log extents). This works fine except when we have already logged an inode in full mode or it's the first time we are logging an inode created in a past transaction, that inode has a new i_size of 0 and then we log a new name for the inode (due to a new hardlink or a rename), in which case we log an i_size of 0 for the inode and a generation of 0, which causes the log replay code to not update the inode's i_size to 0 (in overwrite_item()). An example scenario: mkdir /mnt/dir xfs_io -f -c "pwrite 0 64K" /mnt/dir/foo sync xfs_io -c "truncate 0" -c "fsync" /mnt/dir/foo ln /mnt/dir/foo /mnt/dir/bar xfs_io -c "fsync" /mnt/dir <power fail> After log replay the file remains with a size of 64K. This is because when we first log the inode, when we fsync file foo, we log its current i_size of 0, and then when we create a hard link we log again the inode in exists mode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we add to the log tree, so during log replay overwrite_item() sees that the generation is 0 and i_size is 0 so we skip updating the inode's i_size from 64K to 0. Fix this by making sure at fill_inode_item() we always log the real generation of the inode if it was logged in the current transaction with the i_size we logged before. Also if an inode created in a previous transaction is logged in exists mode only, make sure we log the i_size stored in the inode item located from the commit root, so that if we log multiple times that the inode exists we get the correct i_size. A test case for fstests will follow soon. | 2026-05-06 | not yet calculated | CVE-2026-43118 | https://git.kernel.org/stable/c/fddb157536e67a055597f00a8b4922d5f5ed0826 https://git.kernel.org/stable/c/03e966b63df5b06790310c1faaf3e0cb43adea8b https://git.kernel.org/stable/c/5254d4181add9dfaa5e3519edd71cc8f752b2f85 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: annotate data-races around hdev->req_status __hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock: hdev->req_status = HCI_REQ_PEND; However, several other functions read or write hdev->req_status without holding any lock: - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue) - hci_cmd_sync_complete() reads/writes from HCI event completion - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write - hci_abort_conn() reads in connection abort path Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while hci_send_cmd_sync() runs on hdev->workqueue, these are different workqueues that can execute concurrently on different CPUs. The plain C accesses constitute a data race. Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses to hdev->req_status to prevent potential compiler optimizations that could affect correctness (e.g., load fusing in the wait_event condition or store reordering). | 2026-05-06 | not yet calculated | CVE-2026-43119 | https://git.kernel.org/stable/c/6e539907c0d11f514c5e0b049b27b04dff48a5b1 https://git.kernel.org/stable/c/a7a1cdb4a64ca74eb95cc46648fccb8cd3f9af27 https://git.kernel.org/stable/c/40734ce8efc34c4a0d0222855798c0dc14b65f2e https://git.kernel.org/stable/c/b6807cfc195ef99e1ac37b2e1e60df40295daa8c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_ref race between scrub and refill paths The io_zcrx_put_niov_uref() function uses a non-atomic check-then-decrement pattern (atomic_read followed by separate atomic_dec) to manipulate user_refs. This is serialized against other callers by rq_lock, but io_zcrx_scrub() modifies the same counter with atomic_xchg() WITHOUT holding rq_lock. On SMP systems, the following race exists: CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock) put_niov_uref: atomic_read(uref) - 1 // window opens atomic_xchg(uref, 0) - 1 return_niov_freelist(niov) [PUSH #1] // window closes atomic_dec(uref) - wraps to -1 returns true return_niov(niov) return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE] The same niov is pushed to the freelist twice, causing free_count to exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds write (a u32 value) past the kvmalloc'd freelist array into the adjacent slab object. Fix this by replacing the non-atomic read-then-dec in io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically tests and decrements user_refs. This makes the operation safe against concurrent atomic_xchg from scrub without requiring scrub to acquire rq_lock. [pavel: removed a warning and a comment] | 2026-05-06 | not yet calculated | CVE-2026-43121 | https://git.kernel.org/stable/c/a94f096e28bfc7975163a6b80f1c8f323efe317a https://git.kernel.org/stable/c/485dc691257b96e6d3bdc25b0eff2daadcc5c46c https://git.kernel.org/stable/c/003049b1c4fb8aabb93febb7d1e49004f6ad653b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Update cpuidle driver check in __acpi_processor_start() Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle driver registration") moved the ACPI idle driver registration to acpi_processor_driver_init() and acpi_processor_power_init() does not register an idle driver any more. Accordingly, the cpuidle driver check in __acpi_processor_start() needs to be updated to avoid calling acpi_processor_power_init() without a cpuidle driver, in which case the registration of the cpuidle device in that function would lead to a NULL pointer dereference in __cpuidle_register_device(). | 2026-05-06 | not yet calculated | CVE-2026-43122 | https://git.kernel.org/stable/c/68f38f648e4b5bed2aeadd2f711e25302e6490f8 https://git.kernel.org/stable/c/6cfed39c2ce64ac024bbde458a9727105e0b8c66 https://git.kernel.org/stable/c/0089ce1c056aee547115bdc25c223f8f88c08498 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbcon: check return value of con2fb_acquire_newinfo() If fbcon_open() fails when called from con2fb_acquire_newinfo() then info->fbcon_par pointer remains NULL which is later dereferenced. Add check for return value of the function con2fb_acquire_newinfo() to avoid it. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-05-06 | not yet calculated | CVE-2026-43123 | https://git.kernel.org/stable/c/d3e535533767c85788529e626478718b7e95a59f https://git.kernel.org/stable/c/3b5a754ec86bc6064af9aca76eb191c2405e6b0c https://git.kernel.org/stable/c/a785c4e2a999c2d51dfcf40d317cfb30cc735d2c https://git.kernel.org/stable/c/0b038c0be6827dd2dbb1ce4f8d92d97c80cbe9cc https://git.kernel.org/stable/c/11a93180a70bb3095a9bd80d113d9277e30d9959 https://git.kernel.org/stable/c/f57b61624c86ef8f87f6e6b7dd0755de03d90e89 https://git.kernel.org/stable/c/011a0502801c8536f64141a2b61362c14f456544 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pstore: ram_core: fix incorrect success return when vmap() fails In persistent_ram_vmap(), vmap() may return NULL on failure. If offset is non-zero, adding offset_in_page(start) causes the function to return a non-NULL pointer even though the mapping failed. persistent_ram_buffer_map() therefore incorrectly returns success. Subsequent access to prz->buffer may dereference an invalid address and cause crashes. Add proper NULL checking for vmap() failures. | 2026-05-06 | not yet calculated | CVE-2026-43124 | https://git.kernel.org/stable/c/d47234840aeb4182ed3ee795c578b1dfa9cbd25b https://git.kernel.org/stable/c/49918dd52615097529811d21ec6074dd02ebe77c https://git.kernel.org/stable/c/8baa234181f632cabacf73e4834a910859e9fcc9 https://git.kernel.org/stable/c/1da904e84de608907662ad8a51ba9c571d61e003 https://git.kernel.org/stable/c/8d849adfbc3e98417fb541620568db1a759ef441 https://git.kernel.org/stable/c/2c99326dc1c79b7ce3c8dd92929b5ce724ff70eb https://git.kernel.org/stable/c/88d5b28f63c7aac1271784e3b800ed405d1cde75 https://git.kernel.org/stable/c/05363abc7625cf18c96e67f50673cd07f11da5e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs3: fix circular locking dependency in run_unpack_ex Syzbot reported a circular locking dependency between wnd->rw_lock (sbi->used.bitmap) and ni->file.run_lock. The deadlock scenario: 1. ntfs_extend_mft() takes ni->file.run_lock then wnd->rw_lock. 2. run_unpack_ex() takes wnd->rw_lock then tries to acquire ni->file.run_lock inside ntfs_refresh_zone(). This creates an AB-BA deadlock. Fix this by using down_read_trylock() instead of down_read() when acquiring run_lock in run_unpack_ex(). If the lock is contended, skip ntfs_refresh_zone() - the MFT zone will be refreshed on the next MFT operation. This breaks the circular dependency since we never block waiting for run_lock while holding wnd->rw_lock. | 2026-05-06 | not yet calculated | CVE-2026-43127 | https://git.kernel.org/stable/c/b014372b62237521444ee51384549bdf48b79015 https://git.kernel.org/stable/c/b8d22d9d8260b0f4f4d8e2898c98037c9982ea66 https://git.kernel.org/stable/c/08ce2fee1b869ecbfbd94e0eb2630e52203a2e03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ima: verify the previous kernel's IMA buffer lies in addressable RAM Patch series "Address page fault in ima_restore_measurement_list()", v3. When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>" we observe a pafe fault that happens. BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) not-present page This happens on x86_64 only, as this is already fixed in aarch64 in commit: cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds") This patch (of 3): When the second-stage kernel is booted with a limiting command line (e.g. "mem=<size>"), the IMA measurement buffer handed over from the previous kernel may fall outside the addressable RAM of the new kernel. Accessing such a buffer can fault during early restore. Introduce a small generic helper, ima_validate_range(), which verifies that a physical [start, end] range for the previous-kernel IMA buffer lies within addressable memory: - On x86, use pfn_range_is_mapped(). - On OF based architectures, use page_is_ram(). | 2026-05-06 | not yet calculated | CVE-2026-43129 | https://git.kernel.org/stable/c/f11d7d088f5ed54b31c6735854c12845eb60eb4a https://git.kernel.org/stable/c/9e1f51c1ad57cc76a0e8b5eb27038f8973fff4fa https://git.kernel.org/stable/c/5366ec7d2f793ce703c403d7fd4c25a3db365b9d https://git.kernel.org/stable/c/10d1c75ed4382a8e79874379caa2ead8952734f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") relies on pci_dev_is_disconnected() to skip ATS invalidation for safely-removed devices, but it does not cover link-down caused by faults, which can still hard-lock the system. For example, if a VM fails to connect to the PCIe device, "virsh destroy" is executed to release resources and isolate the fault, but a hard-lockup occurs while releasing the group fd. Call Trace: qi_submit_sync qi_flush_dev_iotlb intel_pasid_tear_down_entry device_block_translation blocking_domain_attach_dev __iommu_attach_device __iommu_device_set_domain __iommu_group_set_domain_internal iommu_detach_group vfio_iommu_type1_detach_group vfio_group_detach_container vfio_group_fops_release __fput Although pci_device_is_present() is slower than pci_dev_is_disconnected(), it still takes only ~70 µs on a ConnectX-5 (8 GT/s, x2) and becomes even faster as PCIe speed and width increase. Besides, devtlb_invalidation_with_pasid() is called only in the paths below, which are far less frequent than memory map/unmap. 1. mm-struct release 2. {attach,release}_dev 3. set/remove PASID 4. dirty-tracking setup The gain in system stability far outweighs the negligible cost of using pci_device_is_present() instead of pci_dev_is_disconnected() to decide when to skip ATS invalidation, especially under GDR high-load conditions. | 2026-05-06 | not yet calculated | CVE-2026-43130 | https://git.kernel.org/stable/c/581ce094d9eafb78ec4f9de77bd24b780c151236 https://git.kernel.org/stable/c/e2c78c69f8faf2885ea4ceee08c71ac738f401a0 https://git.kernel.org/stable/c/ead67d0378e90f419e385a43af29435242d80c12 https://git.kernel.org/stable/c/01aed2f1d7cb8fdf4c60c5bb4727608cb82b401d https://git.kernel.org/stable/c/9813306610d0d718c863aaa70928bf57d7570ec0 https://git.kernel.org/stable/c/9deaacc8dcaddb6ddc5b52e1e63b457450ec0f94 https://git.kernel.org/stable/c/0da6697e577023d8867c7beb2d16a22510e4eea9 https://git.kernel.org/stable/c/10e60d87813989e20eac1f3eda30b3bae461e7f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Fix null pointer dereference issue If SMU is disabled, during RAS initialization, there will be null pointer dereference issue here. | 2026-05-06 | not yet calculated | CVE-2026-43131 | https://git.kernel.org/stable/c/8e035505fa0e5b7c4306fd3f4e27f8e8f5bfad8c https://git.kernel.org/stable/c/1197366cca89a4c44c541ddedb8ce8bf0757993d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm-verity: correctly handle dm_bufio_client_create() failure If either of the calls to dm_bufio_client_create() in verity_fec_ctr() fails, then dm_bufio_client_destroy() is later called with an ERR_PTR() argument. That causes a crash. Fix this. | 2026-05-06 | not yet calculated | CVE-2026-43132 | https://git.kernel.org/stable/c/6283e49af87a9c121bb01e5a64a7fe5706c210bc https://git.kernel.org/stable/c/d3e1f1adc8a0289efe2d2cdc90edb8c6ffe0b5ef https://git.kernel.org/stable/c/5c2217ddb3b7e7ac25f4ebe9061258fc8f1c9167 https://git.kernel.org/stable/c/031f2adc1499b112a39ac316bbab3c80bba16cf2 https://git.kernel.org/stable/c/9b8dc1d327e2928f3da59ced0595d850d31c0936 https://git.kernel.org/stable/c/451cc650e40e8c3222d37877a9e4be0fcaacb9c8 https://git.kernel.org/stable/c/b154a868a3856fb5216c4f82981d8a503832e095 https://git.kernel.org/stable/c/119f4f04186fa4f33ee6bd39af145cdaff1ff17f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: cx23885: Add missing unmap in snd_cx23885_hw_params() In error path, add cx23885_alsa_dma_unmap() to release the resource acquired by cx23885_alsa_dma_map(). | 2026-05-06 | not yet calculated | CVE-2026-43135 | https://git.kernel.org/stable/c/fda46c9025b755ea50a969b960f333be62421b71 https://git.kernel.org/stable/c/0b7f56084cc3d7766bf274b71cd14cc9674b76bf https://git.kernel.org/stable/c/505630dd1ebf4b53d3f2866c057ddd93157a24d8 https://git.kernel.org/stable/c/544215cc37d032ccaf1919852c05e2439a4d7540 https://git.kernel.org/stable/c/9c0a6ff538660c36a98081916a24f08d55a91331 https://git.kernel.org/stable/c/9544b73cad4ee667fed6a60f71570c58a870a735 https://git.kernel.org/stable/c/fc4df593a8ffded2f77d69a73ecb51d364932ca5 https://git.kernel.org/stable/c/141c81849fab2ad4d6e3fdaff7cbaa873e8b5eb2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Check maxfield in hidpp_get_report_length() Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be used to crash the kernel over USB. | 2026-05-06 | not yet calculated | CVE-2026-43136 | https://git.kernel.org/stable/c/ae81fac9ce81917817d787e6b74e68482d99bdf2 https://git.kernel.org/stable/c/2dc023dbc11b8dfa8afa63242762acd8cddcad03 https://git.kernel.org/stable/c/7f59999fcd699af06ad2aef446a635ea6aa87db3 https://git.kernel.org/stable/c/b74bf7d0d01fa9b53653f58c29aa00772121f6e9 https://git.kernel.org/stable/c/f1ceaaf93ea32d0f2b95c95f784ee155962c52ad https://git.kernel.org/stable/c/1acb28123e57b50d737377f400f57eec889fe5e4 https://git.kernel.org/stable/c/fb1725c0804dbec9dd01c4cb5c9f1f77a69e36dc https://git.kernel.org/stable/c/1547d41f9f19d691c2c9ce4c29f746297baef9e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Fix NULL pointer dereference If there's a mismatch between the DAI links in the machine driver and the topology, it is possible that the playback/capture widget is not set, especially in the case of loopback capture for echo reference where we use the dummy DAI link. Return the error when the widget is not set to avoid a null pointer dereference like below when the topology is broken. RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common] | 2026-05-06 | not yet calculated | CVE-2026-43137 | https://git.kernel.org/stable/c/10411f1f2c76be67103b1f95822ff629aa25e2aa https://git.kernel.org/stable/c/42068f7dd42b559c4eeae645e1455ff36518866a https://git.kernel.org/stable/c/7750d78b4014902bc0ac03d4bb30faa076a913ab https://git.kernel.org/stable/c/16c589567a956d46a7c1363af3f64de3d420af20 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: reset: gpio: suppress bind attributes in sysfs This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't have a devlink between it and the actual reset consumer. Suppress sysfs bind attributes so that user-space can't unbind the device because - as of now - it will cause a use-after-free splat from any user that puts the reset control handle. | 2026-05-06 | not yet calculated | CVE-2026-43138 | https://git.kernel.org/stable/c/09d6efc6abd42809956d598906c222ccd1c8ae92 https://git.kernel.org/stable/c/76801c3dfca0ac6339a23e9615b5f23e25b8644c https://git.kernel.org/stable/c/1d7d869f074f98c34fe23f6a56e5f3acc1f95a2b https://git.kernel.org/stable/c/16de4c6a8fe9ff497ca1aba33ef0dbee09f11952 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: magicmouse: Do not crash on missing msc->input Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, msc->input stays NULL, leading to a crash at a later time. Detect this condition in the input_configured() hook and reject the device. This is not supposed to happen with actual magic mouse devices, but can be provoked by imposing as a magic mouse USB device. | 2026-05-06 | not yet calculated | CVE-2026-43140 | https://git.kernel.org/stable/c/db5ba06e7af9325519a03e52fccf4a9e7c1fd9b2 https://git.kernel.org/stable/c/165912d4321c692321c02793068d30700b4e0f1a https://git.kernel.org/stable/c/f6a3860241fbb556fd72332fa31c5e787004413b https://git.kernel.org/stable/c/243e1165eb03aca97d87aafa9c3130593837a1c2 https://git.kernel.org/stable/c/922bd3e498a4b8e445def6e6ffea2ad3682ad516 https://git.kernel.org/stable/c/5bbe266272d86c0657e8253600f3d5b74fb7b2ae https://git.kernel.org/stable/c/36c83c1329dd881f290f7df2feadfb9a21775108 https://git.kernel.org/stable/c/17abd396548035fbd6179ee1a431bd75d49676a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut Number of MW LUTs depends on NTB configuration and can be set to zero, in such scenario rounddown_pow_of_two will cause undefined behaviour and should not be performed. This patch ensures that rounddown_pow_of_two is called on valid value. | 2026-05-06 | not yet calculated | CVE-2026-43141 | https://git.kernel.org/stable/c/d652ef399f131fcd5f8f34266167449ee7c9e5b3 https://git.kernel.org/stable/c/5590cd04d6845c01a6bad985a491c58af6fb5389 https://git.kernel.org/stable/c/a11d03d116eef138a7249202bd772c8e61915aec https://git.kernel.org/stable/c/d0559d07afabfddaaded6a61a16154486b956764 https://git.kernel.org/stable/c/2e4d5e8d86a969318340be95470bb76e52392082 https://git.kernel.org/stable/c/a133e3caf844a3f56b6eef89ddaa66115874f6bd https://git.kernel.org/stable/c/1a867d0d79a4a570a33f2f433919ad2bd7a27b67 https://git.kernel.org/stable/c/186615f8855a0be4ee7d3fcd09a8ecc10e783b08 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: gen1: Destroy internal buffers after FW releases After the firmware releases internal buffers, the driver was not destroying them. This left stale allocations that were no longer used, especially across resolution changes where new buffers are allocated per the updated requirements. As a result, memory was wasted until session close. Destroy internal buffers once the release response is received from the firmware. | 2026-05-06 | not yet calculated | CVE-2026-43142 | https://git.kernel.org/stable/c/7cde76db8883ec8a3d1456068079ecadbfb15ca5 https://git.kernel.org/stable/c/d4457f23ac0130240053a34be663f0fade3bb371 https://git.kernel.org/stable/c/1dabf00ee206eceb0f08a1fe5d1ce635f9064338 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mfd: core: Add locking around 'mfd_of_node_list' Manipulating a list in the kernel isn't safe without some sort of mutual exclusion. Add a mutex any time we access / modify 'mfd_of_node_list' to prevent possible crashes. | 2026-05-06 | not yet calculated | CVE-2026-43143 | https://git.kernel.org/stable/c/dcfa679bba02412f2087be21cf06ae88b1f4e0ef https://git.kernel.org/stable/c/e2e7c275f557e2b75e3128f4818063798248774c https://git.kernel.org/stable/c/db131ef9d8980cf60dcac8cf94c036eccf75e5d0 https://git.kernel.org/stable/c/9b02e3fec3a7fcb990b4d3bd3b13d7edf123dca6 https://git.kernel.org/stable/c/45341856ecda1d56689451abd5cf1d1aa57dbe47 https://git.kernel.org/stable/c/20117c92bcf9c11afd64d7481d8f94fdf410726e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential kernel oops when probe fails When probe of the sdio brcmfmac device fails for some reasons (i.e. missing firmware), the sdiodev->bus is set to error instead of NULL, thus the cleanup later in brcmf_sdio_remove() tries to free resources via invalid bus pointer. This happens because sdiodev->bus is set 2 times: first in brcmf_sdio_probe() and second time in brcmf_sdiod_probe(). Fix this by chaning the brcmf_sdio_probe() function to return the error code and set sdio->bus only there. | 2026-05-06 | not yet calculated | CVE-2026-43144 | https://git.kernel.org/stable/c/64ccb0aac41c5055780c2a58bbe2c1b362ceccde https://git.kernel.org/stable/c/379aac7ee8240848aa35f605b06addb4617c863e https://git.kernel.org/stable/c/243307a0d1b0d01538e202c00454c28b21d4432e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: remoteproc: imx_rproc: Fix invalid loaded resource table detection imx_rproc_elf_find_loaded_rsc_table() may incorrectly report a loaded resource table even when the current firmware does not provide one. When the device tree contains a "rsc-table" entry, priv->rsc_table is non-NULL and denotes where a resource table would be located if one is present in memory. However, when the current firmware has no resource table, rproc->table_ptr is NULL. The function still returns priv->rsc_table, and the remoteproc core interprets this as a valid loaded resource table. Fix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when there is no resource table for the current firmware (i.e. when rproc->table_ptr is NULL). This aligns the function's semantics with the remoteproc core: a loaded resource table is only reported when a valid table_ptr exists. With this change, starting firmware without a resource table no longer triggers a crash. | 2026-05-06 | not yet calculated | CVE-2026-43145 | https://git.kernel.org/stable/c/91baf24d972ea3c04a75dd18821c03d223c0dbc0 https://git.kernel.org/stable/c/fcec79b6a3649ae7b1f659267602ca402c240d6e https://git.kernel.org/stable/c/9bd98d088f47153a81a6ec8162b4415c64aa7f39 https://git.kernel.org/stable/c/65379adf7d231c930572db45933ff4538f4c5128 https://git.kernel.org/stable/c/500778df9e4c313190368908ff40c23948508e97 https://git.kernel.org/stable/c/198c629bd03863591f3fbf5ce8ff974a33f13dc9 https://git.kernel.org/stable/c/26aa5295010ffaebcf8f1991c53fa7cf2ee1b20d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: Add buffer to list only after successful allocation Move `list_add_tail()` to after `dma_alloc_attrs()` succeeds when creating internal buffers. Previously, the buffer was enqueued in `buffers->list` before the DMA allocation. If the allocation failed, the function returned `-ENOMEM` while leaving a partially initialized buffer in the list, which could lead to inconsistent state and potential leaks. By adding the buffer to the list only after `dma_alloc_attrs()` succeeds, we ensure the list contains only valid, fully initialized buffers. | 2026-05-06 | not yet calculated | CVE-2026-43146 | https://git.kernel.org/stable/c/45b30f65feeb4d5570d5337793bb0f298be813d2 https://git.kernel.org/stable/c/98b4c4c90f1e11caecbe2093dbe3a901d338bc81 https://git.kernel.org/stable/c/2d0bbd982dfdd67da488a772f7a8a1bdca7642bf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV" This reverts commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"), which causes a deadlock by recursively taking pci_rescan_remove_lock when sriov_del_vfs() is called as part of pci_stop_and_remove_bus_device(). For example with the following sequence of commands: $ echo <NUM> > /sys/bus/pci/devices/<pf>/sriov_numvfs $ echo 1 > /sys/bus/pci/devices/<pf>/remove A trimmed trace of the deadlock on a mlx5 device is as below: zsh/5715 is trying to acquire lock: 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: sriov_disable+0x34/0x140 but task is already holding lock: 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_stop_and_remove_bus_device_locked+0x24/0x80 ... Call Trace: [<00000259778c4f90>] dump_stack_lvl+0xc0/0x110 [<00000259779c844e>] print_deadlock_bug+0x31e/0x330 [<00000259779c1908>] __lock_acquire+0x16c8/0x32f0 [<00000259779bffac>] lock_acquire+0x14c/0x350 [<00000259789643a6>] __mutex_lock_common+0xe6/0x1520 [<000002597896413c>] mutex_lock_nested+0x3c/0x50 [<00000259784a07e4>] sriov_disable+0x34/0x140 [<00000258f7d6dd80>] mlx5_sriov_disable+0x50/0x80 [mlx5_core] [<00000258f7d5745e>] remove_one+0x5e/0xf0 [mlx5_core] [<00000259784857fc>] pci_device_remove+0x3c/0xa0 [<000002597851012e>] device_release_driver_internal+0x18e/0x280 [<000002597847ae22>] pci_stop_bus_device+0x82/0xa0 [<000002597847afce>] pci_stop_and_remove_bus_device_locked+0x5e/0x80 [<00000259784972c2>] remove_store+0x72/0x90 [<0000025977e6661a>] kernfs_fop_write_iter+0x15a/0x200 [<0000025977d7241c>] vfs_write+0x24c/0x300 [<0000025977d72696>] ksys_write+0x86/0x110 [<000002597895b61c>] __do_syscall+0x14c/0x400 [<000002597896e0ee>] system_call+0x6e/0x90 This alone is not a complete fix as it restores the issue the cited commit tried to solve. A new fix will be provided as a follow on. | 2026-05-06 | not yet calculated | CVE-2026-43147 | https://git.kernel.org/stable/c/f61cdd7e9b67bb8961b0a81bf294b78343e5db05 https://git.kernel.org/stable/c/0de341b2365bad430aade0853fe09c2cbe468f59 https://git.kernel.org/stable/c/83651d37474c762920e345a3a0828f975ca4d732 https://git.kernel.org/stable/c/639265296fe6ee21b6f00e00ee2bab65f3b07252 https://git.kernel.org/stable/c/d47f27e145f8bd13f3c230da5e3af29225b4a2f7 https://git.kernel.org/stable/c/40f67686a5002c0c322fac918406bbc8d9c2ec2f https://git.kernel.org/stable/c/58677783c89681871077f50a7042b0c6380c4fd8 https://git.kernel.org/stable/c/2fa119c0e5e528453ebae9e70740e8d2d8c0ed5a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/smp: Add check for kcalloc() failure in parse_thread_groups() As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). | 2026-05-06 | not yet calculated | CVE-2026-43148 | https://git.kernel.org/stable/c/1de31dba19c3cd0c1caf388a286b46df638f0b91 https://git.kernel.org/stable/c/b265e53d9adfbb5751713185843f7188aa9dd066 https://git.kernel.org/stable/c/9d0ca11258e7b452653d04310addfec1753de1a2 https://git.kernel.org/stable/c/ca46d2092f307385a7acfb42632056570d6dbbbc https://git.kernel.org/stable/c/9b85c8f624b0f8cf9b932f5a65dacd56a1f47a72 https://git.kernel.org/stable/c/8b221db0b7d24675e465e98d9326d298025a4e8d https://git.kernel.org/stable/c/33c1c6d8a28a2761ac74b0380b2563cf546c2a3a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean() The priv->rx_buffer and priv->tx_buffer are alloc'd together as contiguous buffers in uhdlc_init() but freed as two buffers in uhdlc_memclean(). Change the cleanup to only call dma_free_coherent() once on the whole buffer. | 2026-05-06 | not yet calculated | CVE-2026-43149 | https://git.kernel.org/stable/c/6496fb830cbb741d831225cc4e7e5601c6e42970 https://git.kernel.org/stable/c/ba8d8429e5d6c36f9a654d2b96b9e043c43d92b4 https://git.kernel.org/stable/c/011ae5dd84dc9f05eb9b8e1adff44252ac776e7b https://git.kernel.org/stable/c/0f85a9655445e67bb0238cfc983d7c383b54938e https://git.kernel.org/stable/c/84b932bc9899d43e5829e6cf088b72d73a922b2b https://git.kernel.org/stable/c/d8a522085d09b30aba1016daf1dddac37c0f0285 https://git.kernel.org/stable/c/d68994e37ac3b285692559776e0279a88a3b5f8d https://git.kernel.org/stable/c/36bd7d5deef936c4e1e3cd341598140e5c14c1d3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "media: iris: Add sanity check for stop streaming" This reverts commit ad699fa78b59241c9d71a8cafb51525f3dab04d4. Revert the check that skipped stop_streaming when the instance was in IRIS_INST_ERROR, as it caused multiple regressions: 1. Buffers were not returned to vb2 when the instance was already in error state, triggering warnings in the vb2 core because buffer completion was skipped. 2. If a session failed early (e.g. unsupported configuration), the instance transitioned to IRIS_INST_ERROR. When userspace attempted to stop streaming for cleanup, stop_streaming was skipped due to the added check, preventing proper teardown and leaving the firmware in an inconsistent state. | 2026-05-06 | not yet calculated | CVE-2026-43151 | https://git.kernel.org/stable/c/bd4f8fa216182f33c06d4c1e162975a0c42fb14e https://git.kernel.org/stable/c/a58b9d1c1cf81c0b29f1983c63c3e0c0caa68398 https://git.kernel.org/stable/c/370e19042fb8ac68109f8bdb0fdd8118baf39318 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: hid-pl: handle probe errors Errors in init must be reported back or we'll follow a NULL pointer the first time FF is used. | 2026-05-06 | not yet calculated | CVE-2026-43152 | https://git.kernel.org/stable/c/78df3de826668fe842c6061a91bc1ed68f493e80 https://git.kernel.org/stable/c/8a84149337eb5e716e6d59f48ff0374dae8d8b2b https://git.kernel.org/stable/c/926e6715b48b575ed7754bf163a67686bb2eb111 https://git.kernel.org/stable/c/449004434e1f55be85604b2645f2d07c4a92fe53 https://git.kernel.org/stable/c/04e50f45b5175bb90a06f5003113cb4ed6ba44c2 https://git.kernel.org/stable/c/1d46d07458dba369daf61fb643d40a62c8423d8e https://git.kernel.org/stable/c/7d2f4fdf134e7398847417b25743e1e04928c7d7 https://git.kernel.org/stable/c/3756a272d2cf356d2203da8474d173257f5f8521 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits in volume label handling Crafted EROFS images containing valid volume labels can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system crashes or other severe issues. | 2026-05-06 | not yet calculated | CVE-2026-43154 | https://git.kernel.org/stable/c/8d8a878ef60801d867119b3df6a93e2982d62a71 https://git.kernel.org/stable/c/d498bd168494ad4a4bce16192bfb9ce04ca19c9a https://git.kernel.org/stable/c/3afa4da38802a4cba1c23848a32284e7e57b831b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mux: mmio: fix regmap leak on probe failure The mmio regmap that may be allocated during probe is never freed. Switch to using the device managed allocator so that the regmap is released on probe failures (e.g. probe deferral) and on driver unbind. | 2026-05-06 | not yet calculated | CVE-2026-43155 | https://git.kernel.org/stable/c/76096f156fe9dc9fbd6e4618088706e91b9b0a6c https://git.kernel.org/stable/c/cbde3c109d52564ae2c12e514c33c44345e84b2c https://git.kernel.org/stable/c/3c4ae63073d84abee5d81ce46d86a94e9dae9c89 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: enable basic endpoint checking pegasus_probe() fills URBs with hardcoded endpoint pipes without verifying the endpoint descriptors: - usb_rcvbulkpipe(dev, 1) for RX data - usb_sndbulkpipe(dev, 2) for TX data - usb_rcvintpipe(dev, 3) for status interrupts A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes. Add a pegasus_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls before any resource allocation to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time, and avoid triggering assertion. Similar fix to - commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking") - commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking") | 2026-05-06 | not yet calculated | CVE-2026-43156 | https://git.kernel.org/stable/c/a3e64e950a3981a8199de9798f6d21261b959171 https://git.kernel.org/stable/c/229dc9b9db475ac900182bafe258943e0e054c6d https://git.kernel.org/stable/c/26b3ec62fa1a94ac801feca47f040fc729b3c174 https://git.kernel.org/stable/c/35854ed5c40b02f95824e44398f9d2ba33727203 https://git.kernel.org/stable/c/67ba6b13dbcaf45681fb6758794c5ac5fa589a6c https://git.kernel.org/stable/c/d2e7c898cc02dfe42443489a67a45ed616cb76e9 https://git.kernel.org/stable/c/2705709f6574a088aab246af72fc95f2fea51484 https://git.kernel.org/stable/c/3d7e6ce34f4fcc7083510c28b17a7c36462a25d4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: CGX: fix bitmap leaks The RX/TX flow-control bitmaps (rx_fc_pfvf_bmap and tx_fc_pfvf_bmap) are allocated by cgx_lmac_init() but never freed in cgx_lmac_exit(). Unbinding and rebinding the driver therefore triggers kmemleak: unreferenced object (size 16): backtrace: rvu_alloc_bitmap cgx_probe Free both bitmaps during teardown. | 2026-05-06 | not yet calculated | CVE-2026-43157 | https://git.kernel.org/stable/c/ad8a13a45c5c24d0d32de9a1c3fd58498a675ece https://git.kernel.org/stable/c/013ac469596a0b8671e62d89c89ae0bd46bbe667 https://git.kernel.org/stable/c/ccef79af58b43787c25710c9da96651c6ddfe50f https://git.kernel.org/stable/c/6d389382ee655128056fbdab86baad8495ffbf33 https://git.kernel.org/stable/c/ccca14bbdcc25829d355b9f4d3249f43dadb71c1 https://git.kernel.org/stable/c/3def995c4ede842adf509c410e92d09a0cedc965 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix null dereference in find_network The variable pwlan has the possibility of being NULL when passed into rtw_free_network_nolock() which would later dereference the variable. | 2026-05-06 | not yet calculated | CVE-2026-43159 | https://git.kernel.org/stable/c/3b1d0c9a1f78836d0bce6fdd37f596f22c19b03e https://git.kernel.org/stable/c/1aa9c59f4b96a9056c02476c7ca89e96d15e0645 https://git.kernel.org/stable/c/48b4dec3a8bfd667cd0cd767eaf511176193e9a1 https://git.kernel.org/stable/c/cc3f83b6fb3773ad943365d1cd774b4ec050332e https://git.kernel.org/stable/c/04d24a3654ed195485bc6346a9ef326fc494a34e https://git.kernel.org/stable/c/677490a6bd4c63acdf6f48e4aaf6a23d7e6a446f https://git.kernel.org/stable/c/7fa16ffed2b9d9d44940990c1f31159770769aeb https://git.kernel.org/stable/c/41460a19654c32d39fd0e3a3671cd8d4b7b8479f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mfd: macsmc: Initialize mutex Initialize struct apple_smc's mutex in apple_smc_probe(). Using the mutex uninitialized surprisingly resulted only in occasional NULL pointer dereferences in apple_smc_read() calls from the probe() functions of sub devices. | 2026-05-06 | not yet calculated | CVE-2026-43160 | https://git.kernel.org/stable/c/a1e9e299c0d9ea42ab1067b39fb72e976d3f1bdb https://git.kernel.org/stable/c/2d5932588f029f7787f52c29174fead9bbc6b2cf https://git.kernel.org/stable/c/414f65d6736342c77d4ec5e7373039f4a09250dd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode PCIe endpoints with ATS enabled and passed through to userspace (e.g., QEMU, DPDK) can hard-lock the host when their link drops, either by surprise removal or by a link fault. Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") adds pci_dev_is_disconnected() to devtlb_invalidation_with_pasid() so ATS invalidation is skipped only when the device is being safely removed, but it applies only when Intel IOMMU scalable mode is enabled. With scalable mode disabled or unsupported, a system hard-lock occurs when a PCIe endpoint's link drops because the Intel IOMMU waits indefinitely for an ATS invalidation that cannot complete. Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 domain_context_clear_one_cb pci_for_each_dma_alias device_block_translation blocking_domain_attach_dev iommu_deinit_device __iommu_group_remove_device iommu_release_device iommu_bus_notifier blocking_notifier_call_chain bus_notify device_del pci_remove_bus_device pci_stop_and_remove_bus_device pciehp_unconfigure_device pciehp_disable_slot pciehp_handle_presence_or_link_change pciehp_ist Commit 81e921fd3216 ("iommu/vt-d: Fix NULL domain on device release") adds intel_pasid_teardown_sm_context() to intel_iommu_release_device(), which calls qi_flush_dev_iotlb() and can also hard-lock the system when a PCIe endpoint's link drops. Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 intel_context_flush_no_pasid device_pasid_table_teardown pci_pasid_table_teardown pci_for_each_dma_alias intel_pasid_teardown_sm_context intel_iommu_release_device iommu_deinit_device __iommu_group_remove_device iommu_release_device iommu_bus_notifier blocking_notifier_call_chain bus_notify device_del pci_remove_bus_device pci_stop_and_remove_bus_device pciehp_unconfigure_device pciehp_disable_slot pciehp_handle_presence_or_link_change pciehp_ist Sometimes the endpoint loses connection without a link-down event (e.g., due to a link fault); killing the process (virsh destroy) then hard-locks the host. Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 domain_context_clear_one_cb pci_for_each_dma_alias device_block_translation blocking_domain_attach_dev __iommu_attach_device __iommu_device_set_domain __iommu_group_set_domain_internal iommu_detach_group vfio_iommu_type1_detach_group vfio_group_detach_container vfio_group_fops_release __fput pci_dev_is_disconnected() only covers safe-removal paths; pci_device_is_present() tests accessibility by reading vendor/device IDs and internally calls pci_dev_is_disconnected(). On a ConnectX-5 (8 GT/s, x2) this costs ~70 µs. Since __context_flush_dev_iotlb() is only called on {attach,release}_dev paths (not hot), add pci_device_is_present() there to skip inaccessible devices and avoid the hard-lock. | 2026-05-06 | not yet calculated | CVE-2026-43161 | https://git.kernel.org/stable/c/48b3f08e68b29a79527869cdde7298ca2a9b9646 https://git.kernel.org/stable/c/e70d5feb10c5ba2bbf7ca400b8f39a2f82d653e8 https://git.kernel.org/stable/c/bc0490ad9edf5c6f98e39fbbee2877b85261a5ae https://git.kernel.org/stable/c/42662d19839f34735b718129ea200e3734b07e50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: tegra-video: Fix memory leak in __tegra_channel_try_format() The state object allocated by __v4l2_subdev_state_alloc() must be freed with __v4l2_subdev_state_free() when it is no longer needed. In __tegra_channel_try_format(), two error paths return directly after v4l2_subdev_call() fails, without freeing the allocated 'sd_state' object. This violates the requirement and causes a memory leak. Fix this by introducing a cleanup label and using goto statements in the error paths to ensure that __v4l2_subdev_state_free() is always called before the function returns. | 2026-05-06 | not yet calculated | CVE-2026-43162 | https://git.kernel.org/stable/c/6c6f419fa9c44a4b7149b0292e01bff47308ba14 https://git.kernel.org/stable/c/ca921be7a1174d5d58b28f84b683c2c0079f18c5 https://git.kernel.org/stable/c/3ca2f09061736e72ef25eec2597d00f7f44094d3 https://git.kernel.org/stable/c/2dff8966a3a889dd9d248a7e15d963b4097efcc5 https://git.kernel.org/stable/c/d92e9a18f97a1d19d4c2ff81dcfbe43591f75b5a https://git.kernel.org/stable/c/43e5302d22334f1183dec3e0d5d8007eefe2817c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in write_page caused by resize race A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod] This is a use-after-free race between bitmap_daemon_work() and __bitmap_resize(). The daemon iterates over `bitmap->storage.filemap` without locking, while the resize path frees that storage via md_bitmap_file_unmap(). `quiesce()` does not stop the md thread, allowing concurrent access to freed pages. Fix by holding `mddev->bitmap_info.mutex` during the bitmap update. | 2026-05-06 | not yet calculated | CVE-2026-43163 | https://git.kernel.org/stable/c/140cc839fbeb1ddb33a8da8811b716d88d3905b7 https://git.kernel.org/stable/c/ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8 https://git.kernel.org/stable/c/d3af62411e19752c663fe4f424dbf49d95a4cc7c https://git.kernel.org/stable/c/d92b8fac294b5f915c50e65ce4ae2262e53614ec https://git.kernel.org/stable/c/a437e3bf30e32846079e470c1ba5ee790bccdf89 https://git.kernel.org/stable/c/9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f https://git.kernel.org/stable/c/5f73c8b33df9a605a591eab72d43a969600c1f8c https://git.kernel.org/stable/c/46ef85f854dfa9d5226b3c1c46493d79556c9589 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin When calling of_parse_phandle_with_args(), the caller is responsible to call of_node_put() to release the reference of device node. In nct7363_present_pwm_fanin, it does not release the reference, causing a resource leak. | 2026-05-06 | not yet calculated | CVE-2026-43165 | https://git.kernel.org/stable/c/c8cde3ddd12ad7d0e6b5a3e0ea3914a9a778adf4 https://git.kernel.org/stable/c/fb99b58763a95e20b214fc1dd86837ae00a400b7 https://git.kernel.org/stable/c/4923bbff0bcffe488b3aa76829c829bd15b02585 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: always flush state and policy upon NETDEV_UNREGISTER event syzbot is reporting that "struct xfrm_state" refcount is leaking. unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2 ref_tracker: netdev@ffff888052f24618 has 1/1 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_tracker_alloc include/linux/netdevice.h:4412 [inline] xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316 xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline] xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022 xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550 xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646 __sys_sendmsg+0x16d/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f This is because commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") implemented xfrm_dev_unregister() as no-op despite xfrm_dev_state_add() from xfrm_state_construct() acquires a reference to "struct net_device". I guess that that commit expected that NETDEV_DOWN event is fired before NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add() is called only if (dev->features & NETIF_F_HW_ESP) != 0. Sabrina Dubroca identified steps to reproduce the same symptoms as below. echo 0 > /sys/bus/netdevsim/new_device dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/) ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \ spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \ offload crypto dev $dev dir out ethtool -K $dev esp-hw-offload off echo 0 > /sys/bus/netdevsim/del_device Like these steps indicate, the NETIF_F_HW_ESP bit can be cleared after xfrm_dev_state_add() acquired a reference to "struct net_device". Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit when acquiring a reference to "struct net_device". Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device") re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that commit for unknown reason chose to share xfrm_dev_down() between the NETDEV_DOWN event and the NETDEV_UNREGISTER event. I guess that that commit missed the behavior in the previous paragraph. Therefore, we need to re-introduce xfrm_dev_unregister() in order to release the reference to "struct net_device" by unconditionally flushing state and policy. | 2026-05-06 | not yet calculated | CVE-2026-43167 | https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3 https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4 https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix reflink preserve cleanup issue commit c06c303832ec ("ocfs2: fix xattr array entry __counted_by error") doesn't handle all cases and the cleanup job for preserved xattr entries still has bug: - the 'last' pointer should be shifted by one unit after cleanup an array entry. - current code logic doesn't cleanup the first entry when xh_count is 1. Note, commit c06c303832ec is also a bug fix for 0fe9b66c65f3. | 2026-05-06 | not yet calculated | CVE-2026-43168 | https://git.kernel.org/stable/c/c44d86ca949cb1e5566ad14510cc26fa1a17e2d8 https://git.kernel.org/stable/c/02acc9f72365e50eb45a56b7dacb9114ca3b503c https://git.kernel.org/stable/c/8ff329353134280b203cb2bce95311cb8f7cbd8a https://git.kernel.org/stable/c/bb273b68c1719c2925e05557f7e7099edb066680 https://git.kernel.org/stable/c/b2952dbeac2c3c527cb0519d5ffaeb95b062466a https://git.kernel.org/stable/c/3bdc3766aafb052aef4baadef455a84c1c0a059d https://git.kernel.org/stable/c/2f4daccd9d9b8b2952df7878df8c2e8ba6439398 https://git.kernel.org/stable/c/5138c936c2c82c9be8883921854bc6f7e1177d8c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/buddy: Prevent BUG_ON by validating rounded allocation When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is rounded up to the next power-of-two via roundup_pow_of_two(). Similarly, for non-contiguous allocations with large min_block_size, the size is aligned up via round_up(). Both operations can produce a rounded size that exceeds mm->size, which later triggers BUG_ON(order > mm->max_order). Example scenarios: - 9G CONTIGUOUS allocation on 10G VRAM memory: roundup_pow_of_two(9G) = 16G > 10G - 9G allocation with 8G min_block_size on 10G VRAM memory: round_up(9G, 8G) = 16G > 10G Fix this by checking the rounded size against mm->size. For non-contiguous or range allocations where size > mm->size is invalid, return -EINVAL immediately. For contiguous allocations without range restrictions, allow the request to fall through to the existing __alloc_contig_try_harder() fallback. This ensures invalid user input returns an error or uses the fallback path instead of hitting BUG_ON. v2: (Matt A) - Add Fixes, Cc stable, and Closes tags for context | 2026-05-06 | not yet calculated | CVE-2026-43169 | https://git.kernel.org/stable/c/d764b8dd420098a4d253b8a5b27568c897edb2cf https://git.kernel.org/stable/c/6236c1cd9fdf433d39ed28b2491ccdfe7ae95061 https://git.kernel.org/stable/c/ecb32c60d8cbed2ee9ce9f343b6aa2f32babc727 https://git.kernel.org/stable/c/5488a29596cdba93a60a79398dc9b69d5bdadf92 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: Move vbus draw to workqueue context Currently dwc3_gadget_vbus_draw() can be called from atomic context, which in turn invokes power-supply-core APIs. And some these PMIC APIs have operations that may sleep, leading to kernel panic. Fix this by moving the vbus_draw into a workqueue context. | 2026-05-06 | not yet calculated | CVE-2026-43170 | https://git.kernel.org/stable/c/76c1123ffccfaba95cf4ecc2a50f95504a522424 https://git.kernel.org/stable/c/a7a80c25b65112768eeba58a7af129d3c52a6d90 https://git.kernel.org/stable/c/2333653ef854c2cc124077f71a8526f03bf6e06a https://git.kernel.org/stable/c/74a231e3d99d310497ab0ccb359539a6063b316a https://git.kernel.org/stable/c/54aaa3b387c2f580a99dc86a9cc2eb6dfaf599a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't dump the entire memory region The current logic at cper_print_fw_err() doesn't check if the error record length is big enough to handle offset. On a bad firmware, if the ofset is above the actual record, length -= offset will underflow, making it dump the entire memory. The end result can be: - the logic taking a lot of time dumping large regions of memory; - data disclosure due to the memory dumps; - an OOPS, if it tries to dump an unmapped memory region. Fix it by checking if the section length is too small before doing a hex dump. [ rjw: Subject tweaks ] | 2026-05-06 | not yet calculated | CVE-2026-43171 | https://git.kernel.org/stable/c/02de64ab54b4bb0f1b21bb324aeff3b08612be33 https://git.kernel.org/stable/c/0e09b522f2622841389c3b2f9ac4969e35c0809d https://git.kernel.org/stable/c/64ae5aaa7ac93c83da456039e8ec747bfa8a7cff https://git.kernel.org/stable/c/5a9b1dda8481b82851a655c3bcc5b44879b95334 https://git.kernel.org/stable/c/7780c0bad2a3a70a8c0113a33c02f4151d901eb3 https://git.kernel.org/stable/c/a8419f5f2c5f2d80848ddabb2b95cf0da84a5f91 https://git.kernel.org/stable/c/54e131db4cdffd946db890ff33ff2647053fd4f6 https://git.kernel.org/stable/c/55cc6fe5716f678f06bcb95140882dfa684464ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: xscale: Check for PTP support properly In ixp4xx_get_ts_info() ixp46x_ptp_find() is called unconditionally despite this feature only existing on ixp46x, leading to the following splat from tcpdump: root@OpenWrt:~# tcpdump -vv -X -i eth0 (...) Unable to handle kernel NULL pointer dereference at virtual address 00000238 when read (...) Call trace: ptp_clock_index from ixp46x_ptp_find+0x1c/0x38 ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64 ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108 __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648 __dev_ethtool from dev_ethtool+0x160/0x234 dev_ethtool from dev_ioctl+0x2cc/0x460 dev_ioctl from sock_ioctl+0x1ec/0x524 sock_ioctl from sys_ioctl+0x51c/0xa94 sys_ioctl from ret_fast_syscall+0x0/0x44 (...) Segmentation fault Check for ixp46x in ixp46x_ptp_find() before trying to set up PTP to avoid this. To avoid altering the returned error code from ixp4xx_hwtstamp_set() which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP from ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter the error code. The helper function ixp46x_ptp_find() helper returns -ENODEV. | 2026-05-06 | not yet calculated | CVE-2026-43173 | https://git.kernel.org/stable/c/144dde3146985b25fa84d4e4b7c3d11e0f5fc5a4 https://git.kernel.org/stable/c/5195b10c34b8993194ad12ad7d8f54d861be084b https://git.kernel.org/stable/c/322437972f0a712767f6920ad34aba25f2e9b942 https://git.kernel.org/stable/c/21d1e80d0d6e7d0c3cd8b1e001ed1fa92fb9f3f5 https://git.kernel.org/stable/c/2d74412dfd3621552a394d55cc3dd26a7cbf608e https://git.kernel.org/stable/c/cbecebd35909f6cd0f6fb773f0fb73da99e02f8c https://git.kernel.org/stable/c/594163ea88a03bdb412063af50fc7177ef3cbeae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix post open error handling Closing a queue doesn't guarantee that all associated page pools are terminated right away, let the refcounting do the work instead of releasing the zcrx ctx directly. | 2026-05-06 | not yet calculated | CVE-2026-43174 | https://git.kernel.org/stable/c/18afaff077b46655a8eb6fd7f6de1b81327be577 https://git.kernel.org/stable/c/5d540e4508950c674d6feef1d95463d039bbf4f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be out of bounds write when pointers 4..7 are set into struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this, increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver. | 2026-05-06 | not yet calculated | CVE-2026-43175 | https://git.kernel.org/stable/c/2f926875dffe2226ea26d129e16d9092cccd03aa https://git.kernel.org/stable/c/da86ca15d7389ee0b5df08e8f70c39354e6b8a4b https://git.kernel.org/stable/c/82a34f344999d8029bcebf131028fa519140c7cc https://git.kernel.org/stable/c/5ec820fc28d0b8a0f3890d476b1976f20e8343cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: ipu6: Fix RPM reference leak in probe error paths Several error paths in ipu6_pci_probe() were jumping directly to out_ipu6_bus_del_devices without releasing the runtime PM reference. Add pm_runtime_put_sync() before cleaning up other resources. | 2026-05-06 | not yet calculated | CVE-2026-43177 | https://git.kernel.org/stable/c/fdc06d36dab7b28c2bdd16cb7ee4f25e0f55d9ac https://git.kernel.org/stable/c/364759ccc3fb49754758c585c530407f96683030 https://git.kernel.org/stable/c/3cd9e7539a3010a83391fecade1186cf30e616c9 https://git.kernel.org/stable/c/6099f78e4c9223f4de4169d2fd1cded01279da1a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits for invalid metabox-enabled images Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system crashes or other severe issues. | 2026-05-06 | not yet calculated | CVE-2026-43179 | https://git.kernel.org/stable/c/041b5163bb9b2e81050bcd885b3373bf2f42d5f5 https://git.kernel.org/stable/c/56e4a84220045b6af0f1efc11825b39217c7decf https://git.kernel.org/stable/c/643575d5a4f24b23b0c54aa20aa74a4abed8ff5e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: sysfs: fix chip removal with GPIOs exported over sysfs Currently if we export a GPIO over sysfs and unbind the parent GPIO controller, the exported attribute will remain under /sys/class/gpio because once we remove the parent device, we can no longer associate the descriptor with it in gpiod_unexport() and never drop the final reference. Rework the teardown code: provide an unlocked variant of gpiod_unexport() and remove all exported GPIOs with the sysfs_lock taken before unregistering the parent device itself. This is done to prevent any new exports happening before we unregister the device completely. | 2026-05-06 | not yet calculated | CVE-2026-43181 | https://git.kernel.org/stable/c/54f463494eb5bf193ef7d904a493474c451734df https://git.kernel.org/stable/c/a645cc25904b0baf508b77a0402ce151212b9800 https://git.kernel.org/stable/c/6766f59012301f1bf3f46c6e7149caca45d92309 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: ccs: Avoid possible division by zero Calculating maximum M for scaler configuration involves dividing by MIN_X_OUTPUT_SIZE limit register's value. Albeit the value is presumably non-zero, the driver was missing the check it in fact was. Fix this. | 2026-05-06 | not yet calculated | CVE-2026-43182 | https://git.kernel.org/stable/c/b6e0529c300e44153fc6f3b565e28163caf1f031 https://git.kernel.org/stable/c/9aae0f31d37a8facd25e37c0f0709ea08de83802 https://git.kernel.org/stable/c/c9af1818387f5c6f543e2e02c40b3038eae86be8 https://git.kernel.org/stable/c/32a21ed2ad743fe2d12af48e627089b921a032c2 https://git.kernel.org/stable/c/a8ff58cc8c7514c278ba0ea2c787d4bf9eeb355d https://git.kernel.org/stable/c/8ca7df18e7a58a0e5b0ed9eaaa34e16fc5cb9680 https://git.kernel.org/stable/c/679f0b7b6a409750a25754c8833e268e5fdde742 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: cx25821: Fix a resource leak in cx25821_dev_setup() Add release_mem_region() if ioremap() fails to release the memory region obtained by cx25821_get_resources(). | 2026-05-06 | not yet calculated | CVE-2026-43183 | https://git.kernel.org/stable/c/9f1c926248bde95a77ca104ab525467470607836 https://git.kernel.org/stable/c/071bfc6e723aabbbf08f0d439fb913cd01eb8de2 https://git.kernel.org/stable/c/f7759eb6738ee9fc296f6ab1705c6809947976f3 https://git.kernel.org/stable/c/4010e596d23cda6de65acb14f7fd4ce8289f1d49 https://git.kernel.org/stable/c/e220ec4c4596d634685b8a08d79ad876a720b466 https://git.kernel.org/stable/c/b7210170b10e2d17f7a4f6b9d39cc092442db860 https://git.kernel.org/stable/c/80ce3797dc99dae4ce8b939626b891c9eb85139f https://git.kernel.org/stable/c/68cd8ac994cac38a305200f638b30e13c690753b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: do not propagate page array emplacement errors as batch errors When fscrypt is enabled, move_dirty_folio_in_page_array() may fail because it needs to allocate bounce buffers to store the encrypted versions of each folio. Each folio beyond the first allocates its bounce buffer with GFP_NOWAIT. Failures are common (and expected) under this allocation mode; they should flush (not abort) the batch. However, ceph_process_folio_batch() uses the same `rc` variable for its own return code and for capturing the return codes of its routine calls; failing to reset `rc` back to 0 results in the error being propagated out to the main writeback loop, which cannot actually tolerate any errors here: once `ceph_wbc.pages` is allocated, it must be passed to ceph_submit_write() to be freed. If it survives until the next iteration (e.g. due to the goto being followed), ceph_allocate_page_array()'s BUG_ON() will oops the worker. Note that this failure mode is currently masked due to another bug (addressed next in this series) that prevents multiple encrypted folios from being selected for the same write. For now, just reset `rc` when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. Note that move_dirty_folio_in_page_array() is careful never to return errors on the first folio, so there is no need to check for that. After this change, ceph_process_folio_batch() no longer returns errors; its only remaining failure indicator is `locked_pages == 0`, which the caller already handles correctly. | 2026-05-06 | not yet calculated | CVE-2026-43188 | https://git.kernel.org/stable/c/746840c87d76b614b14d9337c466ff022fc49823 https://git.kernel.org/stable/c/4c0d84c788d89c167abf0bf84fd37890c4c84f08 https://git.kernel.org/stable/c/707104682e3c163f7c14cdd6b07a3e95fb374759 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: v4l2-async: Fix error handling on steps after finding a match Once an async connection is found to be matching with an fwnode, a sub-device may be registered (in case it wasn't already), its bound operation is called, ancillary links are created, the async connection is added to the sub-device's list of connections and removed from the global waiting connection list. Further on, the sub-device's possible own notifier is searched for possible additional matches. Fix these specific issues: - If v4l2_async_match_notify() failed before the sub-notifier handling, the async connection was unbound and its entry removed from the sub-device's async connection list. The latter part was also done in v4l2_async_match_notify(). - The async connection's sd field was only set after creating ancillary links in v4l2_async_match_notify(). It was however dereferenced in v4l2_async_unbind_subdev_one(), which was called on error path of v4l2_async_match_notify() failure. | 2026-05-06 | not yet calculated | CVE-2026-43189 | https://git.kernel.org/stable/c/30aaed311f973f13ba13a0cd2dc0202f595fff48 https://git.kernel.org/stable/c/461733d83e67ba7e3a5b750c0d203f738e01244f https://git.kernel.org/stable/c/b02bcb378efa8af07827f49b3afcc5e825318c55 https://git.kernel.org/stable/c/2de0a3c8148fc3dbea21981e6569f550b3626119 https://git.kernel.org/stable/c/7345d6d356336c448d6b9230ed8704f39679fd12 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35 [Why] A backport of the change made for DCN401 that addresses an issue where we turn off the PHY PLL when disabling TMDS output, which causes the OTG to remain stuck. The OTG being stuck can lead to a hang in the DCHVM's ability to ACK invalidations when it thinks the HUBP is still on but it's not receiving global sync. The transition to PLL_ON needs to be atomic as there's no guarantee that the thread isn't pre-empted or is able to complete before the IOMMU watchdog times out. [How] Backport the implementation from dcn401 back to dcn35. There's a functional difference in when the eDP output is disabled in dcn401 code so we don't want to utilize it directly. | 2026-05-06 | not yet calculated | CVE-2026-43191 | https://git.kernel.org/stable/c/d1f7ceb00e8956ff6d183b7b45ef4e73c96f4c51 https://git.kernel.org/stable/c/75372d75a4e23783583998ed99d5009d555850da |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm mpath: Add missing dm_put_device when failing to get scsi dh name When commit fd81bc5cca8f ("scsi: device_handler: Return error pointer in scsi_dh_attached_handler_name()") added code to fail parsing the path if scsi_dh_attached_handler_name() failed with -ENOMEM, it didn't clean up the reference to the path device that had just been taken. Fix this, and steamline the error paths of parse_path() a little. | 2026-05-06 | not yet calculated | CVE-2026-43192 | https://git.kernel.org/stable/c/4aa5c37b7d8019f7296111c1add00e7214baae60 https://git.kernel.org/stable/c/787bd63ee661b0148ce8e1fde92b7afddd85c446 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfs4_file refcount leak in nfsd_get_dir_deleg() Claude pointed out that there is a nfs4_file refcount leak in nfsd_get_dir_deleg(). Ensure that the reference to "fp" is released before returning. | 2026-05-06 | not yet calculated | CVE-2026-43193 | https://git.kernel.org/stable/c/0d8362e15aad5b5c1d6a65bb23ac6c45ccf881f3 https://git.kernel.org/stable/c/789477b849394afdb60507924d65f7ef18f078ce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate user queue size constraints Add validation to ensure user queue sizes meet hardware requirements: - Size must be a power of two for efficient ring buffer wrapping - Size must be at least AMDGPU_GPU_PAGE_SIZE to prevent undersized allocations This prevents invalid configurations that could lead to GPU faults or unexpected behavior. | 2026-05-06 | not yet calculated | CVE-2026-43195 | https://git.kernel.org/stable/c/cf2a37be899dc1b01f53bf1d0157330eaf3e3f55 https://git.kernel.org/stable/c/9f6cc309cd15922fe58cab2dfa1b5993ad31dec7 https://git.kernel.org/stable/c/8079b87c02e531cc91601f72ea8336dd2262fdf1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: ti: pruss: Fix double free in pruss_clk_mux_setup() In the pruss_clk_mux_setup(), the devm_add_action_or_reset() indirectly calls pruss_of_free_clk_provider(), which calls of_node_put(clk_mux_np) on the error path. However, after the devm_add_action_or_reset() returns, the of_node_put(clk_mux_np) is called again, causing a double free. Fix by returning directly, to avoid the duplicate of_node_put(). | 2026-05-06 | not yet calculated | CVE-2026-43196 | https://git.kernel.org/stable/c/dbda01bf2dfe5af33163e1e5fca1b82b619c2803 https://git.kernel.org/stable/c/24c40076e3bc3d73c839c886d6bda1da6c4d9b93 https://git.kernel.org/stable/c/818cf66d91c8ef09b01664a12d5f4ea786d64396 https://git.kernel.org/stable/c/e113339cc7d23be4948891f3a702e9dce5b47035 https://git.kernel.org/stable/c/69aa67c1e22d13e9aad4b08c86304ad8e743dcab https://git.kernel.org/stable/c/b7db9953c2f8da37de498198623b05b46f8e2ca0 https://git.kernel.org/stable/c/04dbbb18cc9c8795c9ff47d8994bc03ebfef9d68 https://git.kernel.org/stable/c/80db65d4acfb9ff12d00172aed39ea8b98261aad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix swapped parameters in pci_{primary/secondary}_epc_epf_unlink() functions struct configfs_item_operations callbacks are defined like the following: int (*allow_link)(struct config_item *src, struct config_item *target); void (*drop_link)(struct config_item *src, struct config_item *target); While pci_primary_epc_epf_link() and pci_secondary_epc_epf_link() specify the parameters in the correct order, pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() specify the parameters in the wrong order, leading to the below kernel crash when using the unlink command in configfs: Unable to handle kernel paging request at virtual address 0000000300000857 Mem abort info: ... pc : string+0x54/0x14c lr : vsnprintf+0x280/0x6e8 ... string+0x54/0x14c vsnprintf+0x280/0x6e8 vprintk_default+0x38/0x4c vprintk+0xc4/0xe0 pci_epf_unbind+0xdc/0x108 configfs_unlink+0xe0/0x208+0x44/0x74 vfs_unlink+0x120/0x29c __arm64_sys_unlinkat+0x3c/0x90 invoke_syscall+0x48/0x134 do_el0_svc+0x1c/0x30prop.0+0xd0/0xf0 [mani: cced stable, changed commit message as per https://lore.kernel.org/linux-pci/aV9joi3jF1R6ca02@ryzen] | 2026-05-06 | not yet calculated | CVE-2026-43200 | https://git.kernel.org/stable/c/58686bf62cb38b92e4b28408162a5703775b4d12 https://git.kernel.org/stable/c/1c96c1acef4b4a1108fc13f84a8ac0b0633bbb46 https://git.kernel.org/stable/c/142b1bba3299264b76ed8ef53cd93b2b2af65d6c https://git.kernel.org/stable/c/339191811e6fc4559c4008c5af7a91b05086d596 https://git.kernel.org/stable/c/733cbc3aa97e71cc70847e75c925b364cc9b04a6 https://git.kernel.org/stable/c/aefc0e0bd20f54abe3b501b8798c0be656af272b https://git.kernel.org/stable/c/8754dd7639ab0fd68c3ab9d91c7bdecc3e5740a8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: APEI/GHES: ARM processor Error: don't go past allocated memory If the BIOS generates a very small ARM Processor Error, or an incomplete one, the current logic will fail to deferrence err->section_length and ctx_info->size Add checks to avoid that. With such changes, such GHESv2 records won't cause OOPSes like this: [ 1.492129] Internal error: Oops: 0000000096000005 [#1] SMP [ 1.495449] Modules linked in: [ 1.495820] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.18.0-rc1-00017-gabadcc3553dd-dirty #18 PREEMPT [ 1.496125] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022 [ 1.496433] Workqueue: kacpi_notify acpi_os_execute_deferred [ 1.496967] pstate: 814000c5 (Nzcv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1.497199] pc : log_arm_hw_error+0x5c/0x200 [ 1.497380] lr : ghes_handle_arm_hw_error+0x94/0x220 0xffff8000811c5324 is in log_arm_hw_error (../drivers/ras/ras.c:75). 70 err_info = (struct cper_arm_err_info *)(err + 1); 71 ctx_info = (struct cper_arm_ctx_info *)(err_info + err->err_info_num); 72 ctx_err = (u8 *)ctx_info; 73 74 for (n = 0; n < err->context_info_num; n++) { 75 sz = sizeof(struct cper_arm_ctx_info) + ctx_info->size; 76 ctx_info = (struct cper_arm_ctx_info *)((long)ctx_info + sz); 77 ctx_len += sz; 78 } 79 and similar ones while trying to access section_length on an error dump with too small size. [ rjw: Subject tweaks ] | 2026-05-06 | not yet calculated | CVE-2026-43201 | https://git.kernel.org/stable/c/242c652849d979d0133c315a42d9acea0ff88390 https://git.kernel.org/stable/c/136093ba4161e0080088abff48273f6830a47766 https://git.kernel.org/stable/c/db103b8bd3a4aca69b1b5fe8831a6ed75ac4b3bd https://git.kernel.org/stable/c/87880af2d24e62a84ed19943dbdd524f097172f2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: vt8500lcdfb: fix missing dma_free_coherent() fbi->fb.screen_buffer is allocated with dma_alloc_coherent() but is not freed if the error path is reached. | 2026-05-06 | not yet calculated | CVE-2026-43202 | https://git.kernel.org/stable/c/9a9bc60ed372aaae9784ff8ad8e5f496ff15fd31 https://git.kernel.org/stable/c/9c3873cccb3fab54cde0605ae7093d332c99073e https://git.kernel.org/stable/c/778f31be5b8c10024db23fdd8a05f68a02311008 https://git.kernel.org/stable/c/e8c5d5f6cd66e032f9aefdcc21b0c34761aef78a https://git.kernel.org/stable/c/f47d5b9e8aa6178a0aaf225119ad1ec7d3f49876 https://git.kernel.org/stable/c/40c1ff25025150ff6d7ec7ad441fcfd6d070ee76 https://git.kernel.org/stable/c/2cd2f988a8bd2da227f5c3cfa0cbf3a9a287ddc3 https://git.kernel.org/stable/c/88b3b9924337336a31cefbe99a22ed09401be74a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce ("ASoC: qcom: q6asm: handle the responses after closing")' attempted to ignore DSP responses arriving after a stream had been closed. However, those responses were still handled, causing lockups. Fix this by unconditionally dropping all DSP responses associated with closed data streams. | 2026-05-06 | not yet calculated | CVE-2026-43204 | https://git.kernel.org/stable/c/3249251eac6081d5169ba09f2d9cca66ab0cab0d https://git.kernel.org/stable/c/8a066a81ee0c1b6cdbd81393536c3b2d19ccef25 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ... | 2026-05-06 | not yet calculated | CVE-2026-43205 | https://git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28 https://git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d https://git.kernel.org/stable/c/b690635d4719214892855b79ce018d4b1672ac96 https://git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900 https://git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c https://git.kernel.org/stable/c/c18493f750208eb4ff1198fc5a02786b8b2d70a6 https://git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: minix: Add required sanity checking to minix_check_superblock() The fs/minix implementation of the minix filesystem does not currently support any other value for s_log_zone_size than 0. This is also the only value supported in util-linux; see mkfs.minix.c line 511. In addition, this patch adds some sanity checking for the other minix superblock fields, and moves the minix_blocks_needed() checks for the zmap and imap also to minix_check_super_block(). This also closes a related syzbot bug report. | 2026-05-06 | not yet calculated | CVE-2026-43209 | https://git.kernel.org/stable/c/a051ecf5c5b0387840dc210413ed3bc7fbdaa69c https://git.kernel.org/stable/c/d791c544efd6b9c944b43cf7f502e5bcb02fb941 https://git.kernel.org/stable/c/66c7c239c65341f99ae388d4d53dc9df2bcb9925 https://git.kernel.org/stable/c/2bb588cede1c1969e49c0a2822c8cb8b346b7682 https://git.kernel.org/stable/c/f57ccd4657c7f082dc47e5b9e18a883bb5f9118f https://git.kernel.org/stable/c/31fefc18096cdc5549cfa54964d90e0b3229aedc https://git.kernel.org/stable/c/1efc128ee4adbc23e082715425ff895449d233bc https://git.kernel.org/stable/c/8c97a6ddc95690a938ded44b4e3202f03f15078c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: ring-buffer: Fix to check event length before using Check the event length before adding it for accessing next index in rb_read_data_buffer(). Since this function is used for validating possibly broken ring buffers, the length of the event could be broken. In that case, the new event (e + len) can point a wrong address. To avoid invalid memory access at boot, check whether the length of each event is in the possible range before using it. | 2026-05-06 | not yet calculated | CVE-2026-43210 | https://git.kernel.org/stable/c/b4700c089a10f89de3a5149d57f8a58306458982 https://git.kernel.org/stable/c/5026010110a5ad2268d8c23e1e286ab7c736f7ac https://git.kernel.org/stable/c/9eb80e54494ef1efef8a64bec4ffa672c9cf411e https://git.kernel.org/stable/c/912b0ee248c529a4f45d1e7f568dc1adddbf2a4a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: Drop the lock in skb_may_tx_timestamp() skb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must not be taken in IRQ context, only softirq is okay. A few drivers receive the timestamp via a dedicated interrupt and complete the TX timestamp from that handler. This will lead to a deadlock if the lock is already write-locked on the same CPU. Taking the lock can be avoided. The socket (pointed by the skb) will remain valid until the skb is released. The ->sk_socket and ->file member will be set to NULL once the user closes the socket which may happen before the timestamp arrives. If we happen to observe the pointer while the socket is closing but before the pointer is set to NULL then we may use it because both pointer (and the file's cred member) are RCU freed. Drop the lock. Use READ_ONCE() to obtain the individual pointer. Add a matching WRITE_ONCE() where the pointer are cleared. | 2026-05-06 | not yet calculated | CVE-2026-43216 | https://git.kernel.org/stable/c/f3e4cceafad27c9363c33622732f86722846ec6f https://git.kernel.org/stable/c/e4c6efb3b70ff87f1df99efce2f8893717695718 https://git.kernel.org/stable/c/983512f3a87fd8dc4c94dfa6b596b6e57df5aad7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: gen2: Add sanity check for session stop In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. Add a NULL check for inst_hfi_gen2->packet before sendling STOP packet to firmware to fix that. | 2026-05-06 | not yet calculated | CVE-2026-43217 | https://git.kernel.org/stable/c/72846441c5f6396de9face04e77fa3d28e9915b6 https://git.kernel.org/stable/c/75992ba43072674fd4767df62a1fe2048565cc60 https://git.kernel.org/stable/c/9aa8d63d09cfc44d879427cc5ba308012ca4ab8e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: i2c/tw9903: Fix potential memory leak in tw9903_probe() In one of the error paths in tw9903_probe(), the memory allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that by calling v4l2_ctrl_handler_free() on the handler in that error path. | 2026-05-06 | not yet calculated | CVE-2026-43218 | https://git.kernel.org/stable/c/e54aa17c968c4de2c5f7b7ea390c63d33c07513b https://git.kernel.org/stable/c/32f0493506313775d3bd448de34762b6538da6bd https://git.kernel.org/stable/c/92537a15780b6d0281fd8286f93fbc3652e35f48 https://git.kernel.org/stable/c/9cb9eca33d20316ed3c7a938793b8735ac3e128b https://git.kernel.org/stable/c/a114918270f0d95c607d69b03a244e6afe54813f https://git.kernel.org/stable/c/cc7aeed33e4f55c76f35f0fca73e4dfe12a63a3a https://git.kernel.org/stable/c/add02a3fb1fd71b004f0ed824cbac00f850de558 https://git.kernel.org/stable/c/9cea16fea47e5553f51d10957677ff735b1eff03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Fix potential unregister of netdev that has not been registered yet If an error occurs during register_netdev() for the first MAC in cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL, cpsw->slaves[1].ndev would remain unchanged. This could later cause cpsw_unregister_ports() to attempt unregistering the second MAC. To address this, add a check for ndev->reg_state before calling unregister_netdev(). With this change, setting cpsw->slaves[i].ndev to NULL becomes unnecessary and can be removed accordingly. | 2026-05-06 | not yet calculated | CVE-2026-43219 | https://git.kernel.org/stable/c/29739ec197ed66535bc0b86f14ab66c5f4512138 https://git.kernel.org/stable/c/349c4cac6f54a81fc107589771f88136a2b20415 https://git.kernel.org/stable/c/9d724b34fbe13b71865ad0906a4be97571f19cf5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: serialize sequence allocation under concurrent TLB invalidations With concurrent TLB invalidations, completion wait randomly gets timed out because cmd_sem_val was incremented outside the IOMMU spinlock, allowing CMD_COMPL_WAIT commands to be queued out of sequence and breaking the ordering assumption in wait_on_sem(). Move the cmd_sem_val increment under iommu->lock so completion sequence allocation is serialized with command queuing. And remove the unnecessary return. | 2026-05-06 | not yet calculated | CVE-2026-43220 | https://git.kernel.org/stable/c/5000ce7fcb31067566a1a1a2e5b5bbff93625242 https://git.kernel.org/stable/c/48caa7542a795c9679ec1bd1bc2592e05a7369a4 https://git.kernel.org/stable/c/9e249c48412828e807afddc21527eb734dc9bd3d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi: ipmb: initialise event handler read bytes IPMB doesn't use i2c reads, but the handler needs to set a value. Otherwise an i2c read will return an uninitialised value from the bus driver. | 2026-05-06 | not yet calculated | CVE-2026-43221 | https://git.kernel.org/stable/c/905554ebd76aeee370bfd5136ea11e0b9d75c6f1 https://git.kernel.org/stable/c/56d5c0557e53c4d8d92a619fa83eaae178165e07 https://git.kernel.org/stable/c/2dfbc8c17dd161885336e77e71c336cd62cf6748 https://git.kernel.org/stable/c/f726b3a57e00bb6249c67714c11ae8b4b31719a1 https://git.kernel.org/stable/c/102712417bb6aa9a00d852bc59cb0a276db486c4 https://git.kernel.org/stable/c/9f235ccecd03c436cb1683eac16b12f119e54aa9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix URB leak in pvr2_send_request_ex When pvr2_send_request_ex() submits a write URB successfully but fails to submit the read URB (e.g. returns -ENOMEM), it returns immediately without waiting for the write URB to complete. Since the driver reuses the same URB structure, a subsequent call to pvr2_send_request_ex() attempts to submit the still-active write URB, triggering a 'URB submitted while active' warning in usb_submit_urb(). Fix this by ensuring the write URB is unlinked and waited upon if the read URB submission fails. | 2026-05-06 | not yet calculated | CVE-2026-43223 | https://git.kernel.org/stable/c/da524c939b1e5ba17f10db4bde4bdaf569ffcda6 https://git.kernel.org/stable/c/cf459d6ffa5e150ef3744b897f936ff24b52bd15 https://git.kernel.org/stable/c/77a63f8efc434ddb04667ed632aade58301a2f13 https://git.kernel.org/stable/c/4ba5c7a1aade7090172cbffd4d120bf4cf5ccbde https://git.kernel.org/stable/c/58dd722b6c3debcddb4684fb256c90fee7f063e5 https://git.kernel.org/stable/c/2011929f0e4cf6a0a34dd6205911b12276904453 https://git.kernel.org/stable/c/5f3ac816861c3b8a5d1a3645b17dc3a99d668d94 https://git.kernel.org/stable/c/a8333c8262aed2aedf608c18edd39cf5342680a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix sgtable leak on mapping failures In an unlikely case when io_populate_area_dma() fails, which could only happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine, io_zcrx_map_area() will have an initialised and not freed table. It was supposed to be cleaned up in the error path, but !is_mapped prevents that. | 2026-05-06 | not yet calculated | CVE-2026-43224 | https://git.kernel.org/stable/c/f1ae403324311e143ef20e53cf9a5f01e312f7c9 https://git.kernel.org/stable/c/ef075c1464ac9047e2cf7d23cb020bfd0b8e4b60 https://git.kernel.org/stable/c/a983aae397767e9da931128ff2b5bf9066513ce3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix memory leak on failure path cfg80211_inform_bss_frame() may return NULL on failure. In that case, the allocated buffer 'buf' is not freed and the function returns early, leading to potential memory leak. Fix this by ensuring that 'buf' is freed on both success and failure paths. | 2026-05-06 | not yet calculated | CVE-2026-43225 | https://git.kernel.org/stable/c/9874e33ce52ba449ab0ade78752a2d37a2294617 https://git.kernel.org/stable/c/a968c6a39607c129b8ac2c3c2a5e8923574e90d0 https://git.kernel.org/stable/c/8311bb40698ba027649d5d1ca84ad4bf25270546 https://git.kernel.org/stable/c/9f70f78e22b321429afc77befecedf05543d4e2c https://git.kernel.org/stable/c/af48c1a0abe849e167fc754b6c260b6d8350b6fd https://git.kernel.org/stable/c/017295b17bf1f477246c95bd253a7ef0cb4684c9 https://git.kernel.org/stable/c/abe850d82c8cb72d28700673678724e779b1826e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/sh_tmu: Always leave device running after probe The TMU device can be used as both a clocksource and a clockevent provider. The driver tries to be smart and power itself on and off, as well as enabling and disabling its clock when it's not in operation. This behavior is slightly altered if the TMU is used as an early platform device in which case the device is left powered on after probe, but the clock is still enabled and disabled at runtime. This has worked for a long time, but recent improvements in PREEMPT_RT and PROVE_LOCKING have highlighted an issue. As the TMU registers itself as a clockevent provider, clockevents_register_device(), it needs to use raw spinlocks internally as this is the context of which the clockevent framework interacts with the TMU driver. However in the context of holding a raw spinlock the TMU driver can't really manage its power state or clock with calls to pm_runtime_*() and clk_*() as these calls end up in other platform drivers using regular spinlocks to control power and clocks. This mix of spinlock contexts trips a lockdep warning. ============================= [ BUG: Invalid wait context ] 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted ----------------------------- swapper/0/0 is trying to lock: ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88 other info that might help us debug this: context-{5:5} 1 lock held by swapper/0/0: ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0 #0: ffff8000817ec298 ccree e6601000.crypto: ARM ccree device initialized (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8 stack backtrace: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) Call trace: show_stack+0x14/0x1c (C) dump_stack_lvl+0x6c/0x90 dump_stack+0x14/0x1c __lock_acquire+0x904/0x1584 lock_acquire+0x220/0x34c _raw_spin_lock_irqsave+0x58/0x80 __pm_runtime_resume+0x38/0x88 sh_tmu_clock_event_set_oneshot+0x84/0xd4 clockevents_switch_state+0xfc/0x13c tick_broadcast_set_event+0x30/0xa4 __tick_broadcast_oneshot_control+0x1e0/0x3a8 tick_broadcast_oneshot_control+0x30/0x40 cpuidle_enter_state+0x40c/0x680 cpuidle_enter+0x30/0x40 do_idle+0x1f4/0x280 cpu_startup_entry+0x34/0x40 kernel_init+0x0/0x130 do_one_initcall+0x0/0x230 __primary_switched+0x88/0x90 For non-PREEMPT_RT builds this is not really an issue, but for PREEMPT_RT builds where normal spinlocks can sleep this might be an issue. Be cautious and always leave the power and clock running after probe. | 2026-05-06 | not yet calculated | CVE-2026-43227 | https://git.kernel.org/stable/c/79d650695773f03de36b99228a090d33d1c18264 https://git.kernel.org/stable/c/f0b31247e7d67a943b3a09d3cef7c0ae788d88e6 https://git.kernel.org/stable/c/016476afef993d1201a19decc9b5b2ea1e6620f2 https://git.kernel.org/stable/c/6f113ab549b864c1bc57d4f89846ee335394089a https://git.kernel.org/stable/c/88c76792180dffd83f1c5b9dc8fdaeb145cb94e0 https://git.kernel.org/stable/c/bc59d5f3afe41fec5d673c27c703b761ae578d28 https://git.kernel.org/stable/c/0e513cc6b9cea190fe342cc222b1054e7e8acfc8 https://git.kernel.org/stable/c/b1278972b08e480990e2789bdc6a7c918bc349be |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfs: Replace BUG_ON with error handling for CNID count checks In a06ec283e125 next_id, folder_count, and file_count in the super block info were expanded to 64 bits, and BUG_ONs were added to detect overflow. This triggered an error reported by syzbot: if the MDB is corrupted, the BUG_ON is triggered. This patch replaces this mechanism with proper error handling and resolves the syzbot reported bug. Singed-off-by: Jori Koolstra <jkoolstra@xs4all.nl> | 2026-05-06 | not yet calculated | CVE-2026-43228 | https://git.kernel.org/stable/c/b6536c1ced315fa645576d3a39c6e07f2a472962 https://git.kernel.org/stable/c/b226804532a875c10276168dc55ce752944096bd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix device cleanup order to prevent kernel panic Move video device unregistration to the beginning of the remove function to ensure all video operations are stopped before cleaning up the worker thread and disabling PM runtime. This prevents hardware register access after the device has been powered down. In polling mode, the hrtimer periodically triggers wave5_vpu_timer_callback() which queues work to the kthread worker. The worker executes wave5_vpu_irq_work_fn() which reads hardware registers via wave5_vdi_read_register(). The original cleanup order disabled PM runtime and powered down hardware before unregistering video devices. When autosuspend triggers and powers off the hardware, the video devices are still registered and the worker thread can still be triggered by the hrtimer, causing it to attempt reading registers from powered-off hardware. This results in a bus error (synchronous external abort) and kernel panic. This causes random kernel panics during encoding operations: Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP Modules linked in: wave5 rpmsg_ctrl rpmsg_char ... CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread Tainted: G M W pc : wave5_vdi_read_register+0x10/0x38 [wave5] lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5] Call trace: wave5_vdi_read_register+0x10/0x38 [wave5] kthread_worker_fn+0xd8/0x238 kthread+0x104/0x120 ret_from_fork+0x10/0x20 Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: synchronous external abort: Fatal exception | 2026-05-06 | not yet calculated | CVE-2026-43229 | https://git.kernel.org/stable/c/b73d85231d5b1400a4fa5046cdac6c4d7cc6d969 https://git.kernel.org/stable/c/526816f2e331954d80fed8b37fa94efbbdde2b8d https://git.kernel.org/stable/c/dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f https://git.kernel.org/stable/c/b74cedac643b02aefa7da881b58a3792859d9748 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: radio-keene: fix memory leak in error path Fix a memory leak in usb_keene_probe(). The v4l2 control handler is initialized and controls are added, but if v4l2_device_register() or video_register_device() fails afterward, the handler was never freed, leaking memory. Add v4l2_ctrl_handler_free() call in the err_v4l2 error path to ensure the control handler is properly freed for all error paths after it is initialized. | 2026-05-06 | not yet calculated | CVE-2026-43231 | https://git.kernel.org/stable/c/ad85bb5623079a35bd400f51de2e2fbc2170bdb2 https://git.kernel.org/stable/c/242b0aabb1866024a7995a767ac330c158b39aa4 https://git.kernel.org/stable/c/2fe28a63d598235595a9601e0d8fdc7c8f4fd575 https://git.kernel.org/stable/c/27c508f61963013fdf29097578284099ee7a85a4 https://git.kernel.org/stable/c/7fa9754f48cb8eefa566156be341e63d313247e5 https://git.kernel.org/stable/c/1d8558a232ecb187e8e0328d6347a125f437a0fc https://git.kernel.org/stable/c/de204d87e7d61859937272fe30cbdd46a4cfb10a https://git.kernel.org/stable/c/b8bf939d77c0cd01118e953bbf554e0fa15e9006 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: team: avoid NETDEV_CHANGEMTU event when unregistering slave syzbot is reporting unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3 ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_hold include/linux/netdevice.h:4429 [inline] inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286 inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline] netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886 netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907 dev_set_mtu+0x126/0x260 net/core/dev_api.c:248 team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333 team_del_slave drivers/net/team/team_core.c:1936 [inline] team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline] call_netdevice_notifiers net/core/dev.c:2295 [inline] __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592 do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 problem. Ido Schimmel found steps to reproduce ip link add name team1 type team ip link add name dummy1 mtu 1499 master team1 type dummy ip netns add ns1 ip link set dev dummy1 netns ns1 ip -n ns1 link del dev dummy1 and also found that the same issue was fixed in the bond driver in commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when unregistering slave"). Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net: hold netdev instance lock during sysfs operations") and commit 303a8487a657 ("net: s/__dev_set_mtu/__netif_set_mtu/") also applied. | 2026-05-06 | not yet calculated | CVE-2026-43234 | https://git.kernel.org/stable/c/bce42728ac4887060a24a585c5122fbd24939db7 https://git.kernel.org/stable/c/5268892de70f0b29bde341db863b234aa9259c08 https://git.kernel.org/stable/c/bb4c698633c0e19717586a6524a33196cff01a32 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: Add missing platform data entries for SM8750 Two platform-data fields for SM8750 were missed: - get_vpu_buffer_size = iris_vpu33_buf_size Without this, the driver fails to allocate the required internal buffers, leading to basic decode/encode failures during session bring-up. - max_core_mbps = ((7680 * 4320) / 256) * 60 Without this capability exposed, capability checks are incomplete and v4l2-compliance for encoder fails. | 2026-05-06 | not yet calculated | CVE-2026-43235 | https://git.kernel.org/stable/c/1aa5833f29b88c16e9ad49a1782927754f3af742 https://git.kernel.org/stable/c/c7b2105a1cad1737eb877cdb4865618927623dd4 https://git.kernel.org/stable/c/bbef55f414100853d5bcea56a41f8b171bac8fcb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash() Commit 38a6f0865796 ("net: sched: support hash selecting tx queue") added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is computed as: mapping_mod = queue_mapping_max - queue_mapping + 1; The range size can be 65536 when the requested range covers all possible u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX). That value cannot be represented in a u16 and previously wrapped to 0, so tcf_skbedit_hash() could trigger a divide-by-zero: queue_mapping += skb_get_hash(skb) % params->mapping_mod; Compute mapping_mod in a wider type and reject ranges larger than U16_MAX to prevent params->mapping_mod from becoming 0 and avoid the crash. | 2026-05-06 | not yet calculated | CVE-2026-43238 | https://git.kernel.org/stable/c/59809fda4da7730cfe84a948033f47eb45db073d https://git.kernel.org/stable/c/9c735a7d98c982a786b0db71eb6566ee00aaa04f https://git.kernel.org/stable/c/015cebdfcb97b5347fb7f598ea712a281cb35840 https://git.kernel.org/stable/c/4ece5eb4836f8ff03b9004dc2430a7169f282851 https://git.kernel.org/stable/c/3c2b95b26860bd6f8e2310d31ea1200d3f8f173e https://git.kernel.org/stable/c/be054cc66f739a9ba615dba9012a07fab8e7dd6f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/kexec: add a sanity check on previous kernel's ima kexec buffer When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>", the physical range that contains the carried over IMA measurement list may fall outside the truncated RAM leading to a kernel panic. BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) - not-present page Other architectures already validate the range with page_is_ram(), as done in commit cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds") do a similar check on x86. Without carrying the measurement list across kexec, the attestation would fail. | 2026-05-06 | not yet calculated | CVE-2026-43240 | https://git.kernel.org/stable/c/37f18915a261afe84dab462624ed829cddb77a9b https://git.kernel.org/stable/c/22e460b6333a5f818b042ac89201f8e735556f4a https://git.kernel.org/stable/c/f8f73bf0f8a57ee9b86792456bd42079bc98c6b7 https://git.kernel.org/stable/c/d4a132f121c591b60dbaf57ea91f1faf11631fbc https://git.kernel.org/stable/c/4d7a8f5f28187e3d2958b2a134473da2665207e7 https://git.kernel.org/stable/c/c5489d04337b47e93c0623e8145fcba3f5739efd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access Number of MW LUTs depends on NTB configuration and can be set to MAX_MWS, This patch protects against invalid index out of bounds access to mw_sizes When invalid access print message to user that configuration is not valid. | 2026-05-06 | not yet calculated | CVE-2026-43241 | https://git.kernel.org/stable/c/348e1ac9ad983ed7e62de14e1daf47f1695a4ce9 https://git.kernel.org/stable/c/ee02c4f980c91820845dd8e469ec7dc670ab6d9d https://git.kernel.org/stable/c/740945de896021b9a859e71f38f6aea72a6393cf https://git.kernel.org/stable/c/85c9daa1f8319bbb3dfee71dc6a2f969cd3b4c92 https://git.kernel.org/stable/c/0e930420945106151c6eb3d7837b4e6154e9b144 https://git.kernel.org/stable/c/2346856b74823a2a78109002e479a3d02526a9ce https://git.kernel.org/stable/c/47ce292dd45dc689747c40603222691638919189 https://git.kernel.org/stable/c/c8ba7ad2cc1c7b90570aa347b8ebbe279f1eface |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: ti: k3-socinfo: Fix regmap leak on probe failure The mmio regmap allocated during probe is never freed. Switch to using the device managed allocator so that the regmap is released on probe failures (e.g. probe deferral) and on driver unbind. | 2026-05-06 | not yet calculated | CVE-2026-43242 | https://git.kernel.org/stable/c/c97c21d342838b2a7787b0f1d6ad417e85c906f6 https://git.kernel.org/stable/c/b1006b5892ec8a95d039a89b47e6fd69cf607405 https://git.kernel.org/stable/c/458136527fe127fd051c1c9537f4540849780d70 https://git.kernel.org/stable/c/d451bf970a0c54b586f8b3161261bdf35d463c99 https://git.kernel.org/stable/c/eaa16059f9af26d8b8a6f3e887649f58e8ca96c9 https://git.kernel.org/stable/c/ab1ac24c407e4df326d7154a4deadd444e9209d9 https://git.kernel.org/stable/c/bbaa9e615608c204d384a7d4b1a434580a142d4c https://git.kernel.org/stable/c/c933138d45176780fabbbe7da263e04d5b3e525d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add signal type check for dcn401 get_phyd32clk_src Trying to access link enc on a dpia link will cause a crash otherwise | 2026-05-06 | not yet calculated | CVE-2026-43243 | https://git.kernel.org/stable/c/23e7150afc70da615857f9f07b494ec58540f096 https://git.kernel.org/stable/c/486b2909ac284185900c06f05ffc6eca895f38b8 https://git.kernel.org/stable/c/e332112255afbce02db67760f5743a1b13aa8541 https://git.kernel.org/stable/c/c979d8db7b0f293111f2e83795ea353c8ed75de9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kcm: fix zero-frag skb in frag_list on partial sendmsg error Syzkaller reported a warning in kcm_write_msgs() when processing a message with a zero-fragment skb in the frag_list. When kcm_sendmsg() fills MAX_SKB_FRAGS fragments in the current skb, it allocates a new skb (tskb) and links it into the frag_list before copying data. If the copy subsequently fails (e.g. -EFAULT from user memory), tskb remains in the frag_list with zero fragments: head skb (msg being assembled, NOT yet in sk_write_queue) +-----------+ | frags[17] | (MAX_SKB_FRAGS, all filled with data) | frag_list-+--> tskb +-----------+ +----------+ | frags[0] | (empty! copy failed before filling) +----------+ For SOCK_SEQPACKET with partial data already copied, the error path saves this message via partial_message for later completion. For SOCK_SEQPACKET, sock_write_iter() automatically sets MSG_EOR, so a subsequent zero-length write(fd, NULL, 0) completes the message and queues it to sk_write_queue. kcm_write_msgs() then walks the frag_list and hits: WARN_ON(!skb_shinfo(skb)->nr_frags) TCP has a similar pattern where skbs are enqueued before data copy and cleaned up on failure via tcp_remove_empty_skb(). KCM was missing the equivalent cleanup. Fix this by tracking the predecessor skb (frag_prev) when allocating a new frag_list entry. On error, if the tail skb has zero frags, use frag_prev to unlink and free it in O(1) without walking the singly-linked frag_list. frag_prev is safe to dereference because the entire message chain is only held locally (or in kcm->seq_skb) and is not added to sk_write_queue until MSG_EOR, so the send path cannot free it underneath us. Also change the WARN_ON to WARN_ON_ONCE to avoid flooding the log if the condition is somehow hit repeatedly. There are currently no KCM selftests in the kernel tree; a simple reproducer is available at [1]. [1] https://gist.github.com/mrpre/a94d431c757e8d6f168f4dd1a3749daa | 2026-05-06 | not yet calculated | CVE-2026-43244 | https://git.kernel.org/stable/c/9ea3671d70ee07480d80bebe86696397c4e99fb7 https://git.kernel.org/stable/c/b1e3edf688a88c1a3ac41657055d9c136a08cd25 https://git.kernel.org/stable/c/7af58f76e4b404a74c836881a845e6652db8a09f https://git.kernel.org/stable/c/ca220141fa8ebae09765a242076b2b77338106b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: i2c/tw9906: Fix potential memory leak in tw9906_probe() In one of the error paths in tw9906_probe(), the memory allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that by calling v4l2_ctrl_handler_free() on the handler in that error path. | 2026-05-06 | not yet calculated | CVE-2026-43246 | https://git.kernel.org/stable/c/e9a490937942f18205dac7b6b192975ef1369ae1 https://git.kernel.org/stable/c/9548a8bbf511a252a9848f96220c6b95c9a3b918 https://git.kernel.org/stable/c/0c33338514d8246280533a77091e6b6ee548c606 https://git.kernel.org/stable/c/ccb92def042a3636ed47f25a30bd553788e5191e https://git.kernel.org/stable/c/fb09d8b80046216646f1a344410cfa9cfa6c6c7c https://git.kernel.org/stable/c/377a7756914364d72550fc86ca0f404ef1d96141 https://git.kernel.org/stable/c/59420d5d9c46b084e21f9ea6ce79fc79ae9e414c https://git.kernel.org/stable/c/cad237b6c875fbee5d353a2b289e98d240d17ec8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix SError of kernel panic when closed SError of kernel panic rarely happened while testing fluster. The root cause was to enter suspend mode because timeout of autosuspend delay happened. [ 48.834439] SError Interrupt on CPU0, code 0x00000000bf000000 -- SError [ 48.834455] CPU: 0 UID: 0 PID: 1067 Comm: v4l2h265dec0:sr Not tainted 6.12.9-gc9e21a1ebd75-dirty #7 [ 48.834461] Hardware name: ti Texas Instruments J721S2 EVM/Texas Instruments J721S2 EVM, BIOS 2025.01-00345-gbaf3aaa8ecfa 01/01/2025 [ 48.834464] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 48.834468] pc : wave5_dec_clr_disp_flag+0x40/0x80 [wave5] [ 48.834488] lr : wave5_dec_clr_disp_flag+0x40/0x80 [wave5] [ 48.834495] sp : ffff8000856e3a30 [ 48.834497] x29: ffff8000856e3a30 x28: ffff0008093f6010 x27: ffff000809158130 [ 48.834504] x26: 0000000000000000 x25: ffff00080b625000 x24: ffff000804a9ba80 [ 48.834509] x23: ffff000802343028 x22: ffff000809158150 x21: ffff000802218000 [ 48.834513] x20: ffff0008093f6000 x19: ffff0008093f6000 x18: 0000000000000000 [ 48.834518] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff74009618 [ 48.834523] x14: 000000010000000c x13: 0000000000000000 x12: 0000000000000000 [ 48.834527] x11: ffffffffffffffff x10: ffffffffffffffff x9 : ffff000802343028 [ 48.834532] x8 : ffff00080b6252a0 x7 : 0000000000000038 x6 : 0000000000000000 [ 48.834536] x5 : ffff00080b625060 x4 : 0000000000000000 x3 : 0000000000000000 [ 48.834541] x2 : 0000000000000000 x1 : ffff800084bf0118 x0 : ffff800084bf0000 [ 48.834547] Kernel panic - not syncing: Asynchronous SError Interrupt [ 48.834549] CPU: 0 UID: 0 PID: 1067 Comm: v4l2h265dec0:sr Not tainted 6.12.9-gc9e21a1ebd75-dirty #7 [ 48.834554] Hardware name: ti Texas Instruments J721S2 EVM/Texas Instruments J721S2 EVM, BIOS 2025.01-00345-gbaf3aaa8ecfa 01/01/2025 [ 48.834556] Call trace: [ 48.834559] dump_backtrace+0x94/0xec [ 48.834574] show_stack+0x18/0x24 [ 48.834579] dump_stack_lvl+0x38/0x90 [ 48.834585] dump_stack+0x18/0x24 [ 48.834588] panic+0x35c/0x3e0 [ 48.834592] nmi_panic+0x40/0x8c [ 48.834595] arm64_serror_panic+0x64/0x70 [ 48.834598] do_serror+0x3c/0x78 [ 48.834601] el1h_64_error_handler+0x34/0x4c [ 48.834605] el1h_64_error+0x64/0x68 [ 48.834608] wave5_dec_clr_disp_flag+0x40/0x80 [wave5] [ 48.834615] wave5_vpu_dec_clr_disp_flag+0x54/0x80 [wave5] [ 48.834622] wave5_vpu_dec_buf_queue+0x19c/0x1a0 [wave5] [ 48.834628] __enqueue_in_driver+0x3c/0x74 [videobuf2_common] [ 48.834639] vb2_core_qbuf+0x508/0x61c [videobuf2_common] [ 48.834646] vb2_qbuf+0xa4/0x168 [videobuf2_v4l2] [ 48.834656] v4l2_m2m_qbuf+0x80/0x238 [v4l2_mem2mem] [ 48.834666] v4l2_m2m_ioctl_qbuf+0x18/0x24 [v4l2_mem2mem] [ 48.834673] v4l_qbuf+0x48/0x5c [videodev] [ 48.834704] __video_do_ioctl+0x180/0x3f0 [videodev] [ 48.834725] video_usercopy+0x2ec/0x68c [videodev] [ 48.834745] video_ioctl2+0x18/0x24 [videodev] [ 48.834766] v4l2_ioctl+0x40/0x60 [videodev] [ 48.834786] __arm64_sys_ioctl+0xa8/0xec [ 48.834793] invoke_syscall+0x44/0x100 [ 48.834800] el0_svc_common.constprop.0+0xc0/0xe0 [ 48.834804] do_el0_svc+0x1c/0x28 [ 48.834809] el0_svc+0x30/0xd0 [ 48.834813] el0t_64_sync_handler+0xc0/0xc4 [ 48.834816] el0t_64_sync+0x190/0x194 [ 48.834820] SMP: stopping secondary CPUs [ 48.834831] Kernel Offset: disabled [ 48.834833] CPU features: 0x08,00002002,80200000,4200421b [ 48.834837] Memory Limit: none [ 49.161404] ---[ end Kernel panic - not syncing: Asynchronous SError Interrupt ]--- | 2026-05-06 | not yet calculated | CVE-2026-43247 | https://git.kernel.org/stable/c/27cb12b7dc88c51582094eeb2b65b0e94603e411 https://git.kernel.org/stable/c/5da55243fe190c2165ed34e77091a43c0ff74f10 https://git.kernel.org/stable/c/cbb9c0d50e471483cced55f5b7db4569dcd959a6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke() The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted). | 2026-05-06 | not yet calculated | CVE-2026-43250 | https://git.kernel.org/stable/c/1b72b834511d17f4d069d512f78671f3f210a2f1 https://git.kernel.org/stable/c/f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec https://git.kernel.org/stable/c/e74c436f8568af1c60942469d0a2300b3ada3857 https://git.kernel.org/stable/c/cea2a1257a3b5ea3e769a445b34af13e6aa5a123 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: prodikeys: Check presence of pm->input_ep82 Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This does not happen with the real device, but can be provoked by imposing as one. | 2026-05-06 | not yet calculated | CVE-2026-43251 | https://git.kernel.org/stable/c/f580c79683356632f12f2c2029f2fe936d953aa1 https://git.kernel.org/stable/c/ee572578f09f0e743e9383393a75c3a7a0f9b4c2 https://git.kernel.org/stable/c/edccbf7d6dc05d692bde3a89de5a4001f72a0fa4 https://git.kernel.org/stable/c/3f1b21cc67a15d7d081378a9b8747dd000a017b8 https://git.kernel.org/stable/c/e7ac1cd823cd2e9fcbd5cb0b261d6d35dbb79341 https://git.kernel.org/stable/c/d5512ce892f774d37c53082adadfcad04f21b50e https://git.kernel.org/stable/c/d08f35f843881ec504d7537a9bb728a073db3366 https://git.kernel.org/stable/c/cee8337e1bad168136aecfe6416ecd7d3aa7529a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: in-kernel: always set ID as avail when rm endp Syzkaller managed to find a combination of actions that was generating this warning: WARNING: net/mptcp/pm_kernel.c:1074 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline], CPU#1: syz.7.48/2535 WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline], CPU#1: syz.7.48/2535 WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline], CPU#1: syz.7.48/2535 WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538, CPU#1: syz.7.48/2535 Modules linked in: CPU: 1 UID: 0 PID: 2535 Comm: syz.7.48 Not tainted 6.18.0-03987-gea5f5e676cf5 #17 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 25.10 PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline] RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline] RIP: 0010:mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline] RIP: 0010:mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538 Code: 89 c7 e8 c5 8c 73 fe e9 f7 fd ff ff 49 83 ef 80 e8 b7 8c 73 fe 4c 89 ff be 03 00 00 00 e8 4a 29 e3 fe eb ac e8 a3 8c 73 fe 90 <0f> 0b 90 e9 3d ff ff ff e8 95 8c 73 fe b8 a1 ff ff ff eb 1a e8 89 RSP: 0018:ffffc9001535b820 EFLAGS: 00010287 netdevsim0: tun_chr_ioctl cmd 1074025677 RAX: ffffffff82da294d RBX: 0000000000000001 RCX: 0000000000080000 RDX: ffffc900096d0000 RSI: 00000000000006d6 RDI: 00000000000006d7 netdevsim0: linktype set to 823 RBP: ffff88802cdb2240 R08: 00000000000104ae R09: ffffffffffffffff R10: ffffffff82da27d4 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88801246d8c0 R14: ffffc9001535b8b8 R15: ffff88802cdb1800 FS: 00007fc6ac5a76c0(0000) GS:ffff8880f90c8000(0000) knlGS:0000000000000000 netlink: 'syz.3.50': attribute type 5 has an invalid length. CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 netlink: 1232 bytes leftover after parsing attributes in process `syz.3.50'. CR2: 0000200000010000 CR3: 0000000025b1a000 CR4: 0000000000350ef0 Call Trace: <TASK> mptcp_pm_set_flags net/mptcp/pm_netlink.c:277 [inline] mptcp_pm_nl_set_flags_doit+0x1d7/0x210 net/mptcp/pm_netlink.c:282 genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x4ab/0x5b0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0xc9/0xf0 net/socket.c:733 ____sys_sendmsg+0x272/0x3b0 net/socket.c:2608 ___sys_sendmsg+0x2de/0x320 net/socket.c:2662 __sys_sendmsg net/socket.c:2694 [inline] __do_sys_sendmsg net/socket.c:2699 [inline] __se_sys_sendmsg net/socket.c:2697 [inline] __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2697 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xed/0x360 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc6adb66f6d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc6ac5a6ff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fc6addf5fa0 RCX: 00007fc6adb66f6d RDX: 0000000000048084 RSI: 00002000000002c0 RDI: 000000000000000e RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000 ---truncated--- | 2026-05-06 | not yet calculated | CVE-2026-43252 | https://git.kernel.org/stable/c/d90d73ad183566c81320d453a223f610a280f210 https://git.kernel.org/stable/c/1b3ff4d88b508b73e2bbddb59356311efb7ba192 https://git.kernel.org/stable/c/7c1d221e475e3d8eb8ed4702392d43f8c5134d1f https://git.kernel.org/stable/c/7e4d88e36e5d0b8ffda637999cbca64c81701a81 https://git.kernel.org/stable/c/4d480efd98e290c445f4ba476e4dcda5624b1aab https://git.kernel.org/stable/c/d191101dee25567c2af3b28565f45346c33d65f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix WARNING in usb_tx_block The function usb_tx_block() submits cardp->tx_urb without ensuring that any previous transmission on this URB has completed. If a second call occurs while the URB is still active (e.g. during rapid firmware loading), usb_submit_urb() detects the active state and triggers a warning: 'URB submitted while active'. Fix this by enforcing serialization: call usb_kill_urb() before submitting the new request. This ensures the URB is idle and safe to reuse. | 2026-05-06 | not yet calculated | CVE-2026-43255 | https://git.kernel.org/stable/c/498525d8358d6d20918787e59736d5b6a021e9fd https://git.kernel.org/stable/c/2902a9b4415a6bafc9b1e5dd360f065d757a0bb7 https://git.kernel.org/stable/c/948a39c95d0f8d73722910f8cdb7b6e3e9206232 https://git.kernel.org/stable/c/5bfb25495e391a1be0db94b15715174fa06b93a1 https://git.kernel.org/stable/c/b82073564373e68c6ae3a96039fae14cd002a496 https://git.kernel.org/stable/c/3308c7504e093b22e91a4468470309cee2e26b83 https://git.kernel.org/stable/c/fc188b44547dea4e7350833171982a6312befde9 https://git.kernel.org/stable/c/d66676e6ca96bf8680f869a9bd6573b26c634622 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: cx88: Add missing unmap in snd_cx88_hw_params() In error path, add cx88_alsa_dma_unmap() to release resource acquired by cx88_alsa_dma_map(). | 2026-05-06 | not yet calculated | CVE-2026-43257 | https://git.kernel.org/stable/c/f0d7f735eba963742009b0706e19dd0bed91537a https://git.kernel.org/stable/c/dc911fccc6e08ef46a66b2a42a764252b001ee3c https://git.kernel.org/stable/c/24f3dabeb97bd0bec8c1c926c97e3eb6a8129225 https://git.kernel.org/stable/c/10ab64f8efc2f479293dce929fde326c285fc96f https://git.kernel.org/stable/c/e3fb15aadfc8643203bbdf97ace0396e4586fa64 https://git.kernel.org/stable/c/1ce8c2a8f050a23240553c8bae628ac623f9dbc1 https://git.kernel.org/stable/c/3baefeeb7b85e1e34eebef399ffa312be7179e30 https://git.kernel.org/stable/c/dbc527d980f7ba8559de38f8c1e4158c71a78915 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: fsl-imx8mq-usb: set platform driver data Add missing platform_set_drvdata() as the data will be used in remove(). | 2026-05-06 | not yet calculated | CVE-2026-43259 | https://git.kernel.org/stable/c/42d9509161d0539767ba875f3ef6b4b3c0b425ed https://git.kernel.org/stable/c/06db8c06d94858cda4b3870f421a1aeeef617690 https://git.kernel.org/stable/c/debf8326a435ac746f48173e4742a574810f1ff4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when netif_running() is true to help delete RSS contexts with interface down. Having that condition will make the driver leak VNICs in FW whenever close() happens with active RSS contexts. On the subsequent open(), as part of RSS context restoration, we will end up trying to create extra VNICs for which we did not make any reservation. FW can fail this request, thereby making us lose active RSS contexts. Suppose an RSS context is deleted already and we try to process a delete request again, then the HWRM functions will check for validity of the request and they simply return if the resource is already freed. So, even for delete-when-down cases, netif_running() check is not necessary. Remove the netif_running() condition check when deleting an RSS context. | 2026-05-06 | not yet calculated | CVE-2026-43260 | https://git.kernel.org/stable/c/348a5f8d06c7bdf954e13c17ad5f80b59a075604 https://git.kernel.org/stable/c/079986d6db1f8e3d50c55f400cf998ac9690d2c8 https://git.kernel.org/stable/c/9a9b89eea4a9cc7726702946ff688d716962fabd https://git.kernel.org/stable/c/e123d9302d223767bd910bfbcfe607bae909f8ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: Add support for TSV110 Spectre-BHB mitigation The TSV110 processor is vulnerable to the Spectre-BHB (Branch History Buffer) attack, which can be exploited to leak information through branch prediction side channels. This commit adds the MIDR of TSV110 to the list for software mitigation. | 2026-05-06 | not yet calculated | CVE-2026-43261 | https://git.kernel.org/stable/c/598c11dd4f4a9de31d854fcb9702f54c1c70f0d0 https://git.kernel.org/stable/c/a8d0ad5d990b050a6db74218a34b5529085e16b8 https://git.kernel.org/stable/c/cccf96c49f61e47d9332d6a4d1c7fe9a2df44440 https://git.kernel.org/stable/c/fd7e360845d331f542854d552469544182e61134 https://git.kernel.org/stable/c/5dbe1f14359735fa50ba0dd4a496125b5bc7f422 https://git.kernel.org/stable/c/fd51d47fcacec3ca027eb65d8c44853d3b6cea95 https://git.kernel.org/stable/c/ad0c356cae164ed5dbd1f4cfd438e46faa5292cb https://git.kernel.org/stable/c/e3baa5d4b361276efeb87b20d8beced451a7dbd5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gfs2: fiemap page fault fix In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode glock. This can lead to recursive glock taking if the fiemap buffer is memory mapped to the same inode and accessing it triggers a page fault. Fix by disabling page faults for iomap_fiemap() and faulting in the buffer by hand if necessary. Fixes xfstest generic/742. | 2026-05-06 | not yet calculated | CVE-2026-43262 | https://git.kernel.org/stable/c/5d5d9ec957bfa1eb2b05861c19f5d701dd006db7 https://git.kernel.org/stable/c/cead3bebf3e318578b8a86a5472015d713d2a8a8 https://git.kernel.org/stable/c/e428670cfb2993d8c224effd076242ca6b0950de https://git.kernel.org/stable/c/5d2c4f182ea8516de8682e2b60411c03df00e3ea https://git.kernel.org/stable/c/2e121c53b581e40397ae08090a7af4ed10781fbc https://git.kernel.org/stable/c/9d15fee888f0e8938c9aeed71ec9c2cbba0c88ab https://git.kernel.org/stable/c/e411d74cc5ba290f85d0dd5e4d1df8f1d6d975d2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: of: display_timing: fix refcount leak in of_get_display_timings() of_parse_phandle() returns a device_node with refcount incremented, which is stored in 'entry' and then copied to 'native_mode'. When the error paths at lines 184 or 192 jump to 'entryfail', native_mode's refcount is not decremented, causing a refcount leak. Fix this by changing the goto target from 'entryfail' to 'timingfail', which properly calls of_node_put(native_mode) before cleanup. | 2026-05-06 | not yet calculated | CVE-2026-43264 | https://git.kernel.org/stable/c/20881ad42e651c69d89eb38a2042838187900fd6 https://git.kernel.org/stable/c/b5bdcc5afbff845834d04d651773cb6b47db5dd3 https://git.kernel.org/stable/c/2b22e4fe1273c24f405ed7903349c4bbd82b6368 https://git.kernel.org/stable/c/3ed019654234edb8625c05d05e15d40f74e64f70 https://git.kernel.org/stable/c/d6f34bbff07476c6abb8672c89d217824871c5ed https://git.kernel.org/stable/c/69290f2d3999c5fa1a7f5d5593cfc5461fa3ee64 https://git.kernel.org/stable/c/c5734f9030a8b1e13868d1641b5163d8e659306e https://git.kernel.org/stable/c/eacf9840ae1285a1ef47eb0ce16d786e542bd4d7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's demise. Continuing with the wakeup isn't perfect either, as *something* has gone sideways if a vCPU is awakened in L2 with an injected event (or worse, a nested run pending), but continuing on gives the VM a decent chance of surviving without any major side effects. As explained in the Fixes commits, it _should_ be impossible for a vCPU to be put into a blocking state with an already-injected event (exception, IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected events, and thus put the vCPU into what should be an impossible state. Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be violating x86 architecture, e.g. by WARNing if KVM attempts to inject an exception or interrupt while the vCPU isn't running. | 2026-05-06 | not yet calculated | CVE-2026-43265 | https://git.kernel.org/stable/c/78265cd066d73a5cb41c088fcae4a2515e480d97 https://git.kernel.org/stable/c/ec3be7dc9391085a2d96700e159d66d1328b7ff6 https://git.kernel.org/stable/c/2657439265d34a911886b916ba8be97ecc117d51 https://git.kernel.org/stable/c/1e88b5f854bdb469424132e0bb44793ad7a7c20a https://git.kernel.org/stable/c/1c957773063ed3264953597e32990a748381caf6 https://git.kernel.org/stable/c/ead63640d4e72e6f6d464f4e31f7fecb79af8869 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't go past the ARM processor CPER record buffer There's a logic inside GHES/CPER to detect if the section_length is too small, but it doesn't detect if it is too big. Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, kernel will blindly trust section_length, producing a very long dump. For instance, a 67 bytes record with ERR_INFO_NUM set 46198 and section length set to 854918320 would dump a lot of data going a way past the firmware memory-mapped area. Fix it by adding a logic to prevent it to go past the buffer if ERR_INFO_NUM is too big, making it report instead: [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [Hardware Error]: event severity: recoverable [Hardware Error]: Error 0, type: recoverable [Hardware Error]: section_type: ARM processor error [Hardware Error]: MIDR: 0xff304b2f8476870a [Hardware Error]: section length: 854918320, CPER size: 67 [Hardware Error]: section length is too big [Hardware Error]: firmware-generated error record is incorrect [Hardware Error]: ERR_INFO_NUM is 46198 [ rjw: Subject and changelog tweaks ] | 2026-05-06 | not yet calculated | CVE-2026-43266 | https://git.kernel.org/stable/c/c80113dcfc807308f5ab33847fae77e07531aeb8 https://git.kernel.org/stable/c/ca2aad8771aa9091bc9e42e7d546bd40b72ddcd4 https://git.kernel.org/stable/c/a68d22902a6916e10ee235fee609239004e129d0 https://git.kernel.org/stable/c/64eb63f573f497553e1a0c388bbcdd639e0f0704 https://git.kernel.org/stable/c/be10c1bdf64a39832998f54900aa309b3917abcf https://git.kernel.org/stable/c/25b290624b0e3d2f0f90238709ee0b6009b9fde8 https://git.kernel.org/stable/c/45766863baf899059e75595dd3cb1116467f2095 https://git.kernel.org/stable/c/eae21beecb95a3b69ee5c38a659f774e171d730e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential zero beacon interval in beacon tracking During fuzz testing, it was discovered that bss_conf->beacon_int might be zero, which could result in a division by zero error in subsequent calculations. Set a default value of 100 TU if the interval is zero to ensure stability. | 2026-05-06 | not yet calculated | CVE-2026-43267 | https://git.kernel.org/stable/c/1260bee01493126cf9c872b6ca2af261173baa6d https://git.kernel.org/stable/c/e00c9a4ec84c0bb067833b34202f457badbbc1c1 https://git.kernel.org/stable/c/eb57be32f438c57c88d6ce756101c1dfbcc03bba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: pretend special inodes as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for special inodes. | 2026-05-06 | not yet calculated | CVE-2026-43268 | https://git.kernel.org/stable/c/dcac5582f90b55a267d89769073c5651990b2ec5 https://git.kernel.org/stable/c/799c492a619a10322543d13e6d2a6d27335c868c https://git.kernel.org/stable/c/676bc99d0b3e356cdfec5d8204518e1aac14ec84 https://git.kernel.org/stable/c/de9affb698d5034888314880736925c39d6d048e https://git.kernel.org/stable/c/d209ebaee93fc5089101d34d1b38a91d7abb03fd https://git.kernel.org/stable/c/67407d6abc9520a8a4661285b3ed294eb73ff6e7 https://git.kernel.org/stable/c/9353d4ee26dc33f6ada1646e84660f4c59189763 https://git.kernel.org/stable/c/ed8889ca21b6ab37bc1435c4009ce37a79acb9e6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback After several commits, the slab memory increases. Some drm_crtc_commit objects are not freed. The atomic_destroy_state callback only put the framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function to put all the objects that are no longer needed. It has been seen after hours of usage of a graphics application or using kmemleak: unreferenced object 0xc63a6580 (size 64): comm "egt_basic", pid 171, jiffies 4294940784 hex dump (first 32 bytes): 40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6 @P4..........e:. 8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6 .e:......e:..e:. backtrace (crc c25aa925): kmemleak_alloc+0x34/0x3c __kmalloc_cache_noprof+0x150/0x1a4 drm_atomic_helper_setup_commit+0x1e8/0x7bc drm_atomic_helper_commit+0x3c/0x15c drm_atomic_commit+0xc0/0xf4 drm_atomic_helper_set_config+0x84/0xb8 drm_mode_setcrtc+0x32c/0x810 drm_ioctl+0x20c/0x488 sys_ioctl+0x14c/0xc20 ret_fast_syscall+0x0/0x54 | 2026-05-06 | not yet calculated | CVE-2026-43269 | https://git.kernel.org/stable/c/6d4e91ab97fda64e8cf9c8881cc3b4da026bd849 https://git.kernel.org/stable/c/5718d98976ad6b9700e5a6afec67fc47a8a92580 https://git.kernel.org/stable/c/57fa3487acfa3467405f8506b94682abd96e7393 https://git.kernel.org/stable/c/ec40702029b08ee8d5f5b03303d64a10e74a957b https://git.kernel.org/stable/c/25e832a7830740e72103eb0b527680a4b64bbcb3 https://git.kernel.org/stable/c/082271e364a3205598c2e4e6233a9f49ce7941cf https://git.kernel.org/stable/c/3e64e78f4a70e3f6ac8fe5a7071f08ffd25a2489 https://git.kernel.org/stable/c/f12352471061df83a36edf54bbb16284793284e4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove() In mtk_mdp_probe(), vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak. | 2026-05-06 | not yet calculated | CVE-2026-43270 | https://git.kernel.org/stable/c/403b7c757ac9f6b2ffb7d00ff4795a245f5e8911 https://git.kernel.org/stable/c/dd530e29bd514d7187b3e2df8eb2107419c7988f https://git.kernel.org/stable/c/c44beed2e5caf2cbbe651432baa3a129f18b0169 https://git.kernel.org/stable/c/564fd3a63efc3ebbdb5d0a8fc7c0d3f753fbbd5d https://git.kernel.org/stable/c/4f2a51433a3a65d16975d1e32052d80656da077d https://git.kernel.org/stable/c/a62ba5aa9ee95fd953583e95e519badf0b76ecf3 https://git.kernel.org/stable/c/2d93758f42a57f3485534eab858b308e41653de4 https://git.kernel.org/stable/c/f128bab57b8018e526b7eda854ca20069863af47 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run): 1. bitmap_load() is called, which invokes md_cluster_ops->join(). 2. join() starts the "cluster_recv" thread (recv_daemon). 3. At this point, recv_daemon is active and processing messages. 4. However, mddev->thread (the main MD thread) is not initialized until later in md_run(). If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic. To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it. | 2026-05-06 | not yet calculated | CVE-2026-43271 | https://git.kernel.org/stable/c/a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1 https://git.kernel.org/stable/c/dec123825c1ed74d98fd5fc7571a851dea4f46ff https://git.kernel.org/stable/c/721599e837d3f4c0e6cc14da059612c017b6d3ec https://git.kernel.org/stable/c/dceb5a843910004cb118148e267036104fc3ee43 https://git.kernel.org/stable/c/f150e753cb8dd756085f46e86f2c35ce472e0a3c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix possible dereference of uninitialized pointer There is a pointer head_page in rb_meta_validate_events() which is not initialized at the beginning of a function. This pointer can be dereferenced if there is a failure during reader page validation. In this case the control is passed to "invalid" label where the pointer is dereferenced in a loop. To fix the issue initialize orig_head and head_page before calling rb_validate_buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-05-06 | not yet calculated | CVE-2026-43272 | https://git.kernel.org/stable/c/bc77986f3cb7476637052edf2d87137fa39f153d https://git.kernel.org/stable/c/d9942396845fef2369478c157b26738fe07142f6 https://git.kernel.org/stable/c/f1547779402c4cd67755c33616b7203baa88420b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: supply snapshot context in ceph_zero_partial_object() The ceph_zero_partial_object function was missing proper snapshot context for its OSD write operations, which could lead to data inconsistencies in snapshots. Reproducer: ../src/vstart.sh --new -x --localhost --bluestore ./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a' mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf dd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1 mkdir /mnt/mycephfs/.snap/snap1 md5sum /mnt/mycephfs/.snap/snap1/foo fallocate -p -o 0 -l 4096 /mnt/mycephfs/foo echo 3 > /proc/sys/vm/drop/caches md5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!! | 2026-05-06 | not yet calculated | CVE-2026-43273 | https://git.kernel.org/stable/c/36673344b41c31fb502dd0d0113cec1aa96f581e https://git.kernel.org/stable/c/5788b742007f53406049bef917833a71ddd43f60 https://git.kernel.org/stable/c/757873abfc8ea38592582180aed0f57f0f0cb07a https://git.kernel.org/stable/c/9efa154609cdb658f51c7d76b30a09f7e6485250 https://git.kernel.org/stable/c/531a76c5a2e44264cee8a70121e63eb28c1ba728 https://git.kernel.org/stable/c/69e59a87bab0ea31ab2a584fc65e12dafacf8953 https://git.kernel.org/stable/c/4097e70fc543cca72982854108a32f6ae924e727 https://git.kernel.org/stable/c/f16bd3fa74a2084ee7e16a8a2be7e7399b970907 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFS_PM_LVL_0. When the RPM level is zero, the device power mode and link state both remain active. Previously, the UFS core driver bypassed flushing exception event handling jobs in this configuration. This created a race condition where the driver could attempt to access the host controller to handle an exception after the system had already entered a deep power-down state, resulting in a system crash. Explicitly flush this work and disable auto BKOPs before the suspend callback proceeds. This guarantees that pending exception tasks complete and prevents illegal hardware access during the power-down sequence. | 2026-05-06 | not yet calculated | CVE-2026-43275 | https://git.kernel.org/stable/c/d5c3a1a13f97355c397f9439d79cb04b182958a3 https://git.kernel.org/stable/c/5d186731bc335cc049d4e57ab9f563cfab95593e https://git.kernel.org/stable/c/aa8d68d97c7f0ef966e51afc17fdbdc372700edf https://git.kernel.org/stable/c/aac2fee7513dd25042a616f86a1469b4858d2c5c https://git.kernel.org/stable/c/78d8e2d6352e8317686ee3a44811ac14c415a57d https://git.kernel.org/stable/c/ab71c146c135f9af1614ef0fc29a0a3b84f1a373 https://git.kernel.org/stable/c/f8ef441811ec413717f188f63d99182f30f0f08e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix double destroy_workqueue on service rescan PCI path While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path. When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() destroys gc->service_wq. If the subsequent mana_gd_resume() fails with -ETIMEDOUT or -EPROTO, the code falls through to mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). This invokes the PCI .remove callback (mana_gd_remove), which calls mana_gd_cleanup() a second time, attempting to destroy the already- freed workqueue. Fix this by NULL-checking gc->service_wq in mana_gd_cleanup() and setting it to NULL after destruction. Call stack of issue for reference: [Sat Feb 21 18:53:48 2026] Call Trace: [Sat Feb 21 18:53:48 2026] <TASK> [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana] [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana] [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0 [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70 [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250 [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20 [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90 [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30 [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana] [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana] [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0 [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0 [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130 [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30 [Sat Feb 21 18:53:48 2026] </TASK> | 2026-05-06 | not yet calculated | CVE-2026-43276 | https://git.kernel.org/stable/c/fa3c2f8d9152344a478abb847081c1b5f84a94f5 https://git.kernel.org/stable/c/a9a7c3203fdc4d4a8d8a7a3b1ed05d2bb4c6e77e https://git.kernel.org/stable/c/f975a0955276579e2176a134366ed586071c7c6a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: APEI/GHES: ensure that won't go past CPER allocated record The logic at ghes_new() prevents allocating too large records, by checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB). Yet, the allocation is done with the actual number of pages from the CPER bios table location, which can be smaller. Yet, a bad firmware could send data with a different size, which might be bigger than the allocated memory, causing an OOPS: Unable to handle kernel paging request at virtual address fff00000f9b40000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000 [fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000 Internal error: Oops: 0000000096000007 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022 Workqueue: kacpi_notify acpi_os_execute_deferred pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : hex_dump_to_buffer+0x30c/0x4a0 lr : hex_dump_to_buffer+0x328/0x4a0 sp : ffff800080e13880 x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083 x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004 x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083 x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010 x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020 x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008 x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020 x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000 x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008 Call trace: hex_dump_to_buffer+0x30c/0x4a0 (P) print_hex_dump+0xac/0x170 cper_estatus_print_section+0x90c/0x968 cper_estatus_print+0xf0/0x158 __ghes_print_estatus+0xa0/0x148 ghes_proc+0x1bc/0x220 ghes_notify_hed+0x5c/0xb8 notifier_call_chain+0x78/0x148 blocking_notifier_call_chain+0x4c/0x80 acpi_hed_notify+0x28/0x40 acpi_ev_notify_dispatch+0x50/0x80 acpi_os_execute_deferred+0x24/0x48 process_one_work+0x15c/0x3b0 worker_thread+0x2d0/0x400 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44) ---[ end trace 0000000000000000 ]--- Prevent that by taking the actual allocated are into account when checking for CPER length. [ rjw: Subject tweaks ] | 2026-05-06 | not yet calculated | CVE-2026-43277 | https://git.kernel.org/stable/c/92ba79074c58e65a6e32713758c5a9aecd33c2ea https://git.kernel.org/stable/c/616c120dcdf1ce96edcd818e38bce49667f80689 https://git.kernel.org/stable/c/f3740a1562445f36f08afab8af59e37117b3acdc https://git.kernel.org/stable/c/e0ec99115e135dbb58e11a0df007c7d4771d4a17 https://git.kernel.org/stable/c/b6be51a12441136fdf8c49b2525689fbea1856e1 https://git.kernel.org/stable/c/6f5d41984ad896736c23e2fff7c80e15c1319132 https://git.kernel.org/stable/c/98bd9b28d4d11e6739ad86524b4be4ada9025e60 https://git.kernel.org/stable/c/fa2408a24f8f0db14d9cfc613ef162dc267d7ad4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function. | 2026-05-06 | not yet calculated | CVE-2026-43281 | https://git.kernel.org/stable/c/2662ed331a69c0b551f78af58f12eb629a89a36f https://git.kernel.org/stable/c/31c4c67dec3362094a6747a171a4848e98542265 https://git.kernel.org/stable/c/01d9a8c2615d436b2b30c19c1afe9fcd5726ff6d https://git.kernel.org/stable/c/4caae8168d1b808c7d4ff481295292e3f97f90fb https://git.kernel.org/stable/c/f50b39fd7c72a8734153644ee945ca0d8b2e65ab https://git.kernel.org/stable/c/fcd7f96c783626c07ee3ed75fa3739a8a2052310 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port The function ionic_query_port() calls ib_device_get_netdev() without checking the return value which could lead to NULL pointer dereference, Fix it by checking the return value and return -ENODEV if the 'ndev' is NULL. | 2026-05-06 | not yet calculated | CVE-2026-43282 | https://git.kernel.org/stable/c/2b96156c927cd83c109e2e3946e6111dce73231f https://git.kernel.org/stable/c/81932a46dfd0db10a03f46f0b1c7ef946ac4552f https://git.kernel.org/stable/c/fd80bd7105f88189f47d465ca8cb7d115570de30 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/slab: do not access current->mems_allowed_seq if !allow_spin Lockdep complains when get_from_any_partial() is called in an NMI context, because current->mems_allowed_seq is seqcount_spinlock_t and not NMI-safe: ================================ WARNING: inconsistent lock state 6.19.0-rc5-kfree-rcu+ #315 Tainted: G N -------------------------------- inconsistent {INITIAL USE} -> {IN-NMI} usage. kunit_try_catch/9989 [HC1[1]:SC0[0]:HE0:SE1] takes: ffff889085799820 (&____s->seqcount#3){.-.-}-{0:0}, at: ___slab_alloc+0x58f/0xc00 {INITIAL USE} state was registered at: lock_acquire+0x185/0x320 kernel_init_freeable+0x391/0x1150 kernel_init+0x1f/0x220 ret_from_fork+0x736/0x8f0 ret_from_fork_asm+0x1a/0x30 irq event stamp: 56 hardirqs last enabled at (55): [<ffffffff850a68d7>] _raw_spin_unlock_irq+0x27/0x70 hardirqs last disabled at (56): [<ffffffff850858ca>] __schedule+0x2a8a/0x6630 softirqs last enabled at (0): [<ffffffff81536711>] copy_process+0x1dc1/0x6a10 softirqs last disabled at (0): [<0000000000000000>] 0x0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&____s->seqcount#3); <Interrupt> lock(&____s->seqcount#3); *** DEADLOCK *** According to Documentation/locking/seqlock.rst, seqcount_t is not NMI-safe and seqcount_latch_t should be used when read path can interrupt the write-side critical section. In this case, do not access current->mems_allowed_seq and avoid retry. | 2026-05-08 | not yet calculated | CVE-2026-43285 | https://git.kernel.org/stable/c/353dd9934447b9193643ae1afd938607a74d4915 https://git.kernel.org/stable/c/efd767ddcef0669bbd33c6a823ea0a88f06d4b29 https://git.kernel.org/stable/c/144080a5823b2dbd635acb6decf7ab23182664f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: restore failed global reservations to subpool Commit a833a693a490 ("mm: hugetlb: fix incorrect fallback for subpool") fixed an underflow error for hstate->resv_huge_pages caused by incorrectly attributing globally requested pages to the subpool's reservation. Unfortunately, this fix also introduced the opposite problem, which would leave spool->used_hpages elevated if the globally requested pages could not be acquired. This is because while a subpool's reserve pages only accounts for what is requested and allocated from the subpool, its "used" counter keeps track of what is consumed in total, both from the subpool and globally. Thus, we need to adjust spool->used_hpages in the other direction, and make sure that globally requested pages are uncharged from the subpool's used counter. Each failed allocation attempt increments the used_hpages counter by how many pages were requested from the global pool. Ultimately, this renders the subpool unusable, as used_hpages approaches the max limit. The issue can be reproduced as follows: 1. Allocate 4 hugetlb pages 2. Create a hugetlb mount with max=4, min=2 3. Consume 2 pages globally 4. Request 3 pages from the subpool (2 from subpool + 1 from global) 4.1 hugepage_subpool_get_pages(spool, 3) succeeds. used_hpages += 3 4.2 hugetlb_acct_memory(h, 1) fails: no global pages left used_hpages -= 2 5. Subpool now has used_hpages = 1, despite not being able to successfully allocate any hugepages. It believes it can now only allocate 3 more hugepages, not 4. With each failed allocation attempt incrementing the used counter, the subpool eventually reaches a point where its used counter equals its max counter. At that point, any future allocations that try to allocate hugeTLB pages from the subpool will fail, despite the subpool not having any of its hugeTLB pages consumed by any user. Once this happens, there is no way to make the subpool usable again, since there is no way to decrement the used counter as no process is really consuming the hugeTLB pages. The underflow issue that the original commit fixes still remains fixed as well. Without this fix, used_hpages would keep on leaking if hugetlb_acct_memory() fails. | 2026-05-08 | not yet calculated | CVE-2026-43286 | https://git.kernel.org/stable/c/5eac1322a7b14b8cd05ec896618278b90fba7f39 https://git.kernel.org/stable/c/f055897c975d079a90af873c791ab58cf0f6f2a5 https://git.kernel.org/stable/c/1d3f9bb4c8af70304d19c22e30f5d16a2d589bb5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm: Account property blob allocations to memcg DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized property blobs backed by kernel memory. Currently, the blob data allocation is not accounted to the allocating process's memory cgroup, allowing unprivileged users to trigger unbounded kernel memory consumption and potentially cause system-wide OOM. Mark the property blob data allocation with GFP_KERNEL_ACCOUNT so that the memory is properly charged to the caller's memcg. This ensures existing cgroup memory limits apply and prevents uncontrolled kernel memory growth without introducing additional policy or per-file limits. | 2026-05-08 | not yet calculated | CVE-2026-43287 | https://git.kernel.org/stable/c/b6117210ed349356f8e6027ff020b4d620bca42b https://git.kernel.org/stable/c/815fa29cab3c67bebb9d0b5f41145cdd3a14d04d https://git.kernel.org/stable/c/866e0c1a9e7244d58ed74853cb22b81e1900cfdd https://git.kernel.org/stable/c/bbfaa5761f589a81031b493cb01275a990d6fb25 https://git.kernel.org/stable/c/8e1664b9ee43608eb973d357ae5d858d30cbc9ca https://git.kernel.org/stable/c/cb8b9a1755fe9f38e4fb7f287486d7e7fab3dba4 https://git.kernel.org/stable/c/405fd652d8fedff219a8f48daf8f20e881e303ab https://git.kernel.org/stable/c/26b4309a3ab82a0697751cde52eb336c29c19035 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: move ext4_percpu_param_init() before ext4_mb_init() When running `kvm-xfstests -c ext4/1k -C 1 generic/383` with the `DOUBLE_CHECK` macro defined, the following panic is triggered: ================================================================== EXT4-fs error (device vdc): ext4_validate_block_bitmap:423: comm mount: bg 0: bad block bitmap checksum BUG: unable to handle page fault for address: ff110000fa2cc000 PGD 3e01067 P4D 3e02067 PUD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 2386 Comm: mount Tainted: G W 6.18.0-gba65a4e7120a-dirty #1152 PREEMPT(none) RIP: 0010:percpu_counter_add_batch+0x13/0xa0 Call Trace: <TASK> ext4_mark_group_bitmap_corrupted+0xcb/0xe0 ext4_validate_block_bitmap+0x2a1/0x2f0 ext4_read_block_bitmap+0x33/0x50 mb_group_bb_bitmap_alloc+0x33/0x80 ext4_mb_add_groupinfo+0x190/0x250 ext4_mb_init_backend+0x87/0x290 ext4_mb_init+0x456/0x640 __ext4_fill_super+0x1072/0x1680 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 vfs_cmd_create+0x59/0xe0 __do_sys_fsconfig+0x4f6/0x6b0 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== This issue can be reproduced using the following commands: mkfs.ext4 -F -q -b 1024 /dev/sda 5G tune2fs -O quota,project /dev/sda mount /dev/sda /tmp/test With DOUBLE_CHECK defined, mb_group_bb_bitmap_alloc() reads and validates the block bitmap. When the validation fails, ext4_mark_group_bitmap_corrupted() attempts to update sbi->s_freeclusters_counter. However, this percpu_counter has not been initialized yet at this point, which leads to the panic described above. Fix this by moving the execution of ext4_percpu_param_init() to occur before ext4_mb_init(), ensuring the per-CPU counters are initialized before they are used. | 2026-05-08 | not yet calculated | CVE-2026-43288 | https://git.kernel.org/stable/c/0d5fcb063cdabb9aeaa8554b7fedad2092c4150e https://git.kernel.org/stable/c/9e9fb259bcddf459a0168f4a964e979e500a68a5 https://git.kernel.org/stable/c/bf5b609524497c195f801cd5707252384aed8149 https://git.kernel.org/stable/c/aec095f3cc6cf209effd93278ce35be27db81d73 https://git.kernel.org/stable/c/270564513489d98b721a1e4a10017978d5213bff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kexec: derive purgatory entry from symbol kexec_load_purgatory() derives image->start by locating e_entry inside an SHF_EXECINSTR section. If the purgatory object contains multiple executable sections with overlapping sh_addr, the entrypoint check can match more than once and trigger a WARN. Derive the entry section from the purgatory_start symbol when present and compute image->start from its final placement. Keep the existing e_entry fallback for purgatories that do not expose the symbol. WARNING: kernel/kexec_file.c:1009 at kexec_load_purgatory+0x395/0x3c0, CPU#10: kexec/1784 Call Trace: <TASK> bzImage64_load+0x133/0xa00 __do_sys_kexec_file_load+0x2b3/0x5c0 do_syscall_64+0x81/0x610 entry_SYSCALL_64_after_hwframe+0x76/0x7e [me@linux.beauty: move helper to avoid forward declaration, per Baoquan] | 2026-05-08 | not yet calculated | CVE-2026-43289 | https://git.kernel.org/stable/c/027797595a108726f4a0a45d225f603b0ffbd22b https://git.kernel.org/stable/c/1737d37ae1d2814e6cf0a1af87af3d41f0812b95 https://git.kernel.org/stable/c/f736032c638a33a243e9126e617788f763d648f9 https://git.kernel.org/stable/c/cfccd3b8c51bc57a8a6fcb2fd30453afae5bc0d2 https://git.kernel.org/stable/c/875355152b33436907c2a6d2ffad1431fa86c62b https://git.kernel.org/stable/c/36eb314184a0ae74dd42914b47d2b9fc43be8034 https://git.kernel.org/stable/c/5226570bd252cea2e805a161cb0f75c204c3108a https://git.kernel.org/stable/c/480e1d5c64bb14441f79f2eb9421d5e26f91ea3d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during vmalloc cleanup triggers expensive stack unwinding that acquires RCU read locks. Processing a large purge_list without rescheduling can cause the task to hold CPU for extended periods (10+ seconds), leading to RCU stalls and potential OOM conditions. The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node() where iterating through hundreds or thousands of vmap_area entries and freeing their associated shadow pages causes: rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l ... task:kworker/0:17 state:R running task stack:28840 pid:6229 ... kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299 purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299 Each call to kasan_release_vmalloc() can free many pages, and with page_owner tracking, each free triggers save_stack() which performs stack unwinding under RCU read lock. Without yielding, this creates an unbounded RCU critical section. Add periodic cond_resched() calls within the loop to allow: - RCU grace periods to complete - Other tasks to run - Scheduler to preempt when needed The fix uses need_resched() for immediate response under load, with a batch count of 32 as a guaranteed upper bound to prevent worst-case stalls even under light load. | 2026-05-08 | not yet calculated | CVE-2026-43292 | https://git.kernel.org/stable/c/2efa9c02c9b4c0d6866aa445f11056809b25ca28 https://git.kernel.org/stable/c/1afe45f89d54b7183768ebbbbf14238ec187ab5c https://git.kernel.org/stable/c/b351fbe71091f7c8676c8ba597653d08b6719447 https://git.kernel.org/stable/c/5747435e0fd474c24530ef1a6822f47e7d264b27 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix kthread worker destruction in polling mode Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings during module removal. Cancel the hrtimer before destroying the kthread worker to ensure work queues are empty. In polling mode, the driver uses hrtimer to periodically trigger wave5_vpu_timer_callback() which queues work via kthread_queue_work(). The kthread_destroy_worker() function validates that both work queues are empty with WARN_ON(!list_empty(&worker->work_list)) and WARN_ON(!list_empty(&worker->delayed_work_list)). The original code called kthread_destroy_worker() before hrtimer_cancel(), creating a race condition where the timer could fire during worker destruction and queue new work, triggering the WARN_ON. This causes the following warning on every module unload in polling mode: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ... Call trace: kthread_destroy_worker+0x84/0x98 wave5_vpu_remove+0xc8/0xe0 [wave5] platform_remove+0x30/0x58 ... ---[ end trace 0000000000000000 ]--- | 2026-05-08 | not yet calculated | CVE-2026-43293 | https://git.kernel.org/stable/c/156020e889edf4593870d926d3c4a6d06baac44a https://git.kernel.org/stable/c/cc8071b1bac6568ea09d54be2d4f74dba80e17f8 https://git.kernel.org/stable/c/0c2e752688a0ee3b89993e6de6c496d863870c93 https://git.kernel.org/stable/c/5a0c122e834b2f7f029526422c71be922960bf03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm: renesas: rz-du: mipi_dsi: fix kernel panic when rebooting for some panels Since commit 56de5e305d4b ("clk: renesas: r9a07g044: Add MSTOP for RZ/G2L") we may get the following kernel panic, for some panels, when rebooting: systemd-shutdown[1]: Rebooting. Call trace: ... do_serror+0x28/0x68 el1h_64_error_handler+0x34/0x50 el1h_64_error+0x6c/0x70 rzg2l_mipi_dsi_host_transfer+0x114/0x458 (P) mipi_dsi_device_transfer+0x44/0x58 mipi_dsi_dcs_set_display_off_multi+0x9c/0xc4 ili9881c_unprepare+0x38/0x88 drm_panel_unprepare+0xbc/0x108 This happens for panels that need to send MIPI-DSI commands in their unprepare() callback. Since the MIPI-DSI interface is stopped at that point, rzg2l_mipi_dsi_host_transfer() triggers the kernel panic. Fix by moving rzg2l_mipi_dsi_stop() to new callback function rzg2l_mipi_dsi_atomic_post_disable(). With this change we now have the correct power-down/stop sequence: systemd-shutdown[1]: Rebooting. rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_disable(): entry ili9881c-dsi 10850000.dsi.0: ili9881c_unprepare(): entry rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_post_disable(): entry reboot: Restarting system | 2026-05-08 | not yet calculated | CVE-2026-43294 | https://git.kernel.org/stable/c/79f42487ed60d0d5ffce97c3bb98f80c3d17735a https://git.kernel.org/stable/c/41cda667ffc5074c56279c632b0c20024da6ecdd https://git.kernel.org/stable/c/64aa8b3a60a825134f7d866adf05c024bbe0c24c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net() When idtab allocation fails, net is not registered with rio_add_net() yet, so kfree(net) is sufficient to release the memory. Set mport->net to NULL to avoid dangling pointer. | 2026-05-08 | not yet calculated | CVE-2026-43295 | https://git.kernel.org/stable/c/83e579c2f7f6b1706323d744833b26470049dcc2 https://git.kernel.org/stable/c/34a4f233df5eef5f1f113b2196142c0568b387f8 https://git.kernel.org/stable/c/fecf292c6691970897396190855aa38826b7104e https://git.kernel.org/stable/c/649c2e853608cad0b0cba545555d168e67f094b3 https://git.kernel.org/stable/c/87272e3e70ec4b666885bd520ff77463c11444ef https://git.kernel.org/stable/c/e5a732bfe29451e16abf9c6f07ce5948b22f3d59 https://git.kernel.org/stable/c/78812c4fb7ed242d5961bf1337a49070d6487c94 https://git.kernel.org/stable/c/666183dcdd9ad3b8156a1df7f204f728f720380f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init() rga_get_frame() can return ERR_PTR(-EINVAL) when buffer type is unsupported or invalid. rga_buf_init() does not check the return value and unconditionally dereferences the pointer when accessing f->size. Add proper ERR_PTR checking and return the error to prevent dereferencing an invalid pointer. | 2026-05-08 | not yet calculated | CVE-2026-43297 | https://git.kernel.org/stable/c/5da29ade540b51763b950987bd410add7edaf3d1 https://git.kernel.org/stable/c/1af2853b4e97fd95262fdef311b2334337069bc9 https://git.kernel.org/stable/c/aa22221c5dc695a3d479e1e1b63f0c0e9eb29dbf https://git.kernel.org/stable/c/81f8e0e6a2e115df9274d0289779f8fca694479c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Skip vcn poison irq release on VF VF doesn't enable VCN poison irq in VCNv2.5. Skip releasing it and avoid call trace during deinitialization. [ 71.913601] [drm] clean up the vf2pf work item [ 71.915088] ------------[ cut here ]------------ [ 71.915092] WARNING: CPU: 3 PID: 1079 at /tmp/amd.aFkFvSQl/amd/amdgpu/amdgpu_irq.c:641 amdgpu_irq_put+0xc6/0xe0 [amdgpu] [ 71.915355] Modules linked in: amdgpu(OE-) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_display_helper cec rc_core i2c_algo_bit video wmi binfmt_misc nls_iso8859_1 intel_rapl_msr intel_rapl_common input_leds joydev serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 hid_generic crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel usbhid 8139too sha256_ssse3 sha1_ssse3 hid psmouse bochs i2c_i801 ahci drm_vram_helper libahci i2c_smbus lpc_ich drm_ttm_helper 8139cp mii ttm aesni_intel crypto_simd cryptd [ 71.915484] CPU: 3 PID: 1079 Comm: rmmod Tainted: G OE 6.8.0-87-generic #88~22.04.1-Ubuntu [ 71.915489] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.3-2.el9_5.1 04/01/2014 [ 71.915492] RIP: 0010:amdgpu_irq_put+0xc6/0xe0 [amdgpu] [ 71.915768] Code: 75 84 b8 ea ff ff ff eb d4 44 89 ea 48 89 de 4c 89 e7 e8 fd fc ff ff 5b 41 5c 41 5d 41 5e 5d 31 d2 31 f6 31 ff e9 55 30 3b c7 <0f> 0b eb d4 b8 fe ff ff ff eb a8 e9 b7 3b 8a 00 66 2e 0f 1f 84 00 [ 71.915771] RSP: 0018:ffffcf0800eafa30 EFLAGS: 00010246 [ 71.915775] RAX: 0000000000000000 RBX: ffff891bda4b0668 RCX: 0000000000000000 [ 71.915777] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 71.915779] RBP: ffffcf0800eafa50 R08: 0000000000000000 R09: 0000000000000000 [ 71.915781] R10: 0000000000000000 R11: 0000000000000000 R12: ffff891bda480000 [ 71.915782] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000 [ 71.915792] FS: 000070cff87c4c40(0000) GS:ffff893abfb80000(0000) knlGS:0000000000000000 [ 71.915795] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 71.915797] CR2: 00005fa13073e478 CR3: 000000010d634006 CR4: 0000000000770ef0 [ 71.915800] PKRU: 55555554 [ 71.915802] Call Trace: [ 71.915805] <TASK> [ 71.915809] vcn_v2_5_hw_fini+0x19e/0x1e0 [amdgpu] | 2026-05-08 | not yet calculated | CVE-2026-43298 | https://git.kernel.org/stable/c/8ee9aa80d4f1893a6699d46c403a1731548b544b https://git.kernel.org/stable/c/f1db6fc5a834c8ca9485cc0596dd7df8b8619b64 https://git.kernel.org/stable/c/8980be03b3f9a4b58197ef95d3b37efa41a25331 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure() [BUG] There is a bug report that when btrfs hits ENOSPC error in a critical path, btrfs flips RO (this part is expected, although the ENOSPC bug still needs to be addressed). The problem is after the RO flip, if there is a read repair pending, we can hit the ASSERT() inside btrfs_repair_io_failure() like the following: BTRFS info (device vdc): relocating block group 30408704 flags metadata|raid1 ------------[ cut here ]------------ BTRFS: Transaction aborted (error -28) WARNING: fs/btrfs/extent-tree.c:3235 at __btrfs_free_extent.isra.0+0x453/0xfd0, CPU#1: btrfs/383844 Modules linked in: kvm_intel kvm irqbypass [...] ---[ end trace 0000000000000000 ]--- BTRFS info (device vdc state EA): 2 enospc errors during balance BTRFS info (device vdc state EA): balance: ended with status: -30 BTRFS error (device vdc state EA): parent transid verify failed on logical 30556160 mirror 2 wanted 8 found 6 BTRFS error (device vdc state EA): bdev /dev/nvme0n1 errs: wr 0, rd 0, flush 0, corrupt 10, gen 0 [...] assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938 ------------[ cut here ]------------ assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938 kernel BUG at fs/btrfs/bio.c:938! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 868 Comm: kworker/u8:13 Tainted: G W N 6.19.0-rc6+ #4788 PREEMPT(full) Tainted: [W]=WARN, [N]=TEST Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 Workqueue: btrfs-endio simple_end_io_work RIP: 0010:btrfs_repair_io_failure.cold+0xb2/0x120 RSP: 0000:ffffc90001d2bcf0 EFLAGS: 00010246 RAX: 0000000000000051 RBX: 0000000000001000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8305cf42 RDI: 00000000ffffffff RBP: 0000000000000002 R08: 00000000fffeffff R09: ffffffff837fa988 R10: ffffffff8327a9e0 R11: 6f69747265737361 R12: ffff88813018d310 R13: ffff888168b8a000 R14: ffffc90001d2bd90 R15: ffff88810a169000 FS: 0000000000000000(0000) GS:ffff8885e752c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 ------------[ cut here ]------------ [CAUSE] The cause of -ENOSPC error during the test case btrfs/124 is still unknown, although it's known that we still have cases where metadata can be over-committed but can not be fulfilled correctly, thus if we hit such ENOSPC error inside a critical path, we have no choice but abort the current transaction. This will mark the fs read-only. The problem is inside the btrfs_repair_io_failure() path that we require the fs not to be mount read-only. This is normally fine, but if we are doing a read-repair meanwhile the fs flips RO due to a critical error, we can enter btrfs_repair_io_failure() with super block set to read-only, thus triggering the above crash. [FIX] Just replace the ASSERT() with a proper return if the fs is already read-only. | 2026-05-08 | not yet calculated | CVE-2026-43299 | https://git.kernel.org/stable/c/f6df18c001e3dcebc08482d0adeacd0cfea08593 https://git.kernel.org/stable/c/8ceaad6cd6e7fa5f73b0b2796a2e85d75d37e9f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove() In jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it may be NULL: if (!jdi) mipi_dsi_detach(dsi); However, when jdi is NULL, the function does not return and continues by calling jdi_panel_disable(): err = jdi_panel_disable(&jdi->base); Inside jdi_panel_disable(), jdi is dereferenced unconditionally, which can lead to a NULL-pointer dereference: struct jdi_panel *jdi = to_panel_jdi(panel); backlight_disable(jdi->backlight); To prevent such a potential NULL-pointer dereference, return early from jdi_panel_dsi_remove() when jdi is NULL. | 2026-05-08 | not yet calculated | CVE-2026-43300 | https://git.kernel.org/stable/c/ec2f37bbb733cdd7ed7d04171fca728a532414d5 https://git.kernel.org/stable/c/2f5427d8726b22b807beec248d7d6bf88e291e0b https://git.kernel.org/stable/c/83ce0085fabf757b039322928188ad78e962d609 https://git.kernel.org/stable/c/95eed73b871111123a8b1d31cb1fce7e902e49ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix PM runtime usage count underflow Replace pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() in the remove path to properly pair with pm_runtime_use_autosuspend() from probe. This allows pm_runtime_disable() to handle reference count cleanup correctly regardless of current suspend state. The driver calls pm_runtime_put_sync() unconditionally in remove, but the device may already be suspended due to autosuspend configured in probe. When autosuspend has already suspended the device, the usage count is 0, and pm_runtime_put_sync() decrements it to -1. This causes the following warning on module unload: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 963 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 ... vdec 30210000.video-codec: Runtime PM usage count underflow! | 2026-05-08 | not yet calculated | CVE-2026-43301 | https://git.kernel.org/stable/c/3a278a55ead50db2444c8f01410c7f5a68723990 https://git.kernel.org/stable/c/0bffda02317989f8d5cdc2d4462a4110b1290cf0 https://git.kernel.org/stable/c/9cf4452e824c1e2d41c9c0b13cc8a32a0a7dec38 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Set DMA segment size to avoid debug warnings When using V3D rendering with CONFIG_DMA_API_DEBUG enabled, the kernel occasionally reports a segment size mismatch. This is because 'max_seg_size' is not set. The kernel defaults to 64K. setting 'max_seg_size' to the maximum will prevent 'debug_dma_map_sg()' from complaining about the over-mapping of the V3D segment length. DMA-API: v3d 1002000000.v3d: mapping sg segment longer than device claims to support [len=8290304] [max=65536] WARNING: CPU: 0 PID: 493 at kernel/dma/debug.c:1179 debug_dma_map_sg+0x330/0x388 CPU: 0 UID: 0 PID: 493 Comm: Xorg Not tainted 6.12.53-yocto-standard #1 Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT) pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : debug_dma_map_sg+0x330/0x388 lr : debug_dma_map_sg+0x330/0x388 sp : ffff8000829a3ac0 x29: ffff8000829a3ac0 x28: 0000000000000001 x27: ffff8000813fe000 x26: ffffc1ffc0000000 x25: ffff00010fdeb760 x24: 0000000000000000 x23: ffff8000816a9bf0 x22: 0000000000000001 x21: 0000000000000002 x20: 0000000000000002 x19: ffff00010185e810 x18: ffffffffffffffff x17: 69766564206e6168 x16: 74207265676e6f6c x15: 20746e656d676573 x14: 20677320676e6970 x13: 5d34303334393134 x12: 0000000000000000 x11: 00000000000000c0 x10: 00000000000009c0 x9 : ffff8000800e0b7c x8 : ffff00010a315ca0 x7 : ffff8000816a5110 x6 : 0000000000000001 x5 : 000000000000002b x4 : 0000000000000002 x3 : 0000000000000008 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00010a315280 Call trace: debug_dma_map_sg+0x330/0x388 __dma_map_sg_attrs+0xc0/0x278 dma_map_sgtable+0x30/0x58 drm_gem_shmem_get_pages_sgt+0xb4/0x140 v3d_bo_create_finish+0x28/0x130 [v3d] v3d_create_bo_ioctl+0x54/0x180 [v3d] drm_ioctl_kernel+0xc8/0x140 drm_ioctl+0x2d4/0x4d8 | 2026-05-08 | not yet calculated | CVE-2026-43302 | https://git.kernel.org/stable/c/14d0d6c8b4504a60cfeea74775ab2e0164019e65 https://git.kernel.org/stable/c/225023e3619b81af6d8d0e680503fc2d68633023 https://git.kernel.org/stable/c/2663ef70c6123b2232190f917275e5c3175f97d0 https://git.kernel.org/stable/c/cf510785f74e74c54de40a43a955b7f844857487 https://git.kernel.org/stable/c/0290934d30abe7c88e18140fd5184c3f386b1e44 https://git.kernel.org/stable/c/db15f469a88d3bbeeaa9f8c9f5e74d856ba5d7d2 https://git.kernel.org/stable/c/9eb018828b1b30dfba689c060735c50fc5b9f704 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix mismatched unlock for DMUB HW lock in HWSS fast path [Why] The evaluation for whether we need to use the DMUB HW lock isn't the same as whether we need to unlock which results in a hang when the fast path is used for ASIC without FAMS support. [How] Store a flag that indicates whether we should use the lock and use that same flag to specify whether unlocking is needed. | 2026-05-08 | not yet calculated | CVE-2026-43305 | https://git.kernel.org/stable/c/4e387ad67efb100b645630ffbce7716786f52283 https://git.kernel.org/stable/c/af3303970da5ce5bfe6dffdd07f38f42aad603e0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: crypto: Use the correct destructor kfunc type With CONFIG_CFI enabled, the kernel strictly enforces that indirect function calls use a function pointer type that matches the target function. I ran into the following type mismatch when running BPF self-tests: CFI failure at bpf_obj_free_fields+0x190/0x238 (target: bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc) Internal error: Oops - CFI: 00000000f2008228 [#1] SMP ... As bpf_crypto_ctx_release() is also used in BPF programs and using a void pointer as the argument would make the verifier unhappy, add a simple stub function with the correct type and register it as the destructor kfunc instead. | 2026-05-08 | not yet calculated | CVE-2026-43306 | https://git.kernel.org/stable/c/4e3e57dbf46dad3498f8c4219ce2dba756875962 https://git.kernel.org/stable/c/50d6fd69388cc7b05dce72f09080674dcede4ac9 https://git.kernel.org/stable/c/3979a550fe06b370d73647f59cf462fa525c9ec4 https://git.kernel.org/stable/c/b40a5d724f29fc2eed23ff353808a9aae616b48a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG() on unexpected delayed ref type in run_one_delayed_ref() There is no need to BUG(), we can just return an error and log an error message. | 2026-05-08 | not yet calculated | CVE-2026-43308 | https://git.kernel.org/stable/c/5549743e11c06da23cfa7712a994b9f1e69064c6 https://git.kernel.org/stable/c/c7d1d4ff56744074e005771aff193b927392d51f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md raid: fix hang when stopping arrays with metadata through dm-raid When using device-mapper's dm-raid target, stopping a RAID array can cause the system to hang under specific conditions. This occurs when: - A dm-raid managed device tree is suspended from top to bottom (the top-level RAID device is suspended first, followed by its underlying metadata and data devices) - The top-level RAID device is then removed Removing the top-level device triggers a hang in the following sequence: the dm-raid destructor calls md_stop(), which tries to flush the write-intent bitmap by writing to the metadata sub-devices. However, these devices are already suspended, making them unable to complete the write-intent operations and causing an indefinite block. Fix: - Prevent bitmap flushing when md_stop() is called from dm-raid destructor context and avoid a quiescing/unquescing cycle which could also cause I/O - Still allow write-intent bitmap flushing when called from dm-raid suspend context This ensures that RAID array teardown can complete successfully even when the underlying devices are in a suspended state. This second patch uses md_is_rdwr() to distinguish between suspend and destructor paths as elaborated on above. | 2026-05-08 | not yet calculated | CVE-2026-43309 | https://git.kernel.org/stable/c/24783dd06de870d646c25207bae186f78195f912 https://git.kernel.org/stable/c/338378dfffbdbb8d37a18f0a0c0358812671f91e https://git.kernel.org/stable/c/cefcb9297fbdb6d94b61787b4f8d84f55b741470 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: verisilicon: Avoid G2 bus error while decoding H.264 and HEVC For the i.MX8MQ platform, there is a hardware limitation: the g1 VPU and g2 VPU cannot decode simultaneously; otherwise, it will cause below bus error and produce corrupted pictures, even potentially lead to system hang. [ 110.527986] hantro-vpu 38310000.video-codec: frame decode timed out. [ 110.583517] hantro-vpu 38310000.video-codec: bus error detected. Therefore, it is necessary to ensure that g1 and g2 operate alternately. This allows for successful multi-instance decoding of H.264 and HEVC. To achieve this, g1 and g2 share the same v4l2_m2m_dev, and then the v4l2_m2m_dev can handle the scheduling. | 2026-05-08 | not yet calculated | CVE-2026-43310 | https://git.kernel.org/stable/c/286d629d10640bc22f3bf46aa4f356eb7975e862 https://git.kernel.org/stable/c/e0203ddf9af7c8e170e1e99ce83b4dc07f0cd765 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc/tegra: pmc: Fix unsafe generic_handle_irq() call Currently, when resuming from system suspend on Tegra platforms, the following warning is observed: WARNING: CPU: 0 PID: 14459 at kernel/irq/irqdesc.c:666 Call trace: handle_irq_desc+0x20/0x58 (P) tegra186_pmc_wake_syscore_resume+0xe4/0x15c syscore_resume+0x3c/0xb8 suspend_devices_and_enter+0x510/0x540 pm_suspend+0x16c/0x1d8 The warning occurs because generic_handle_irq() is being called from a non-interrupt context which is considered as unsafe. Fix this warning by deferring generic_handle_irq() call to an IRQ work which gets executed in hard IRQ context where generic_handle_irq() can be called safely. When PREEMPT_RT kernels are used, regular IRQ work (initialized with init_irq_work) is deferred to run in per-CPU kthreads in preemptible context rather than hard IRQ context. Hence, use the IRQ_WORK_INIT_HARD variant so that with PREEMPT_RT kernels, the IRQ work is processed in hardirq context instead of being deferred to a thread which is required for calling generic_handle_irq(). On non-PREEMPT_RT kernels, both init_irq_work() and IRQ_WORK_INIT_HARD() execute in IRQ context, so this change has no functional impact for standard kernel configurations. [treding@nvidia.com: miscellaneous cleanups] | 2026-05-08 | not yet calculated | CVE-2026-43311 | https://git.kernel.org/stable/c/64016227dcdb968b7030eda04304f3d0df5d209d https://git.kernel.org/stable/c/e6d96073af681780820c94079b978474a8a44413 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Initialize subdev before controls In ov5647_init_controls() we call v4l2_get_subdevdata, but it is initialized by v4l2_i2c_subdev_init() in the probe, which currently happens after init_controls(). This can result in a segfault if the error condition is hit, and we try to access i2c_client, so fix the order. | 2026-05-08 | not yet calculated | CVE-2026-43312 | https://git.kernel.org/stable/c/f2a1998bc0053ebfe137f65081ed13afd9f34502 https://git.kernel.org/stable/c/59e372aa4cf60e2500eba7f978acdcb18bb49032 https://git.kernel.org/stable/c/cabd025182cfed4a19b3aab57493e312d681e398 https://git.kernel.org/stable/c/2dedda97a64e7735844609c6c77c0dd953d73833 https://git.kernel.org/stable/c/8ecb21c20387cc0c8aa00489a21ccc69f6b0f5d1 https://git.kernel.org/stable/c/fb69e4842f5b463ff5f121d2ac7746014e3477ea https://git.kernel.org/stable/c/eee13cbccacb6d0a3120c126b8544030905b069d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4() In acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE device and then reassigned an ISA device: dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB, ...); dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB_0, ...); If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when dev_dbg() is called: if (errata.piix4.bmisx) dev_dbg(&dev->dev, ...); To prevent this, use two temporary pointers and retrieve each device independently, avoiding overwriting dev with a possible NULL value. [ rjw: Subject adjustment, added an empty code line ] | 2026-05-08 | not yet calculated | CVE-2026-43313 | https://git.kernel.org/stable/c/06724a60cfa9767ea90b0f5d3dfb5cdd251b64f5 https://git.kernel.org/stable/c/ad86ac604f8391c0212a91412d4f764c7a85f254 https://git.kernel.org/stable/c/01e8751b37a366b1ca561add0042f2ceb18c03bf https://git.kernel.org/stable/c/b803811485ac0b2f774b6bf3abc8b999ba3b7033 https://git.kernel.org/stable/c/29f60d3d06818d40118a30d663231f027ae87a05 https://git.kernel.org/stable/c/0398b641be2b66c2fc7e0163c606ef19372e7ad5 https://git.kernel.org/stable/c/f132e089fe89cadc2098991f0a3cb05c3f824ac6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: remove fake timeout to avoid leak request Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request"), drivers are responsible for calling blk_should_fake_timeout() at appropriate code paths and opportunities. However, the dm driver does not implement its own timeout handler and relies on the timeout handling of its slave devices. If an io-timeout-fail error is injected to a dm device, the request will be leaked and never completed, causing tasks to hang indefinitely. Reproduce: 1. prepare dm which has iscsi slave device 2. inject io-timeout-fail to dm echo 1 >/sys/class/block/dm-0/io-timeout-fail echo 100 >/sys/kernel/debug/fail_io_timeout/probability echo 10 >/sys/kernel/debug/fail_io_timeout/times 3. read/write dm 4. iscsiadm -m node -u Result: hang task like below [ 862.243768] INFO: task kworker/u514:2:151 blocked for more than 122 seconds. [ 862.244133] Tainted: G E 6.19.0-rc1+ #51 [ 862.244337] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 862.244718] task:kworker/u514:2 state:D stack:0 pid:151 tgid:151 ppid:2 task_flags:0x4288060 flags:0x00080000 [ 862.245024] Workqueue: iscsi_ctrl_3:1 __iscsi_unbind_session [scsi_transport_iscsi] [ 862.245264] Call Trace: [ 862.245587] <TASK> [ 862.245814] __schedule+0x810/0x15c0 [ 862.246557] schedule+0x69/0x180 [ 862.246760] blk_mq_freeze_queue_wait+0xde/0x120 [ 862.247688] elevator_change+0x16d/0x460 [ 862.247893] elevator_set_none+0x87/0xf0 [ 862.248798] blk_unregister_queue+0x12e/0x2a0 [ 862.248995] __del_gendisk+0x231/0x7e0 [ 862.250143] del_gendisk+0x12f/0x1d0 [ 862.250339] sd_remove+0x85/0x130 [sd_mod] [ 862.250650] device_release_driver_internal+0x36d/0x530 [ 862.250849] bus_remove_device+0x1dd/0x3f0 [ 862.251042] device_del+0x38a/0x930 [ 862.252095] __scsi_remove_device+0x293/0x360 [ 862.252291] scsi_remove_target+0x486/0x760 [ 862.252654] __iscsi_unbind_session+0x18a/0x3e0 [scsi_transport_iscsi] [ 862.252886] process_one_work+0x633/0xe50 [ 862.253101] worker_thread+0x6df/0xf10 [ 862.253647] kthread+0x36d/0x720 [ 862.254533] ret_from_fork+0x2a6/0x470 [ 862.255852] ret_from_fork_asm+0x1a/0x30 [ 862.256037] </TASK> Remove the blk_should_fake_timeout() check from dm, as dm has no native timeout handling and should not attempt to fake timeouts. | 2026-05-08 | not yet calculated | CVE-2026-43314 | https://git.kernel.org/stable/c/ece6720de9403260088209b0b92d45e0b49ff856 https://git.kernel.org/stable/c/8200fca818c1e2f65bc6cb16d934ff6049302197 https://git.kernel.org/stable/c/b307b6307f6459841312432bd4bc9519cbac97f5 https://git.kernel.org/stable/c/4f9e7ca933a9fbf9912a384b061a00c77332cbf0 https://git.kernel.org/stable/c/cf2d06c9fd4b6521ea5b7f73c99c64c2c6f5e224 https://git.kernel.org/stable/c/6cdb21e0c9fdee484feba14fc9e72e9d07daf9f3 https://git.kernel.org/stable/c/c8a23d4c995ef4227bd4de64cd3910637ee6162e https://git.kernel.org/stable/c/f3a9c95a15d2f4466acad5c68faeff79ca5e9f47 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding Drop the WARN in svm_set_nested_state() on nested_svm_load_cr3() failing as it is trivially easy to trigger from userspace by modifying CPUID after loading CR3. E.g. modifying the state restoration selftest like so: --- tools/testing/selftests/kvm/x86/state_test.c +++ tools/testing/selftests/kvm/x86/state_test.c @@ -280,7 +280,16 @@ int main(int argc, char *argv[]) /* Restore state in a new VM. */ vcpu = vm_recreate_with_one_vcpu(vm); - vcpu_load_state(vcpu, state); + + if (stage == 4) { + state->sregs.cr3 = BIT(44); + vcpu_load_state(vcpu, state); + + vcpu_set_cpuid_property(vcpu, X86_PROPERTY_MAX_PHY_ADDR, 36); + __vcpu_nested_state_set(vcpu, &state->nested); + } else { + vcpu_load_state(vcpu, state); + } /* * Restore XSAVE state in a dummy vCPU, first without doing generates: WARNING: CPU: 30 PID: 938 at arch/x86/kvm/svm/nested.c:1877 svm_set_nested_state+0x34a/0x360 [kvm_amd] Modules linked in: kvm_amd kvm irqbypass [last unloaded: kvm] CPU: 30 UID: 1000 PID: 938 Comm: state_test Tainted: G W 6.18.0-rc7-58e10b63777d-next-vm Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:svm_set_nested_state+0x34a/0x360 [kvm_amd] Call Trace: <TASK> kvm_arch_vcpu_ioctl+0xf33/0x1700 [kvm] kvm_vcpu_ioctl+0x4e6/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x61/0xad0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Simply delete the WARN instead of trying to prevent userspace from shoving "illegal" state into CR3. For better or worse, KVM's ABI allows userspace to set CPUID after SREGS, and vice versa, and KVM is very permissive when it comes to guest CPUID. I.e. attempting to enforce the virtual CPU model when setting CPUID could break userspace. Given that the WARN doesn't provide any meaningful protection for KVM or benefit for userspace, simply drop it even though the odds of breaking userspace are minuscule. Opportunistically delete a spurious newline. | 2026-05-08 | not yet calculated | CVE-2026-43315 | https://git.kernel.org/stable/c/155ec243ef726f4bc49536fa0bfb565dc011ab17 https://git.kernel.org/stable/c/580ea57840864d40e019bc13fd26afdc8d510a2f https://git.kernel.org/stable/c/deb8f6dfd31d94b18dbeeaa8c01fbec5fc70fd2b https://git.kernel.org/stable/c/ce904c8a5bbe697eae0f7e34b07095bd7a6dee19 https://git.kernel.org/stable/c/969e5e13ff5c18603f21d1f9f64ec9194e141ac0 https://git.kernel.org/stable/c/ebb2ab4f1c87d6b52776292cf7dc16aea48e95f8 https://git.kernel.org/stable/c/fc3ba56385d03501eb582e4b86691ba378e556f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: solo6x10: Check for out of bounds chip_id Clang with CONFIG_UBSAN_SHIFT=y noticed a condition where a signed type (literal "1" is an "int") could end up being shifted beyond 32 bits, so instrumentation was added (and due to the double is_tw286x() call seen via inlining), Clang decides the second one must now be undefined behavior and elides the rest of the function[1]. This is a known problem with Clang (that is still being worked on), but we can avoid the entire problem by actually checking the existing max chip ID, and now there is no runtime instrumentation added at all since everything is known to be within bounds. Additionally use an unsigned value for the shift to remove the instrumentation even without the explicit bounds checking. [hverkuil: fix checkpatch warning for is_tw286x] | 2026-05-08 | not yet calculated | CVE-2026-43316 | https://git.kernel.org/stable/c/c327192ca26670cf6e588c1eeda66cd2fa97630e https://git.kernel.org/stable/c/0b3dadada2417782a63ce32dae05bafe1c949e3f https://git.kernel.org/stable/c/603e3859393ee2ce91393b7d05e6e56e4b66e5cd https://git.kernel.org/stable/c/33af366211ee78e3b074ff44a16121e537e86826 https://git.kernel.org/stable/c/5849ae68d7b8b6ad55cc1bf0d227dd2ae6362528 https://git.kernel.org/stable/c/d29f33b2cf98e4901cd5457d1ee34062e808df73 https://git.kernel.org/stable/c/4d6db0c6bbbfd8d7bbdbf7ab6a9c003752abf116 https://git.kernel.org/stable/c/0fdf6323c35a134f206dcad5babb4ff488552076 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: most: core: fix leak on early registration failure A recent commit fixed a resource leak on early registration failures but for some reason left out the first error path which still leaks the resources associated with the interface. Fix up also the first error path so that the interface is always released on errors. | 2026-05-08 | not yet calculated | CVE-2026-43317 | https://git.kernel.org/stable/c/bbfe49ffb892bddf32c34bea95b7ff0fc30affb5 https://git.kernel.org/stable/c/f1ba620f9e8d7291f80c0554e4b820f5fb30e819 https://git.kernel.org/stable/c/5fd4396c2e48e90cc2597a86c18227d56ea845f0 https://git.kernel.org/stable/c/2c198c272f9c9213b0fdf6b4a879f445c574f416 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify Invalidating a dmabuf will impact other users of the shared BO. In the scenario where process A moves the BO, it needs to inform process B about the move and process B will need to update its page table. The commit fixes a synchronisation bug caused by the use of the ticket: it made amdgpu_vm_handle_moved behave as if updating the page table immediately was correct but in this case it's not. An example is the following scenario, with 2 GPUs and glxgears running on GPU0 and Xorg running on GPU1, on a system where P2P PCI isn't supported: glxgears: export linear buffer from GPU0 and import using GPU1 submit frame rendering to GPU0 submit tiled->linear blit Xorg: copy of linear buffer The sequence of jobs would be: drm_sched_job_run # GPU0, frame rendering drm_sched_job_queue # GPU0, blit drm_sched_job_done # GPU0, frame rendering drm_sched_job_run # GPU0, blit move linear buffer for GPU1 access # amdgpu_dma_buf_move_notify -> update pt # GPU0 It this point the blit job on GPU0 is still running and would likely produce a page fault. | 2026-05-08 | not yet calculated | CVE-2026-43318 | https://git.kernel.org/stable/c/82a7ea35a1526bef8ae170c33ff80e5db7728961 https://git.kernel.org/stable/c/89a9389ad70d3c69538e59d87df67d407aef4c26 https://git.kernel.org/stable/c/3307459eb3583115264421e859858d1f90f3694a https://git.kernel.org/stable/c/b18fc0ab837381c1a6ef28386602cd888f2d9edf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: spidev: fix lock inversion between spi_lock and buf_lock The spidev driver previously used two mutexes, spi_lock and buf_lock, but acquired them in different orders depending on the code path: write()/read(): buf_lock -> spi_lock ioctl(): spi_lock -> buf_lock This AB-BA locking pattern triggers lockdep warnings and can cause real deadlocks: WARNING: possible circular locking dependency detected spidev_ioctl() -> mutex_lock(&spidev->buf_lock) spidev_sync_write() -> mutex_lock(&spidev->spi_lock) *** DEADLOCK *** The issue is reproducible with a simple userspace program that performs write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from separate threads on the same spidev file descriptor. Fix this by simplifying the locking model and removing the lock inversion entirely. spidev_sync() no longer performs any locking, and all callers serialize access using spi_lock. buf_lock is removed since its functionality is fully covered by spi_lock, eliminating the possibility of lock ordering issues. This removes the lock inversion and prevents deadlocks without changing userspace ABI or behaviour. | 2026-05-08 | not yet calculated | CVE-2026-43319 | https://git.kernel.org/stable/c/f8431b8672231d378b03176fe74c95adfd3522cf https://git.kernel.org/stable/c/e341e18215030af2136836b78508e0d798916df7 https://git.kernel.org/stable/c/41ccfac7d302968a4f32b5f7b012d066c5f5cdf8 https://git.kernel.org/stable/c/40534d19ed2afb880ecf202dab26a8e7a5808d16 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dsc eDP issue [why] Need to add function hook check before use | 2026-05-08 | not yet calculated | CVE-2026-43320 | https://git.kernel.org/stable/c/11718976c53a258c4d107aa05d68773379d0006f https://git.kernel.org/stable/c/c10fe9471f3aa352bb9d9329d0b25e28e0672243 https://git.kernel.org/stable/c/0481be9f12d8324789ccebf1e5fd0704b6e3fc99 https://git.kernel.org/stable/c/878a4b73c11111ff5f820730f59a7f8c6fd59374 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix zero_vruntime tracking fix John reported that stress-ng-yield could make his machine unhappy and managed to bisect it to commit b3d99f43c72b ("sched/fair: Fix zero_vruntime tracking"). The combination of yield and that commit was specific enough to hypothesize the following scenario: Suppose we have 2 runnable tasks, both doing yield. Then one will be eligible and one will not be, because the average position must be in between these two entities. Therefore, the runnable task will be eligible, and be promoted a full slice (all the tasks do is yield after all). This causes it to jump over the other task and now the other task is eligible and current is no longer. So we schedule. Since we are runnable, there is no {de,en}queue. All we have is the __{en,de}queue_entity() from {put_prev,set_next}_task(). But per the fingered commit, those two no longer move zero_vruntime. All that moves zero_vruntime are tick and full {de,en}queue. This means, that if the two tasks playing leapfrog can reach the critical speed to reach the overflow point inside one tick's worth of time, we're up a creek. Additionally, when multiple cgroups are involved, there is no guarantee the tick will in fact hit every cgroup in a timely manner. Statistically speaking it will, but that same statistics does not rule out the possibility of one cgroup not getting a tick for a significant amount of time -- however unlikely. Therefore, just like with the yield() case, force an update at the end of every slice. This ensures the update is never more than a single slice behind and the whole thing is within 2 lag bounds as per the comment on entity_key(). | 2026-05-08 | not yet calculated | CVE-2026-43323 | https://git.kernel.org/stable/c/c089147074ed96ff4330739a0559394c19a3dfc8 https://git.kernel.org/stable/c/87573883c30f1a8555ff720836bb6ea231058539 https://git.kernel.org/stable/c/fb61ffb3fb30a161eb5404c27fc7635e275beafd https://git.kernel.org/stable/c/1319ea57529e131822bab56bf417c8edc2db9ae8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't send a 6E related command when not supported MCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if the device doesn't support 6E. Apparently, the firmware is mistakenly advertising support for this command even on AX201 which does not support 6E and then the firmware crashes. | 2026-05-08 | not yet calculated | CVE-2026-43325 | https://git.kernel.org/stable/c/c0b3fa5e0eaecd38e6a9f8f78e86f468fbde719a https://git.kernel.org/stable/c/6607d0e58ceca997816122568ce54db9e134edab https://git.kernel.org/stable/c/323156c3541e23da7e582008a7ac30cd51b60acd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix SCX_KICK_WAIT deadlock by deferring wait to balance callback SCX_KICK_WAIT busy-waits in kick_cpus_irq_workfn() using smp_cond_load_acquire() until the target CPU's kick_sync advances. Because the irq_work runs in hardirq context, the waiting CPU cannot reschedule and its own kick_sync never advances. If multiple CPUs form a wait cycle, all CPUs deadlock. Replace the busy-wait in kick_cpus_irq_workfn() with resched_curr() to force the CPU through do_pick_task_scx(), which queues a balance callback to perform the wait. The balance callback drops the rq lock and enables IRQs following the sched_core_balance() pattern, so the CPU can process IPIs while waiting. The local CPU's kick_sync is advanced on entry to do_pick_task_scx() and continuously during the wait, ensuring any CPU that starts waiting for us sees the advancement and cannot form cyclic dependencies. | 2026-05-08 | not yet calculated | CVE-2026-43326 | https://git.kernel.org/stable/c/c3a7903f65cf4c7fb0477eb0f8b94f326a47fe54 https://git.kernel.org/stable/c/415cb193bb9736f0e830286c72a6fa8eb2a9cc5c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix locking/synchronization error Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind. These sorts of races were not supposed to be possible; commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), along with a few followup commits, was written specifically to prevent them. As it turns out, there are (at least) two errors remaining in the code. Another patch will address the second error; this one is concerned with the first. The error responsible for the syzbot crash occurred because the stop_activity() routine will sometimes drop and then re-acquire the dum->lock spinlock. A call to stop_activity() occurs in set_link_state() when handling an emulated USB reset, after the test of dum->ints_enabled and before the increment of dum->callback_usage. This allowed another thread (doing a driver unbind) to sneak in and grab the spinlock, and then clear dum->ints_enabled and dum->driver. Normally this other thread would have to wait for dum->callback_usage to go down to 0 before it would clear dum->driver, but in this case it didn't have to wait since dum->callback_usage had not yet been incremented. The fix is to increment dum->callback_usage _before_ calling stop_activity() instead of after. Then the thread doing the unbind will not clear dum->driver until after the call to usb_gadget_udc_reset() safely returns and dum->callback_usage has been decremented again. | 2026-05-08 | not yet calculated | CVE-2026-43327 | https://git.kernel.org/stable/c/6350c7dd33ab481ef41c931a238361490c32d15c https://git.kernel.org/stable/c/cc97fb5969177cccce2e23b31298df220fc7570d https://git.kernel.org/stable/c/218886b2ef2dea7627d3700ab0abaf4bf9d1161f https://git.kernel.org/stable/c/791966f85b439b261bf19865cf1c07c065ffb4b4 https://git.kernel.org/stable/c/805b1833d6ed6da5086e610578a28e71bb54fbbb https://git.kernel.org/stable/c/efbd9441f1e769a7aae1813d497cec09cbdff031 https://git.kernel.org/stable/c/69ab97a693251d6a6093e630060a3c744fd58524 https://git.kernel.org/stable/c/616a63ff495df12863692ab3f9f7b84e3fa7a66d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->init() failure path, but after kobject_init_and_add() has been called, let kobject_put() handle the cleanup through cpufreq_dbs_data_release(). | 2026-05-08 | not yet calculated | CVE-2026-43328 | https://git.kernel.org/stable/c/56bc91ee78babe9578585a2bc137abc4b3115ff3 https://git.kernel.org/stable/c/019ea28629720c220daedf38107c8787f330dc05 https://git.kernel.org/stable/c/da39ee627fd82b52068d4d5f115749a8b7d271f9 https://git.kernel.org/stable/c/427d048e4f6acbfa01b5a8062449fe0ee8987c0d https://git.kernel.org/stable/c/d2703b4f8fb7cc6f0dfdb2dc2359cc46189e7357 https://git.kernel.org/stable/c/3bf9d023d2329a0e5379f2fd09d06ef09729cd9d https://git.kernel.org/stable/c/6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Disable KCOV instrumentation after load_segments() The load_segments() function changes segment registers, invalidating GS base (which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins crashing the kernel in an endless loop. To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented kernel: $ kexec -l /boot/otherKernel $ kexec -e The real-world context for this problem is enabling crash dump collection in syzkaller. For this, the tool loads a panic kernel before fuzzing and then calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC and CONFIG_KCOV to be enabled simultaneously. Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc()) is also undesirable as it would introduce an extra performance overhead. Disabling instrumentation for the individual functions would be too fragile, so disable KCOV instrumentation for the entire machine_kexec_64.c and physaddr.c. If coverage-guided fuzzing ever needs these components in the future, other approaches should be considered. The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported there. [ bp: Space out comment for better readability. ] | 2026-05-08 | not yet calculated | CVE-2026-43331 | https://git.kernel.org/stable/c/1e3e98596c2769721ade0418434852fb3af4849a https://git.kernel.org/stable/c/de05c66fab8847237a9ca216934e56d3ee837f08 https://git.kernel.org/stable/c/917e3ad3321e75ca0223d5ccf26ceda116aa51e1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: reject direct access to nullable PTR_TO_BUF pointers check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check. Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference. Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern. | 2026-05-08 | not yet calculated | CVE-2026-43333 | https://git.kernel.org/stable/c/10bc4a4dcded509c5d5c67d497900c3922c604cd https://git.kernel.org/stable/c/21a10c06ffae24cb01fd174a7ab7736001d2ea56 https://git.kernel.org/stable/c/8755066f7bd0f4ac46a29d1708c7b20894539252 https://git.kernel.org/stable/c/70abd9d118da2f56beb4ec22e3a29becae373535 https://git.kernel.org/stable/c/63276547debc4d8a73eefb2c5273b2a905c961b0 https://git.kernel.org/stable/c/4f6c99dc0420f1a3d671c1b8ab8a7ac84d9cba09 https://git.kernel.org/stable/c/b0db1accbc7395657c2b79db59fa9fae0d6656f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: interconnect: qcom: sm8450: Fix NULL pointer dereference in icc_link_nodes() The change to dynamic IDs for SM8450 platform interconnects left two links unconverted, fix it to avoid the NULL pointer dereference in runtime, when a pointer to a destination interconnect is not valid: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 <...> Call trace: icc_link_nodes+0x3c/0x100 (P) qcom_icc_rpmh_probe+0x1b4/0x528 platform_probe+0x64/0xc0 really_probe+0xc4/0x2a8 __driver_probe_device+0x80/0x140 driver_probe_device+0x48/0x170 __device_attach_driver+0xc0/0x148 bus_for_each_drv+0x88/0xf0 __device_attach+0xb0/0x1c0 device_initial_probe+0x58/0x68 bus_probe_device+0x40/0xb8 deferred_probe_work_func+0x90/0xd0 process_one_work+0x15c/0x3c0 worker_thread+0x2e8/0x400 kthread+0x150/0x208 ret_from_fork+0x10/0x20 Code: 900310f4 911d6294 91008280 94176078 (f94002a0) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception | 2026-05-08 | not yet calculated | CVE-2026-43335 | https://git.kernel.org/stable/c/77d22bf3fc5d1bcdee035979b07840c9c2ece8f2 https://git.kernel.org/stable/c/dbbd550d7c8d90d3af9fe8a12a9caff077ddb8e3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw() dcn401_init_hw() assumes that update_bw_bounding_box() is valid when entering the update path. However, the existing condition: ((!fams2_enable && update_bw_bounding_box) || freq_changed) does not guarantee this, as the freq_changed branch can evaluate to true independently of the callback pointer. This can result in calling update_bw_bounding_box() when it is NULL. Fix this by separating the update condition from the pointer checks and ensuring the callback, dc->clk_mgr, and bw_params are validated before use. Fixes the below: ../dc/hwss/dcn401/dcn401_hwseq.c:367 dcn401_init_hw() error: we previously assumed 'dc->res_pool->funcs->update_bw_bounding_box' could be null (see line 362) (cherry picked from commit 86117c5ab42f21562fedb0a64bffea3ee5fcd477) | 2026-05-08 | not yet calculated | CVE-2026-43337 | https://git.kernel.org/stable/c/10c13c111d0d7f8e101c742feff264fc98e3f9f7 https://git.kernel.org/stable/c/2d4a6f0702c5211e0be8b688c5fc24f082ec74d6 https://git.kernel.org/stable/c/e927b36ae18b66b49219eaa9f46edc7b4fdbb25e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: reserve enough transaction items for qgroup ioctls Currently our qgroup ioctls don't reserve any space, they just do a transaction join, which does not reserve any space, neither for the quota tree updates nor for the delayed refs generated when updating the quota tree. The quota root uses the global block reserve, which is fine most of the time since we don't expect a lot of updates to the quota root, or to be too close to -ENOSPC such that other critical metadata updates need to resort to the global reserve. However this is not optimal, as not reserving proper space may result in a transaction abort due to not reserving space for delayed refs and then abusing the use of the global block reserve. For example, the following reproducer (which is unlikely to model any real world use case, but just to illustrate the problem), triggers such a transaction abort due to -ENOSPC when running delayed refs: $ cat test.sh #!/bin/bash DEV=/dev/nullb0 MNT=/mnt/nullb0 umount $DEV &> /dev/null # Limit device to 1G so that it's much faster to reproduce the issue. mkfs.btrfs -f -b 1G $DEV mount -o commit=600 $DEV $MNT fallocate -l 800M $MNT/filler btrfs quota enable $MNT for ((i = 1; i <= 400000; i++)); do btrfs qgroup create 1/$i $MNT done umount $MNT When running this, we can see in dmesg/syslog that a transaction abort happened: [436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28 [436.493] ------------[ cut here ]------------ [436.494] BTRFS: Transaction aborted (error -28) [436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372 [436.497] Modules linked in: btrfs loop (...) [436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) [436.510] Tainted: [W]=WARN [436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs] [436.514] Code: 0f 82 ea (...) [436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292 [436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001 [436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80 [436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867 [436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400 [436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000 [436.526] FS: 00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000 [436.527] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0 [436.530] Call Trace: [436.530] <TASK> [436.530] btrfs_commit_transaction+0x73/0xc00 [btrfs] [436.531] ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs] [436.532] sync_filesystem+0x7a/0x90 [436.533] generic_shutdown_super+0x28/0x180 [436.533] kill_anon_super+0x12/0x40 [436.534] btrfs_kill_super+0x12/0x20 [btrfs] [436.534] deactivate_locked_super+0x2f/0xb0 [436.534] cleanup_mnt+0xea/0x180 [436.535] task_work_run+0x58/0xa0 [436.535] exit_to_user_mode_loop+0xed/0x480 [436.536] ? __x64_sys_umount+0x68/0x80 [436.536] do_syscall_64+0x2a5/0xf20 [436.537] entry_SYSCALL_64_after_hwframe+0x76/0x7e [436.537] RIP: 0033:0x7fe5906b6217 [436.538] Code: 0d 00 f7 (...) [436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217 [436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100 [436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff [436.544] R10: 0000000000000103 R11: ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43338 | https://git.kernel.org/stable/c/bb6eb33c908edbbb4d92abdc0c6c87f21b4952e8 https://git.kernel.org/stable/c/cf930a651eef6f8d915bf0ccd60c2045974f870c https://git.kernel.org/stable/c/386f5e16a383101a68e195c806b4eedb233cd1d3 https://git.kernel.org/stable/c/f9a4e3015db1aeafbef407650eb8555445ca943e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: Reinit dev->spinlock between attachments to low-level drivers `struct comedi_device` is the main controlling structure for a COMEDI device created by the COMEDI subsystem. It contains a member `spinlock` containing a spin-lock that is initialized by the COMEDI subsystem, but is reserved for use by a low-level driver attached to the COMEDI device (at least since commit 25436dc9d84f ("Staging: comedi: remove RT code")). Some COMEDI devices (those created on initialization of the COMEDI subsystem when the "comedi.comedi_num_legacy_minors" parameter is non-zero) can be attached to different low-level drivers over their lifetime using the `COMEDI_DEVCONFIG` ioctl command. This can result in inconsistent lock states being reported when there is a mismatch in the spin-lock locking levels used by each low-level driver to which the COMEDI device has been attached. Fix it by reinitializing `dev->spinlock` before calling the low-level driver's `attach` function pointer if `CONFIG_LOCKDEP` is enabled. | 2026-05-08 | not yet calculated | CVE-2026-43340 | https://git.kernel.org/stable/c/3181c34b415c5464be9d34bff3e43ef63b747039 https://git.kernel.org/stable/c/2b1f49e4fdff3ef0f8e9158bbb5b149e06287560 https://git.kernel.org/stable/c/4d5ffe524903a30e2e0da7d16841a56bec2de55c https://git.kernel.org/stable/c/c01bcc67a9a692d65508ebd480405b5e77d562b7 https://git.kernel.org/stable/c/430291d8f3884f57ae0057049b0ca291453e29e1 https://git.kernel.org/stable/c/b89c026227712c367950bbae055a5b31073d3b30 https://git.kernel.org/stable/c/83134a7a176ce5b4b19b6edecf4360e8d98d1a5a https://git.kernel.org/stable/c/4b9a9a6d71e3e252032f959fb3895a33acb5865c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Protect RNDIS options with mutex The class/subclass/protocol options are suspectible to race conditions as they can be accessed concurrently through configfs. Use existing mutex to protect these options. This issue was identified during code inspection. | 2026-05-08 | not yet calculated | CVE-2026-43342 | https://git.kernel.org/stable/c/0a75d97c53477a59c0aa1c65f69038c719f9c5b8 https://git.kernel.org/stable/c/c1b3d5b0acb194efe20fc5864ee03439fa7bd45c https://git.kernel.org/stable/c/65b7dbf80a1627667c241fff7c1c224f3118014f https://git.kernel.org/stable/c/cb5316b37288ab8791584e32f114c4f41ad45b67 https://git.kernel.org/stable/c/7d8fa3b8783ab95a46e20d97fbeeede719b2efda https://git.kernel.org/stable/c/446f1842cda929c40d4697722bfdcfb334bc9692 https://git.kernel.org/stable/c/209decd3f7901df9842b83f2540dc8685e344a07 https://git.kernel.org/stable/c/8d8c68b1fc06ece60cf43e1306ff0f4ac121547e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_subset: Fix unbalanced refcnt in geth_free geth_alloc() increments the reference count, but geth_free() fails to decrement it. This prevents the configuration of attributes via configfs after unlinking the function. Decrement the reference count in geth_free() to ensure proper cleanup. | 2026-05-08 | not yet calculated | CVE-2026-43343 | https://git.kernel.org/stable/c/a932b171554714b1bca313b853c7aa9f2930f9aa https://git.kernel.org/stable/c/d7d702407b61e96286a15b6e715572f541a8d41c https://git.kernel.org/stable/c/3f5bfc550a40d7493b1cf09540ed6b412b3b82be https://git.kernel.org/stable/c/75776a055b656873319c3830fed471daef3ceb23 https://git.kernel.org/stable/c/cc8ec610cd14c093a19371691a7ce1ee5421e829 https://git.kernel.org/stable/c/3d436670b47415da042452618fb5d8e317ab095f https://git.kernel.org/stable/c/23e4851ce348a329d974e84e828155dda9f52122 https://git.kernel.org/stable/c/caa27923aacd8a5869207842f2ab1657c6c0c7bc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix die ID init and look up bugs In snbep_pci2phy_map_init(), in the nr_node_ids > 8 path, uncore_device_to_die() may return -1 when all CPUs associated with the UBOX device are offline. Remove the WARN_ON_ONCE(die_id == -1) check for two reasons: - The current code breaks out of the loop. This is incorrect because pci_get_device() does not guarantee iteration in domain or bus order, so additional UBOX devices may be skipped during the scan. - Returning -EINVAL is incorrect, since marking offline buses with die_id == -1 is expected and should not be treated as an error. Separately, when NUMA is disabled on a NUMA-capable platform, pcibus_to_node() returns NUMA_NO_NODE, causing uncore_device_to_die() to return -1 for all PCI devices. As a result, spr_update_device_location(), used on Intel SPR and EMR, ignores the corresponding PMON units and does not add them to the RB tree. Fix this by using uncore_pcibus_to_dieid(), which retrieves topology from the UBOX GIDNIDMAP register and works regardless of whether NUMA is enabled in Linux. This requires snbep_pci2phy_map_init() to be added in spr_uncore_pci_init(). Keep uncore_device_to_die() only for the nr_node_ids > 8 case, where NUMA is expected to be enabled. | 2026-05-08 | not yet calculated | CVE-2026-43344 | https://git.kernel.org/stable/c/6a5dc3ee97581da2907fc7acd62853f07184de67 https://git.kernel.org/stable/c/a16d1ec4dd0cdcf689f324adde6067083bce9099 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: ptp: don't WARN when controlling PF is unavailable In VFIO passthrough setups, it is possible to pass through only a PF which doesn't own the source timer. In that case the PTP controlling PF (adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp() returns NULL and triggers WARN_ON() in ice_ptp_setup_pf(). Since this is an expected behavior in that configuration, replace WARN_ON() with an informational message and return -EOPNOTSUPP. | 2026-05-08 | not yet calculated | CVE-2026-43346 | https://git.kernel.org/stable/c/e19675b384e9dcaca1bd5e4a67b8ad136eccfbe8 https://git.kernel.org/stable/c/c73f365707d3b1b78b7d16e1f029020d1ae50d0f https://git.kernel.org/stable/c/bb3f21edc7056cdf44a7f7bd7ba65af40741838c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER When registering VTL0 memory via MSHV_ADD_VTL0_MEMORY, the kernel computes pgmap->vmemmap_shift as the number of trailing zeros in the OR of start_pfn and last_pfn, intending to use the largest compound page order both endpoints are aligned to. However, this value is not clamped to MAX_FOLIO_ORDER, so a sufficiently aligned range (e.g. physical range [0x800000000000, 0x800080000000), corresponding to start_pfn=0x800000000 with 35 trailing zeros) can produce a shift larger than what memremap_pages() accepts, triggering a WARN and returning -EINVAL: WARNING: ... memremap_pages+0x512/0x650 requested folio size unsupported The MAX_FOLIO_ORDER check was added by commit 646b67d57589 ("mm/memremap: reject unreasonable folio/compound page sizes in memremap_pages()"). Fix this by clamping vmemmap_shift to MAX_FOLIO_ORDER so we always request the largest order the kernel supports, in those cases, rather than an out-of-range value. Also fix the error path to propagate the actual error code from devm_memremap_pages() instead of hard-coding -EFAULT, which was masking the real -EINVAL return. | 2026-05-08 | not yet calculated | CVE-2026-43348 | https://git.kernel.org/stable/c/a142ca4b6481e71498712800b20e0c0fcf02843b https://git.kernel.org/stable/c/404cd6bffe17e25e0f94ed2775ffdd6cd10ac3fd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer syzbot reported a f2fs bug as below: BUG: KMSAN: uninit-value in f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520 f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520 f2fs_finish_read_bio+0xe1e/0x1d60 fs/f2fs/data.c:177 f2fs_read_end_io+0x6ab/0x2220 fs/f2fs/data.c:-1 bio_endio+0x1006/0x1160 block/bio.c:1792 submit_bio_noacct+0x533/0x2960 block/blk-core.c:891 submit_bio+0x57a/0x620 block/blk-core.c:926 blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline] f2fs_submit_read_bio+0x12c/0x360 fs/f2fs/data.c:557 f2fs_submit_page_bio+0xee2/0x1450 fs/f2fs/data.c:775 read_node_folio+0x384/0x4b0 fs/f2fs/node.c:1481 __get_node_folio+0x5db/0x15d0 fs/f2fs/node.c:1576 f2fs_get_inode_folio+0x40/0x50 fs/f2fs/node.c:1623 do_read_inode fs/f2fs/inode.c:425 [inline] f2fs_iget+0x1209/0x9380 fs/f2fs/inode.c:596 f2fs_fill_super+0x8f5a/0xb2e0 fs/f2fs/super.c:5184 get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694 get_tree_bdev+0x38/0x50 fs/super.c:1717 f2fs_get_tree+0x35/0x40 fs/f2fs/super.c:5436 vfs_get_tree+0xb3/0x5d0 fs/super.c:1754 fc_mount fs/namespace.c:1193 [inline] do_new_mount_fc fs/namespace.c:3763 [inline] do_new_mount+0x885/0x1dd0 fs/namespace.c:3839 path_mount+0x7a2/0x20b0 fs/namespace.c:4159 do_mount fs/namespace.c:4172 [inline] __do_sys_mount fs/namespace.c:4361 [inline] __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4338 x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The root cause is: in f2fs_finish_read_bio(), we may access uninit data in folio if we failed to read the data from device into folio, let's add a check condition to avoid such issue. | 2026-05-08 | not yet calculated | CVE-2026-43349 | https://git.kernel.org/stable/c/59970b2586fef4b13e96527b9d232bed30b640cd https://git.kernel.org/stable/c/a10b89343d41ceee1af0ec38d3a74e526c77fa09 https://git.kernel.org/stable/c/7b9161a605e91d0987e2596a245dc1f21621b23f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Eagerly init vgic dist/redist on vgic creation If vgic_allocate_private_irqs_locked() fails for any odd reason, we exit kvm_vgic_create() early, leaving dist->rd_regions uninitialised. kvm_vgic_dist_destroy() then comes along and walks into the weeds trying to free the RDs. Got to love this stuff. Solve it by moving all the static initialisation early, and make sure that if we fail halfway, we're in a reasonable shape to perform the rest of the teardown. While at it, reset the vgic model on failure, just in case... | 2026-05-08 | not yet calculated | CVE-2026-43351 | https://git.kernel.org/stable/c/b7493f48c3dba75674a4ee505b4afa8fe5102457 https://git.kernel.org/stable/c/a24f1d80fbcdbf8b2a7044a00fa12b3972b4c31c https://git.kernel.org/stable/c/ac6769c8f948dff33265c50e524aebf9aa6f1be0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: proximity: hx9023s: Protect against division by zero in set_samp_freq Avoid division by zero when sampling frequency is unspecified. | 2026-05-08 | not yet calculated | CVE-2026-43354 | https://git.kernel.org/stable/c/451ec5e67444f8460f9706a1bde146b5bbc86ce6 https://git.kernel.org/stable/c/ad9da7d39cecd3e92f54149ea0ebca390f33fe69 https://git.kernel.org/stable/c/739fdfe65678d8e5dcf59496c56b32ab3ba3dbaa https://git.kernel.org/stable/c/a318cfc0853706f1d6ce682dba660bc455d674ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: light: bh1780: fix PM runtime leak on error path Move pm_runtime_put_autosuspend() before the error check to ensure the PM runtime reference count is always decremented after pm_runtime_get_sync(), regardless of whether the read operation succeeds or fails. | 2026-05-08 | not yet calculated | CVE-2026-43355 | https://git.kernel.org/stable/c/1eb3af4f59e09323788860a9155e9766b12891e5 https://git.kernel.org/stable/c/424bf90e87134effe4bd932608a15286493b11ab https://git.kernel.org/stable/c/fc77e0a5600e620a2ae51ec78933162fb217b20b https://git.kernel.org/stable/c/aae572ddc28578af476cce7da3faec0395ef0bf0 https://git.kernel.org/stable/c/33661bfc85c14836bfef4425a74b0ca2df4bb5ad https://git.kernel.org/stable/c/dd72e6c3cdea05cad24e99710939086f7a113fb5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: imu: adis: Fix NULL pointer dereference in adis_init The adis_init() function dereferences adis->ops to check if the individual function pointers (write, read, reset) are NULL, but does not first check if adis->ops itself is NULL. Drivers like adis16480, adis16490, adis16545 and others do not set custom ops and rely on adis_init() assigning the defaults. Since struct adis is zero-initialized by devm_iio_device_alloc(), adis->ops is NULL when adis_init() is called, causing a NULL pointer dereference: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : adis_init+0xc0/0x118 Call trace: adis_init+0xc0/0x118 adis16480_probe+0xe0/0x670 Fix this by checking if adis->ops is NULL before dereferencing it, falling through to assign the default ops in that case. | 2026-05-08 | not yet calculated | CVE-2026-43356 | https://git.kernel.org/stable/c/ba19dd366528b961430f5195c2e382420703074f https://git.kernel.org/stable/c/1a48f94c63a078e7b6a2e59a637fc0858dc6510c https://git.kernel.org/stable/c/9990cd4f8827bd1ae3fb6eb7407630d8d463c430 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: gyro: mpu3050-core: fix pm_runtime error handling The return value of pm_runtime_get_sync() is not checked, allowing the driver to access hardware that may fail to resume. The device usage count is also unconditionally incremented. Use pm_runtime_resume_and_get() which propagates errors and avoids incrementing the usage count on failure. In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate() failure since postdisable does not run when preenable fails. | 2026-05-08 | not yet calculated | CVE-2026-43357 | https://git.kernel.org/stable/c/935f57dd43492240e1ca220dd065d624efece6be https://git.kernel.org/stable/c/8544c488e50206f00630a8bbba43d2c8bd290345 https://git.kernel.org/stable/c/35f54e7bcb1eccdc6e5bff06580eeef2e0ff3677 https://git.kernel.org/stable/c/2a86a396aa001a9f9ba2d37dda36573a76f17c90 https://git.kernel.org/stable/c/66c0d1d600e7be034959cf49edab104cb5a39258 https://git.kernel.org/stable/c/42685cf96e28262e0b84d74447f3d99f3f6a72e0 https://git.kernel.org/stable/c/7a3dec5b265cf87678b10c98a72a435a8e769bb7 https://git.kernel.org/stable/c/acc3949aab3e8094641a9c7c2768de1958c88378 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer() Call rcu_read_lock() before exiting the loop in try_release_subpage_extent_buffer() because there is a rcu_read_unlock() call past the loop. This has been detected by the Clang thread-safety analyzer. | 2026-05-08 | not yet calculated | CVE-2026-43358 | https://git.kernel.org/stable/c/5e1ab71f74a1e61f1254dff128a764fdebaec0b8 https://git.kernel.org/stable/c/35b0c8768e848e1b7e32052db36b5fa59b6a33a1 https://git.kernel.org/stable/c/b2840e33127ce0eea880504b7f133e780f567a9b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on set received ioctl due to item overflow If the set received ioctl fails due to an item overflow when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction since we did some metadata updates before. This means that if a user calls this ioctl with the same received UUID field for a lot of subvolumes, we will hit the overflow, trigger the transaction abort and turn the filesystem into RO mode. A malicious user could exploit this, and this ioctl does not even requires that a user has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume. Fix this by doing an early check for item overflow before starting a transaction. This is also race safe because we are holding the subvol_sem semaphore in exclusive (write) mode. A test case for fstests will follow soon. | 2026-05-08 | not yet calculated | CVE-2026-43359 | https://git.kernel.org/stable/c/b9914db13ac15aca3b74544c0bb1a2e0dad1f174 https://git.kernel.org/stable/c/b19c0465e4daad5aa8f60552ea0578cf31a11b1e https://git.kernel.org/stable/c/2e57b8cac2ba0d38aac76c1ecdfd8b899e3581a5 https://git.kernel.org/stable/c/d11aefe654a04fc41996d254748d6a38b6b0a7be https://git.kernel.org/stable/c/41fb97353ff58fa4f31904c343fc8e3df2f7517d https://git.kernel.org/stable/c/87f2c46003fce4d739138aab4af1942b1afdadac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on file creation due to name hash collision If we attempt to create several files with names that result in the same hash, we have to pack them in same dir item and that has a limit inherent to the leaf size. However if we reach that limit, we trigger a transaction abort and turns the filesystem into RO mode. This allows for a malicious user to disrupt a system, without the need to have administration privileges/capabilities. Reproducer: $ cat exploit-hash-collisions.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi # Use smallest node size to make the test faster and require fewer file # names that result in hash collision. mkfs.btrfs -f --nodesize 4K $DEV mount $DEV $MNT # List of names that result in the same crc32c hash for btrfs. declare -a names=( 'foobar' '%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC' 'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z' 'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4' 'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:' 'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO' 'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us' 'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY' 'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO' 'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU' 'Ono7avN5GjC:_6dBJ_' 'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am' 'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k' 'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2' 'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd' 'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm' 'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ' 'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky' 'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS' 'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz' 'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu' 'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN' 'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4=' 'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn' 'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C' 'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW' '8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc' 'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mC ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43360 | https://git.kernel.org/stable/c/36947b5200b89bbe3a63629c12d4b31c84c0af9f https://git.kernel.org/stable/c/64ad49597d14c495ab8b7933bfefc83936a598e4 https://git.kernel.org/stable/c/5e2ea10b800d1bbb95e0c01a83f4f8119ac5d688 https://git.kernel.org/stable/c/9273175bf16c83f3ec93aa242d78c9b5db452d4d https://git.kernel.org/stable/c/0625e564290450c1921b115fc3d9abef74e055bd https://git.kernel.org/stable/c/2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort when snapshotting received subvolumes Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we can store in a leaf). This is very likely not common in practice, but if it happens, it turns the filesystem into RO mode. The snapshot, send and set_received_subvol and subvol_setflags (used by receive) don't require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user could use this to turn a filesystem into RO mode and disrupt a system. Reproducer script: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi # Use smallest node size to make the test faster. mkfs.btrfs -f --nodesize 4K $DEV mount $DEV $MNT # Create a subvolume and set it to RO so that it can be used for send. btrfs subvolume create $MNT/sv touch $MNT/sv/foo btrfs property set $MNT/sv ro true # Send and receive the subvolume into snaps/sv. mkdir $MNT/snaps btrfs send $MNT/sv | btrfs receive $MNT/snaps # Now snapshot the received subvolume, which has a received_uuid, a # lot of times to trigger the leaf overflow. total=500 for ((i = 1; i <= $total; i++)); do echo -ne "\rCreating snapshot $i/$total" btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null done echo umount $MNT When running the test: $ ./test.sh (...) Create subvolume '/mnt/sdi/sv' At subvol /mnt/sdi/sv At subvol sv Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system And in dmesg/syslog: $ dmesg (...) [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252! [251067.629212] ------------[ cut here ]------------ [251067.630033] BTRFS: Transaction aborted (error -75) [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235 [251067.632851] Modules linked in: btrfs dm_zero (...) [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) [251067.646165] Tainted: [W]=WARN [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs] [251067.649984] Code: f0 48 0f (...) [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292 [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3 [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750 [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820 [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0 [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5 [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000 [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0 [251067.661972] Call Trace: [251067.662292] <TASK> [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs] [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs] [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs] [251067.665238] ? _raw_spin_unlock+0x15/0x30 [251067.665837] ? record_root_ ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43361 | https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6 https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238 https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/apic: Disable x2apic on resume if the kernel expects so When resuming from s2ram, firmware may re-enable x2apic mode, which may have been disabled by the kernel during boot either because it doesn't support IRQ remapping or for other reasons. This causes the kernel to continue using the xapic interface, while the hardware is in x2apic mode, which causes hangs. This happens on defconfig + bare metal + s2ram. Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be disabled, i.e. when x2apic_mode = 0. The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the pre-sleep configuration or initial boot configuration for each CPU, including MSR state: When executing from the power-on reset vector as a result of waking from an S2 or S3 sleep state, the platform firmware performs only the hardware initialization required to restore the system to either the state the platform was in prior to the initial operating system boot, or to the pre-sleep configuration state. In multiprocessor systems, non-boot processors should be placed in the same state as prior to the initial operating system boot. (further ahead) If this is an S2 or S3 wake, then the platform runtime firmware restores minimum context of the system before jumping to the waking vector. This includes: CPU configuration. Platform runtime firmware restores the pre-sleep configuration or initial boot configuration of each CPU (MSR, MTRR, firmware update, SMBase, and so on). Interrupts must be disabled (for IA-32 processors, disabled by CLI instruction). (and other things) So at least as per the spec, re-enablement of x2apic by the firmware is allowed if "x2apic on" is a part of the initial boot configuration. [1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization [ bp: Massage. ] | 2026-05-08 | not yet calculated | CVE-2026-43363 | https://git.kernel.org/stable/c/a6ad6f2e31b524cbb66b2f370bad0cf17d327e6c https://git.kernel.org/stable/c/3dd0812a7c764cd8f3b0182441ac22da0a7f3b09 https://git.kernel.org/stable/c/965289b120cc68cca886c75219c68b8c15751d73 https://git.kernel.org/stable/c/f591938072115bf08730b8530c67fab189cc6308 https://git.kernel.org/stable/c/1a85f84214f9d790216547ac6086bf8033cd9e5a https://git.kernel.org/stable/c/11712c4eb384098db4cb08792e223c818b908c1a https://git.kernel.org/stable/c/1d8440c1e7c49715f937416ac90cf260f1f1712c https://git.kernel.org/stable/c/8cc7dd77a1466f0ec58c03478b2e735a5b289b96 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: fix NULL pointer dereference in ublk_ctrl_set_size() ublk_ctrl_set_size() unconditionally dereferences ub->ub_disk via set_capacity_and_notify() without checking if it is NULL. ub->ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only assigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs (ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE handler performs no state validation, a user can trigger a NULL pointer dereference by sending UPDATE_SIZE to a device that has been added but not yet started, or one that has been stopped. Fix this by checking ub->ub_disk under ub->mutex before dereferencing it, and returning -ENODEV if the disk is not available. | 2026-05-08 | not yet calculated | CVE-2026-43364 | https://git.kernel.org/stable/c/f13fe6794726755a43090cb680c4c58cea6aa5f1 https://git.kernel.org/stable/c/c28d945bfa92e15147e93b73f95345b9bec979b0 https://git.kernel.org/stable/c/25966fc097691e5c925ad080f64a2f19c5fd940a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix a few more NULL pointer dereference in device cleanup I found a few more paths that cleanup fails due to a NULL version pointer on unsupported hardware. Add NULL checks as applicable. (cherry picked from commit f5a05f8414fc10f307eb965f303580c7778f8dd2) | 2026-05-08 | not yet calculated | CVE-2026-43367 | https://git.kernel.org/stable/c/38f1640db7f8bf57b9e09c5b0b8b205a598f1b3e https://git.kernel.org/stable/c/5edcb0d6729b88f192ec8b0896aaf581e3593c9c https://git.kernel.org/stable/c/72ecb1dae72775fa9fea0159d8445d620a0a2295 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix NULL pointer dereference in device cleanup When GPU initialization fails due to an unsupported HW block IP blocks may have a NULL version pointer. During cleanup in amdgpu_device_fini_hw, the code calls amdgpu_device_set_pg_state and amdgpu_device_set_cg_state which iterate over all IP blocks and access adev->ip_blocks[i].version without NULL checks, leading to a kernel NULL pointer dereference. Add NULL checks for adev->ip_blocks[i].version in both amdgpu_device_set_cg_state and amdgpu_device_set_pg_state to prevent dereferencing NULL pointers during GPU teardown when initialization has failed. (cherry picked from commit b7ac77468cda92eecae560b05f62f997a12fe2f2) | 2026-05-08 | not yet calculated | CVE-2026-43369 | https://git.kernel.org/stable/c/43025c941aced9a9009f9ff20eea4eb78c61deb8 https://git.kernel.org/stable/c/767cd24d3c4ae847688877def4891943f6611ecd https://git.kernel.org/stable/c/062ea905fff7756b2e87143ffccaece5cdb44267 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: macb: Shuffle the tx ring before enabling tx Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board, the rootfs may take an extended time to recover after a suspend. Upon investigation, it was determined that the issue originates from a problem in the macb driver. According to the Zynq UltraScale TRM [1], when transmit is disabled, the transmit buffer queue pointer resets to point to the address specified by the transmit buffer queue base address register. In the current implementation, the code merely resets `queue->tx_head` and `queue->tx_tail` to '0'. This approach presents several issues: - Packets already queued in the tx ring are silently lost, leading to memory leaks since the associated skbs cannot be released. - Concurrent write access to `queue->tx_head` and `queue->tx_tail` may occur from `macb_tx_poll()` or `macb_start_xmit()` when these values are reset to '0'. - The transmission may become stuck on a packet that has already been sent out, with its 'TX_USED' bit set, but has not yet been processed. However, due to the manipulation of 'queue->tx_head' and 'queue->tx_tail', `macb_tx_poll()` incorrectly assumes there are no packets to handle because `queue->tx_head == queue->tx_tail`. This issue is only resolved when a new packet is placed at this position. This is the root cause of the prolonged recovery time observed for the NFS root filesystem. To resolve this issue, shuffle the tx ring and tx skb array so that the first unsent packet is positioned at the start of the tx ring. Additionally, ensure that updates to `queue->tx_head` and `queue->tx_tail` are properly protected with the appropriate lock. [1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm | 2026-05-08 | not yet calculated | CVE-2026-43371 | https://git.kernel.org/stable/c/c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7 https://git.kernel.org/stable/c/0a47c3889fcd843c72aa57fa8c4d06f5801fced4 https://git.kernel.org/stable/c/88f974fe118cb4653f029929ecbca7cfe06132ae https://git.kernel.org/stable/c/58f5d34f88e8f00910b692537f7b2efdb8c3705d https://git.kernel.org/stable/c/403182e0771b250cfde0fe7e1081d095ceaf8230 https://git.kernel.org/stable/c/881a0263d502e1a93ebc13a78254e9ad19520232 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: microchip: Fix error path in PTP IRQ setup If request_threaded_irq() fails during the PTP message IRQ setup, the newly created IRQ mapping is never disposed. Indeed, the ksz_ptp_irq_setup()'s error path only frees the mappings that were successfully set up. Dispose the newly created mapping if the associated request_threaded_irq() fails at setup. | 2026-05-08 | not yet calculated | CVE-2026-43372 | https://git.kernel.org/stable/c/3704ac6a0d9a78f66a187515a8ca3faedaf01cc5 https://git.kernel.org/stable/c/e80fef36c676c947072dabeb5803ae59d92ba493 https://git.kernel.org/stable/c/6c58a9fdb0d0e1011aa02455d26d6ebea251979b https://git.kernel.org/stable/c/c2d1d41e0e8ec447d40a5752844fc5fb0b23db27 https://git.kernel.org/stable/c/99c8c16a4aad0b37293cae213e15957c573cf79b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: mctp: fix device leak on probe failure Driver core holds a reference to the USB interface and its parent USB device while the interface is bound to a driver and there is no need to take additional references unless the structures are needed after disconnect. This driver takes a reference to the USB device during probe but does not to release it on probe failures. Drop the redundant device reference to fix the leak, reduce cargo culting, make it easier to spot drivers where an extra reference is needed, and reduce the risk of further memory leaks. | 2026-05-08 | not yet calculated | CVE-2026-43375 | https://git.kernel.org/stable/c/3224990fb16a831aabc50b67c74f5d0074ce80dd https://git.kernel.org/stable/c/ec9538f9b5cd1db5e8c612aa636b6119b6355c5d https://git.kernel.org/stable/c/224a0d284c3caf1951302d1744a714784febed71 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: server: fix use-after-free in smb2_open() The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window. | 2026-05-08 | not yet calculated | CVE-2026-43378 | https://git.kernel.org/stable/c/e1b21e6066615e7d3d3a7aa2677e415e563fd7cc https://git.kernel.org/stable/c/b720c84087cb547f23ce03eab93568c1769e4556 https://git.kernel.org/stable/c/54b48ae83de8bb06e65079d96368efe359d4909c https://git.kernel.org/stable/c/8f5b1a7cb009a93c48e9e334a2f59a660f9afc07 https://git.kernel.org/stable/c/190e5f808e8058640b408ccfed25440b441a718a https://git.kernel.org/stable/c/1e689a56173827669a35da7cb2a3c78ed5c53680 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read The q54sj108a2_debugfs_read function suffers from a stack buffer overflow due to incorrect arguments passed to bin2hex(). The function currently passes 'data' as the destination and 'data_char' as the source. Because bin2hex() converts each input byte into two hex characters, a 32-byte block read results in 64 bytes of output. Since 'data' is only 34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end of the buffer onto the stack. Additionally, the arguments were swapped: it was reading from the zero-initialized 'data_char' and writing to 'data', resulting in all-zero output regardless of the actual I2C read. Fix this by: 1. Expanding 'data_char' to 66 bytes to safely hold the hex output. 2. Correcting the bin2hex() argument order and using the actual read count. 3. Using a pointer to select the correct output buffer for the final simple_read_from_buffer call. | 2026-05-08 | not yet calculated | CVE-2026-43380 | https://git.kernel.org/stable/c/a0fc1b9c738fba231f190ab960c83202722efee5 https://git.kernel.org/stable/c/c59090c50f62a17129fc4c5407bc4071305a9e82 https://git.kernel.org/stable/c/52db5ef163c96f916d424e472fb17aadc35a9f7a https://git.kernel.org/stable/c/b48a0f8d4541a4f6651dc9a64430ce9fdf5c120b https://git.kernel.org/stable/c/73a7a345816946d276ad2c46c8bb771de67cfc46 https://git.kernel.org/stable/c/24a7b9daa103fa963b3fd37d8805b23e01621976 https://git.kernel.org/stable/c/25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nouveau/dpcd: return EBUSY for aux xfer if the device is asleep If we have runtime suspended, and userspace wants to use /dev/drm_dp_* then just tell it the device is busy instead of crashing in the GSP code. WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy) Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024 RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] This is a simple fix to get backported. We should probably engineer a proper power domain solution to wake up devices and keep them awake while fw updates are happening. | 2026-05-08 | not yet calculated | CVE-2026-43381 | https://git.kernel.org/stable/c/178df7c91e6c202579284df9f79d1592a514cdcf https://git.kernel.org/stable/c/4df518aa196085909fd7e32518ecd27fba60ed69 https://git.kernel.org/stable/c/cd24cab2023aa46b595bc6b9cc39d8973d9d0a8c https://git.kernel.org/stable/c/fad178ae894930520519ead3c8e0150641466360 https://git.kernel.org/stable/c/6bdd2d70c338d52c387d3b3aadc596784ae81b01 https://git.kernel.org/stable/c/ad8fa5bff53f5d1f8394f996850da8ce070eaee3 https://git.kernel.org/stable/c/24639553a016578222ac597db924dfb6fa5ec8b5 https://git.kernel.org/stable/c/8f3c6f08ababad2e3bdd239728cf66a9949446b4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: batman-adv: Avoid double-rtnl_lock ELP metric worker batadv_v_elp_get_throughput() might be called when the RTNL lock is already held. This could be problematic when the work queue item is cancelled via cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case, an rtnl_lock() would cause a deadlock. To avoid this, rtnl_trylock() was used in this function to skip the retrieval of the ethtool information in case the RTNL lock was already held. But for cfg80211 interfaces, batadv_get_real_netdev() was called - which also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must also be used instead and the lockless version __batadv_get_real_netdev() has to be called. | 2026-05-08 | not yet calculated | CVE-2026-43382 | https://git.kernel.org/stable/c/4c3ae249431b4fcb315d7dfb4c3a13f9e443fd9b https://git.kernel.org/stable/c/192f40ad8a7dac58dae9199a065dbf7e6e67b75b https://git.kernel.org/stable/c/fa7b4edfbabdf9235b0ab4bea297fc12b3bec9ca https://git.kernel.org/stable/c/f3ca45673dab0514a887231de6f3243a699d5bfd https://git.kernel.org/stable/c/b7e5d8ddfdf1d6e9e0808d1adf7736a107372d77 https://git.kernel.org/stable/c/2ab9f2531d37775cd79228c1f5d80e6bd08d11d3 https://git.kernel.org/stable/c/77808fe7d03ad0062840b95f431869a8b3d88b24 https://git.kernel.org/stable/c/cfc83a3c71517b59c1047db57da31e26a9dc2f33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read. Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array. | 2026-05-08 | not yet calculated | CVE-2026-43386 | https://git.kernel.org/stable/c/6ff2243d5e05a5239e39d4ba61d96b0ea3bf7259 https://git.kernel.org/stable/c/12cc6e8f8d4245b7b5a408c6fc8ab1d098d67020 https://git.kernel.org/stable/c/209644e25757c499e1c1f08c071ea0386d4448b6 https://git.kernel.org/stable/c/768f25613a9fe6766d15a4a72979657adfc1c6d8 https://git.kernel.org/stable/c/e14a1148f02e8cf1ca380d57e4b95ca36c97f45d https://git.kernel.org/stable/c/4dd2d9cf563c54e09d5f7eacf95c5b8f538b513b https://git.kernel.org/stable/c/d97fc1b29513010b60fde874c7f0ba816744e18c https://git.kernel.org/stable/c/a75281626fc8fa6dc6c9cc314ee423e8bc45203b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser"), we don't trust the data in the frame so we should check the length better before acting on it | 2026-05-08 | not yet calculated | CVE-2026-43387 | https://git.kernel.org/stable/c/ac38856092b4c994f94343251b30520bdeb7f475 https://git.kernel.org/stable/c/35969c3a208a07cb8642301df5869c34e2db7071 https://git.kernel.org/stable/c/8097a48c606a9306281ea7bd73bf2afc97553733 https://git.kernel.org/stable/c/740bca8bbdb707c0e4bb11e3316deb2f04fc7ce1 https://git.kernel.org/stable/c/821f7d759fb2de33c5e5b0c4981181c4d0c3e9b1 https://git.kernel.org/stable/c/6d62fa548387e159a21ea95132c09bfc96d336ed https://git.kernel.org/stable/c/9a4cd4c37593cc8b8d28f9a6732b490a8032006a https://git.kernel.org/stable/c/f0109b9d3e1e455429279d602f6276e34689750a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: clear walk_control on inactive context in damos_walk() damos_walk() sets ctx->walk_control to the caller-provided control structure before checking whether the context is running. If the context is inactive (damon_is_running() returns false), the function returns -EINVAL without clearing ctx->walk_control. This leaves a dangling pointer to a stack-allocated structure that will be freed when the caller returns. This is structurally identical to the bug fixed in commit f9132fbc2e83 ("mm/damon/core: remove call_control in inactive contexts") for damon_call(), which had the same pattern of linking a control object and returning an error without unlinking it. The dangling walk_control pointer can cause: 1. Use-after-free if the context is later started and kdamond dereferences ctx->walk_control (e.g., in damos_walk_cancel() which writes to control->canceled and calls complete()) 2. Permanent -EBUSY from subsequent damos_walk() calls, since the stale pointer is non-NULL Nonetheless, the real user impact is quite restrictive. The use-after-free is impossible because there is no damos_walk() callers who starts the context later. The permanent -EBUSY can actually confuse users, as DAMON is not running. But the symptom is kept only while the context is turned off. Turning it on again will make DAMON internally uses a newly generated damon_ctx object that doesn't have the invalid damos_walk_control pointer, so everything will work fine again. Fix this by clearing ctx->walk_control under walk_control_lock before returning -EINVAL, mirroring the fix pattern from f9132fbc2e83. | 2026-05-08 | not yet calculated | CVE-2026-43388 | https://git.kernel.org/stable/c/ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b https://git.kernel.org/stable/c/9320c77134ab8d7701e20608bbf08517df4fa321 https://git.kernel.org/stable/c/d210fdcac9c0d1380eab448aebc93f602c1cd4e6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: memfd_luo: always dirty all folios A dirty folio is one which has been written to. A clean folio is its opposite. Since a clean folio has no user data, it can be freed under memory pressure. memfd preservation with LUO saves the flag at preserve(). This is problematic. The folio might get dirtied later. Saving it at freeze() also doesn't work, since the dirty bit from PTE is normally synced at unmap and there might still be mappings of the file at freeze(). To see why this is a problem, say a folio is clean at preserve, but gets dirtied later. The serialized state of the folio will mark it as clean. After retrieve, the next kernel will see the folio as clean and might try to reclaim it under memory pressure. This will result in losing user data. Mark all folios of the file as dirty, and always set the MEMFD_LUO_FOLIO_DIRTY flag. This comes with the side effect of making all clean folios un-reclaimable. This is a cost that has to be paid for participants of live update. It is not expected to be a common use case to preserve a lot of clean folios anyway. Since the value of pfolio->flags is a constant now, drop the flags variable and set it directly. | 2026-05-08 | not yet calculated | CVE-2026-43389 | https://git.kernel.org/stable/c/e901c871d4b592f0042e30f3a0f031eae79744ec https://git.kernel.org/stable/c/7e04bf1f33151a30e06a65b74b5f2c19fc2be128 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nstree: tighten permission checks for listing Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. | 2026-05-08 | not yet calculated | CVE-2026-43390 | https://git.kernel.org/stable/c/0abd81645fc95ec6a9d4e4813000f22c5efc0ff4 https://git.kernel.org/stable/c/8d76afe84fa2babf604b3c173730d4d2b067e361 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix starvation of scx_enable() under fair-class saturation During scx_enable(), the READY -> ENABLED task switching loop changes the calling thread's sched_class from fair to ext. Since fair has higher priority than ext, saturating fair-class workloads can indefinitely starve the enable thread, hanging the system. This was introduced when the enable path switched from preempt_disable() to scx_bypass() which doesn't protect against fair-class starvation. Note that the original preempt_disable() protection wasn't complete either - in partial switch modes, the calling thread could still be starved after preempt_enable() as it may have been switched to ext class. Fix it by offloading the enable body to a dedicated system-wide RT (SCHED_FIFO) kthread which cannot be starved by either fair or ext class tasks. scx_enable() lazily creates the kthread on first use and passes the ops pointer through a struct scx_enable_cmd containing the kthread_work, then synchronously waits for completion. The workfn runs on a different kthread from sch->helper (which runs disable_work), so it can safely flush disable_work on the error path without deadlock. | 2026-05-08 | not yet calculated | CVE-2026-43392 | https://git.kernel.org/stable/c/e0b14bf06393be137d3efb6a3b7cd5b4b9810a6b https://git.kernel.org/stable/c/c44198f25fdfecc0ec0fe366bf8a47fe17d8e229 https://git.kernel.org/stable/c/05ab9ec5dc24f234e0a2fecf3e6ff937c68f7d81 https://git.kernel.org/stable/c/b06ccbabe2506fd70b9167a644978b049150224a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies() Fix a chunk map leak in btrfs_map_block(): if we return early with -EINVAL, we're not freeing the chunk map that we've just looked up. | 2026-05-08 | not yet calculated | CVE-2026-43393 | https://git.kernel.org/stable/c/0e4aaf5a3212b6a469c2489637c29a8e2a5062a5 https://git.kernel.org/stable/c/7bdf00ed75c477252578068dba19934cd825f20a https://git.kernel.org/stable/c/4f90c5c2698383984102401b1724b0b67da832ab https://git.kernel.org/stable/c/f15fb3d41543244d1179f423da4a4832a55bc050 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit(). nfsd_nl_listener_set_doit() uses get_current_cred() without put_cred(). As we can see from other callers, svc_xprt_create_from_sa() does not require the extra refcount. nfsd_nl_listener_set_doit() is always in the process context, sendmsg(), and current->cred does not go away. Let's use current_cred() in nfsd_nl_listener_set_doit(). | 2026-05-08 | not yet calculated | CVE-2026-43394 | https://git.kernel.org/stable/c/02e87ec0bc706cb93fa47b43d18c4d10102c7d54 https://git.kernel.org/stable/c/019debe5851d7355bea9ff0248cc317878924d8f https://git.kernel.org/stable/c/cba413765376bb466035c9160fa3130402971e2c https://git.kernel.org/stable/c/92978c83bb4eef55d02a6c990c01c423131eefa7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Cleanup partially initialized sync on parse failure xe_sync_entry_parse() can allocate references (syncobj, fence, chain fence, or user fence) before hitting a later failure path. Several of those paths returned directly, leaving partially initialized state and leaking refs. Route these error paths through a common free_sync label and call xe_sync_entry_cleanup(sync) before returning the error. (cherry picked from commit f939bdd9207a5d1fc55cced5459858480686ce22) | 2026-05-08 | not yet calculated | CVE-2026-43395 | https://git.kernel.org/stable/c/91c228f96fcfacc2341a58815b1da8c69da94ebb https://git.kernel.org/stable/c/af65cd1853599394b94201c08bed7a46717db478 https://git.kernel.org/stable/c/f0af63ffa06306f12592cd3919fad6957b425e1b https://git.kernel.org/stable/c/1bfd7575092420ba5a0b944953c95b74a5646ff8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Fix user fence leak on alloc failure When dma_fence_chain_alloc() fails, properly release the user fence reference to prevent a memory leak. (cherry picked from commit a5d5634cde48a9fcd68c8504aa07f89f175074a0) | 2026-05-08 | not yet calculated | CVE-2026-43396 | https://git.kernel.org/stable/c/05edc78eb4699e8e000a62aaa8dace50a17e19e3 https://git.kernel.org/stable/c/f8f90b33934b307f6e4599b9fae38aa1ee5441a7 https://git.kernel.org/stable/c/0879c3f04f67e2a1677c25dcc24669ce21eb6a6c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/bridge: samsung-dsim: Fix memory leak in error path In samsung_dsim_host_attach(), drm_bridge_add() is called to add the bridge. However, if samsung_dsim_register_te_irq() or pdata->host_ops->attach() fails afterwards, the function returns without removing the bridge, causing a memory leak. Fix this by adding proper error handling with goto labels to ensure drm_bridge_remove() is called in all error paths. Also ensure that samsung_dsim_unregister_te_irq() is called if the attach operation fails after the TE IRQ has been registered. samsung_dsim_unregister_te_irq() function is moved without changes to be before samsung_dsim_host_attach() to avoid forward declaration. | 2026-05-08 | not yet calculated | CVE-2026-43397 | https://git.kernel.org/stable/c/98310fe3a2a79671b739a5344c1a11d74c503e25 https://git.kernel.org/stable/c/0b07f7d2c5a4078c2f1c11bb36685084fe4e5c95 https://git.kernel.org/stable/c/e6d779654cda63d632bd8dfcdcabd125057e30a5 https://git.kernel.org/stable/c/a40b92fb4b26d4cb1b5e439e55a56db7e79a82d1 https://git.kernel.org/stable/c/803ec1faf7c1823e6e3b1f2aaa81be18528c9436 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add upper bound check on user inputs in wait ioctl Huge input values in amdgpu_userq_wait_ioctl can lead to a OOM and could be exploited. So check these input value against AMDGPU_USERQ_MAX_HANDLES which is big enough value for genuine use cases and could potentially avoid OOM. v2: squash in Srini's fix (cherry picked from commit fcec012c664247531aed3e662f4280ff804d1476) | 2026-05-08 | not yet calculated | CVE-2026-43398 | https://git.kernel.org/stable/c/b1d10508da559da2e0ca9cca6505094a7df948e1 https://git.kernel.org/stable/c/3cd93bc695b3456f26f5ed52753d9071da26202a https://git.kernel.org/stable/c/64ac7c09fc44985ec9bb6a9db740899fa40ca613 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix reference leak in amdgpu_userq_wait_ioctl Drop reference to syncobj and timeline fence when aborting the ioctl due output array being too small. (cherry picked from commit 68951e9c3e6bb22396bc42ef2359751c8315dd27) | 2026-05-08 | not yet calculated | CVE-2026-43399 | https://git.kernel.org/stable/c/762f47e2b824383d5be65eee2c40a1269b7d50c8 https://git.kernel.org/stable/c/5409247d41f372bec5b141ef599f2d9f5e81b746 https://git.kernel.org/stable/c/49abfa812617a7f2d0132c70d23ac98b389c6ec1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add upper bound check on user inputs in signal ioctl Huge input values in amdgpu_userq_signal_ioctl can lead to a OOM and could be exploited. So check these input value against AMDGPU_USERQ_MAX_HANDLES which is big enough value for genuine use cases and could potentially avoid OOM. (cherry picked from commit be267e15f99bc97cbe202cd556717797cdcf79a5) | 2026-05-08 | not yet calculated | CVE-2026-43400 | https://git.kernel.org/stable/c/6fff5204d8aa26b1be50b6427f833bd3e8899c4f https://git.kernel.org/stable/c/46630d966b99b0fc6cb01fef4110587f3375a0c0 https://git.kernel.org/stable/c/ea78f8c68f4f6211c557df49174c54d167821962 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request() The update_cpu_qos_request() function attempts to initialize the 'freq' variable by dereferencing 'cpudata' before verifying if the 'policy' is valid. This issue occurs on systems booted with the "nosmt" parameter, where all_cpu_data[cpu] is NULL for the SMT sibling threads. As a result, any call to update_qos_requests() will result in a NULL pointer dereference as the code will attempt to access pstate.turbo_freq using the NULL cpudata pointer. Also, pstate.turbo_freq may be updated by intel_pstate_get_hwp_cap() after initializing the 'freq' variable, so it is better to defer the 'freq' until intel_pstate_get_hwp_cap() has been called. Fix this by deferring the 'freq' assignment until after the policy and driver_data have been validated. [ rjw: Added one paragraph to the changelog ] | 2026-05-08 | not yet calculated | CVE-2026-43401 | https://git.kernel.org/stable/c/6bfda7ce56e7d14a677b7bcd6c7a5009cc29aa88 https://git.kernel.org/stable/c/42738dffb7b0766a45882dff7989401d78f66f92 https://git.kernel.org/stable/c/ab39cc4cb8ceecdc2b61747433e7237f1ac2b789 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: Fix a hmm_range_fault() livelock / starvation problem If hmm_range_fault() fails a folio_trylock() in do_swap_page, trying to acquire the lock of a device-private folio for migration, to ram, the function will spin until it succeeds grabbing the lock. However, if the process holding the lock is depending on a work item to be completed, which is scheduled on the same CPU as the spinning hmm_range_fault(), that work item might be starved and we end up in a livelock / starvation situation which is never resolved. This can happen, for example if the process holding the device-private folio lock is stuck in migrate_device_unmap()->lru_add_drain_all() sinc lru_add_drain_all() requires a short work-item to be run on all online cpus to complete. A prerequisite for this to happen is: a) Both zone device and system memory folios are considered in migrate_device_unmap(), so that there is a reason to call lru_add_drain_all() for a system memory folio while a folio lock is held on a zone device folio. b) The zone device folio has an initial mapcount > 1 which causes at least one migration PTE entry insertion to be deferred to try_to_migrate(), which can happen after the call to lru_add_drain_all(). c) No or voluntary only preemption. This all seems pretty unlikely to happen, but indeed is hit by the "xe_exec_system_allocator" igt test. Resolve this by waiting for the folio to be unlocked if the folio_trylock() fails in do_swap_page(). Rename migration_entry_wait_on_locked() to softleaf_entry_wait_unlock() and update its documentation to indicate the new use-case. Future code improvements might consider moving the lru_add_drain_all() call in migrate_device_unmap() to be called *after* all pages have migration entries inserted. That would eliminate also b) above. v2: - Instead of a cond_resched() in hmm_range_fault(), eliminate the problem by waiting for the folio to be unlocked in do_swap_page() (Alistair Popple, Andrew Morton) v3: - Add a stub migration_entry_wait_on_locked() for the !CONFIG_MIGRATION case. (Kernel Test Robot) v4: - Rename migrate_entry_wait_on_locked() to softleaf_entry_wait_on_locked() and update docs (Alistair Popple) v5: - Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION version of softleaf_entry_wait_on_locked(). - Modify wording around function names in the commit message (Andrew Morton) (cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215) | 2026-05-08 | not yet calculated | CVE-2026-43404 | https://git.kernel.org/stable/c/94b6d0ba4b640ba23bb6c708a59316e74e5ede63 https://git.kernel.org/stable/c/7e6e2fc91d4b9b12ec6e137019532568ebcf2680 https://git.kernel.org/stable/c/b570f37a2ce480be26c665345c5514686a8a0274 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kprobes: avoid crash when rmmod/insmod after ftrace killed After we hit ftrace is killed by some errors, the kernel crash if we remove modules in which kprobe probes. BUG: unable to handle page fault for address: fffffbfff805000d PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010:kprobes_module_callback+0x89/0x790 RSP: 0018:ffff88812e157d30 EFLAGS: 00010a02 RAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90 RDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9a R10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002 R13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040 FS: 00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0 Call Trace: <TASK> notifier_call_chain+0xc6/0x280 blocking_notifier_call_chain+0x60/0x90 __do_sys_delete_module.constprop.0+0x32a/0x4e0 do_syscall_64+0x5d/0xfa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because the kprobe on ftrace does not correctly handles the kprobe_ftrace_disabled flag set by ftrace_kill(). To prevent this error, check kprobe_ftrace_disabled in __disarm_kprobe_ftrace() and skip all ftrace related operations. | 2026-05-08 | not yet calculated | CVE-2026-43409 | https://git.kernel.org/stable/c/8b6767e4141b2a42745b544d4555cf1614ba1a2d https://git.kernel.org/stable/c/b0ca81616a010807e91fc31db9be242b96326adc https://git.kernel.org/stable/c/cae928e3178c75602c21d67e21255d73e7e9ed4f https://git.kernel.org/stable/c/9edc79d664832a842012ad105b1521c1a3c35ab3 https://git.kernel.org/stable/c/e113f0b46d19626ec15388bcb91432c9a4fd6261 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled When the Remote System Update (RSU) isn't enabled in the First Stage Boot Loader (FSBL), the driver encounters a NULL pointer dereference when excute svc_normal_to_secure_thread() thread, resulting in a kernel panic: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Mem abort info: ... Data abort info: ... [0000000000000008] user address but active_mm is swapper Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 79 Comm: svc_smc_hvc_thr Not tainted 6.19.0-rc8-yocto-standard+ #59 PREEMPT Hardware name: SoCFPGA Stratix 10 SoCDK (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : svc_normal_to_secure_thread+0x38c/0x990 lr : svc_normal_to_secure_thread+0x144/0x990 ... Call trace: svc_normal_to_secure_thread+0x38c/0x990 (P) kthread+0x150/0x210 ret_from_fork+0x10/0x20 Code: 97cfc113 f9400260 aa1403e1 f9400400 (f9400402) ---[ end trace 0000000000000000 ]--- The issue occurs because rsu_send_async_msg() fails when RSU is not enabled in firmware, causing the channel to be freed via stratix10_svc_free_channel(). However, the probe function continues execution and registers svc_normal_to_secure_thread(), which subsequently attempts to access the already-freed channel, triggering the NULL pointer dereference. Fix this by properly cleaning up the async client and returning early on failure, preventing the thread from being used with an invalid channel. | 2026-05-08 | not yet calculated | CVE-2026-43410 | https://git.kernel.org/stable/c/aa5739e0c51ad01c6e763ca89c1bfb58fc6ea71a https://git.kernel.org/stable/c/c45f7263100cece247dd3fa5fe277bd97fdb5687 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tipc: fix divide-by-zero in tipc_sk_filter_connect() A user can set conn_timeout to any value via setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() executes: delay %= (tsk->conn_timeout / 4); If conn_timeout is in the range [0, 3], the integer division yields 0, and the modulo operation triggers a divide-by-zero exception, causing a kernel oops/panic. Fix this by clamping conn_timeout to a minimum of 4 at the point of use in tipc_sk_filter_connect(). Oops: divide error: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+ RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362) Call Trace: tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406) __release_sock (include/net/sock.h:1185 net/core/sock.c:3213) release_sock (net/core/sock.c:3797) tipc_connect (net/tipc/socket.c:2570) __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098) | 2026-05-08 | not yet calculated | CVE-2026-43411 | https://git.kernel.org/stable/c/600feb0a66a98c6b7f6f02b5f3612e75f9b8540f https://git.kernel.org/stable/c/3bc9998041076ee05d3f312a22cee6b2ca35527f https://git.kernel.org/stable/c/579956f9f297eb1b6a5d24de313f3acccee1f9d5 https://git.kernel.org/stable/c/a360d3815aae1f00dd71b7714a846482e85cc1f7 https://git.kernel.org/stable/c/c2ebfbe63deb7bfd4dc2532bae62a7ed67713272 https://git.kernel.org/stable/c/2754e7b3d64748643df867d1ea6fec522914b635 https://git.kernel.org/stable/c/338c5edeb6ae3f12a4b84dff9d71f6f7f8c202c3 https://git.kernel.org/stable/c/6c5a9baa15de240e747263aba435a0951da8d8d2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start During ADSP stop and start, the kernel crashes due to the order in which ASoC components are removed. On ADSP stop, the q6apm-audio .remove callback unloads topology and removes PCM runtimes during ASoC teardown. This deletes the RTDs that contain the q6apm DAI components before their removal pass runs, leaving those components still linked to the card and causing crashes on the next rebind. Fix this by ensuring that all dependent (child) components are removed first, and the q6apm component is removed last. [ 48.105720] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 [ 48.114763] Mem abort info: [ 48.117650] ESR = 0x0000000096000004 [ 48.121526] EC = 0x25: DABT (current EL), IL = 32 bits [ 48.127010] SET = 0, FnV = 0 [ 48.130172] EA = 0, S1PTW = 0 [ 48.133415] FSC = 0x04: level 0 translation fault [ 48.138446] Data abort info: [ 48.141422] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 48.147079] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 48.152354] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 48.157859] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001173cf000 [ 48.164517] [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000 [ 48.171530] Internal error: Oops: 0000000096000004 [#1] SMP [ 48.177348] Modules linked in: q6prm_clocks q6apm_lpass_dais q6apm_dai snd_q6dsp_common q6prm snd_q6apm 8021q garp mrp stp llc snd_soc_hdmi_codec apr pdr_interface phy_qcom_edp fastrpc qcom_pd_mapper rpmsg_ctrl qrtr_smd rpmsg_char qcom_pdr_msg qcom_iris v4l2_mem2mem videobuf2_dma_contig ath11k_pci msm ubwc_config at24 ath11k videobuf2_memops mac80211 ocmem videobuf2_v4l2 libarc4 drm_gpuvm mhi qrtr videodev drm_exec snd_soc_sc8280xp gpu_sched videobuf2_common nvmem_qcom_spmi_sdam snd_soc_qcom_sdw drm_dp_aux_bus qcom_q6v5_pas qcom_spmi_temp_alarm snd_soc_qcom_common rtc_pm8xxx qcom_pon drm_display_helper cec qcom_pil_info qcom_stats soundwire_bus drm_client_lib mc dispcc0_sa8775p videocc_sa8775p qcom_q6v5 camcc_sa8775p snd_soc_dmic phy_qcom_sgmii_eth snd_soc_max98357a i2c_qcom_geni snd_soc_core dwmac_qcom_ethqos llcc_qcom icc_bwmon qcom_sysmon snd_compress qcom_refgen_regulator coresight_stm stmmac_platform snd_pcm_dmaengine qcom_common coresight_tmc stmmac coresight_replicator qcom_glink_smem coresight_cti stm_core [ 48.177444] coresight_funnel snd_pcm ufs_qcom phy_qcom_qmp_usb gpi phy_qcom_snps_femto_v2 coresight phy_qcom_qmp_ufs qcom_wdt gpucc_sa8775p pcs_xpcs mdt_loader qcom_ice icc_osm_l3 qmi_helpers snd_timer snd soundcore display_connector qcom_rng nvmem_reboot_mode drm_kms_helper phy_qcom_qmp_pcie sha256 cfg80211 rfkill socinfo fuse drm backlight ipv6 [ 48.301059] CPU: 2 UID: 0 PID: 293 Comm: kworker/u32:2 Not tainted 6.19.0-rc6-dirty #10 PREEMPT [ 48.310081] Hardware name: Qualcomm Technologies, Inc. Lemans EVK (DT) [ 48.316782] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface] [ 48.323672] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 48.330825] pc : mutex_lock+0xc/0x54 [ 48.334514] lr : soc_dapm_shutdown_dapm+0x44/0x174 [snd_soc_core] [ 48.340794] sp : ffff800084ddb7b0 [ 48.344207] x29: ffff800084ddb7b0 x28: ffff00009cd9cf30 x27: ffff00009cd9cc00 [ 48.351544] x26: ffff000099610190 x25: ffffa31d2f19c810 x24: ffffa31d2f185098 [ 48.358869] x23: ffff800084ddb7f8 x22: 0000000000000000 x21: 00000000000000d0 [ 48.366198] x20: ffff00009ba6c338 x19: ffff00009ba6c338 x18: 00000000ffffffff [ 48.373528] x17: 000000040044ffff x16: ffffa31d4ae6dca8 x15: 072007740775076f [ 48.380853] x14: 0765076d07690774 x13: 00313a323a656369 x12: 767265733a637673 [ 48.388182] x11: 00000000000003f9 x10: ffffa31d4c7dea98 x9 : 0000000000000001 [ 48.395519] x8 : ffff00009a2aadc0 x7 : 0000000000000003 x6 : 0000000000000000 [ 48.402854] x5 : 0000000000000 ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43412 | https://git.kernel.org/stable/c/94bda21adb2a51f69366b847b4d80dfe50bd9fb9 https://git.kernel.org/stable/c/a8e9cab16771b15160465783507496dc83742d8e https://git.kernel.org/stable/c/0da170b9e600da6930cfb8352e4cc036db3b6159 https://git.kernel.org/stable/c/22b05abb17e3c6ef45035141fe3d26f815ff9d30 https://git.kernel.org/stable/c/897f32cab7945f4662a50b3841ba31c6c3204876 https://git.kernel.org/stable/c/d6db827b430bdcca3976cebca7bd69cca03cde2c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Fix NULL pointer exception during user_scan() user_scan() invokes updated sas_user_scan() for channel 0, and if successful, iteratively scans remaining channels (1 to shost->max_channel) via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans"). However, hisi_sas supports only one channel, and the current value of max_channel is 1. sas_user_scan() for channel 1 will trigger the following NULL pointer exception: [ 441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0 [ 441.554699] Mem abort info: [ 441.554710] ESR = 0x0000000096000004 [ 441.554718] EC = 0x25: DABT (current EL), IL = 32 bits [ 441.554723] SET = 0, FnV = 0 [ 441.554726] EA = 0, S1PTW = 0 [ 441.554730] FSC = 0x04: level 0 translation fault [ 441.554735] Data abort info: [ 441.554737] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 441.554742] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 441.554747] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000 [ 441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000 [ 441.554769] Internal error: Oops: 0000000096000004 [#1] SMP [ 441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod [ 441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT [ 441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 441.698277] pc : sas_find_dev_by_rphy+0x44/0x118 [ 441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118 [ 441.707502] sp : ffff80009abbba40 [ 441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08 [ 441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00 [ 441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000 [ 441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020 [ 441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff [ 441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a [ 441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4 [ 441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030 [ 441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000 [ 441.782053] Call trace: [ 441.784488] sas_find_dev_by_rphy+0x44/0x118 (P) [ 441.789095] sas_target_alloc+0x24/0xb0 [ 441.792920] scsi_alloc_target+0x290/0x330 [ 441.797010] __scsi_scan_target+0x88/0x258 [ 441.801096] scsi_scan_channel+0x74/0xb8 [ 441.805008] scsi_scan_host_selected+0x170/0x188 [ 441.809615] sas_user_scan+0xfc/0x148 [ 441.813267] store_scan+0x10c/0x180 [ 441.816743] dev_attr_store+0x20/0x40 [ 441.820398] sysfs_kf_write+0x84/0xa8 [ 441.824054] kernfs_fop_write_iter+0x130/0x1c8 [ 441.828487] vfs_write+0x2c0/0x370 [ 441.831880] ksys_write+0x74/0x118 [ 441.835271] __arm64_sys_write+0x24/0x38 [ 441.839182] invoke_syscall+0x50/0x120 [ 441.842919] el0_svc_common.constprop.0+0xc8/0xf0 [ 441.847611] do_el0_svc+0x24/0x38 [ 441.850913] el0_svc+0x38/0x158 [ 441.854043] el0t_64_sync_handler+0xa0/0xe8 [ 441.858214] el0t_64_sync+0x1ac/0x1b0 [ 441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75) [ 441.867946] ---[ end trace 0000000000000000 ]--- Therefore ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43413 | https://git.kernel.org/stable/c/70c78429ef383e35f9c58848994aeeac8083ae35 https://git.kernel.org/stable/c/40119a21d9769bf8fdab5c93c6c878296e628abf https://git.kernel.org/stable/c/21a13db8d449b9c7eda4471da7f12417602dbbc7 https://git.kernel.org/stable/c/beadac156610a4f3bb15cb7bb4b07b6ac06f6567 https://git.kernel.org/stable/c/8ddc0c26916574395447ebf4cff684314f6873a9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op, POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can still be running while ufshcd_vops_suspend() is executing. When UFSHCD_CAP_CLK_GATING is not supported, the condition !hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc() to be executed. Since ufshcd_vops_suspend() typically performs clock gating operations, executing ufshcd_update_rtc() at that moment triggers an SError. The kernel panic trace is as follows: Kernel panic - not syncing: Asynchronous SError Interrupt Call trace: dump_backtrace+0xec/0x128 show_stack+0x18/0x28 dump_stack_lvl+0x40/0xa0 dump_stack+0x18/0x24 panic+0x148/0x374 nmi_panic+0x3c/0x8c arm64_serror_panic+0x64/0x8c do_serror+0xc4/0xc8 el1h_64_error_handler+0x34/0x4c el1h_64_error+0x68/0x6c el1_interrupt+0x20/0x58 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x68/0x6c ktime_get+0xc4/0x12c ufshcd_mcq_sq_stop+0x4c/0xec ufshcd_mcq_sq_cleanup+0x64/0x1dc ufshcd_clear_cmd+0x38/0x134 ufshcd_issue_dev_cmd+0x298/0x4d0 ufshcd_exec_dev_cmd+0x1a4/0x1c4 ufshcd_query_attr+0xbc/0x19c ufshcd_rtc_work+0x10c/0x1c8 process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x120/0x1d8 ret_from_fork+0x10/0x20 Fix this by moving cancel_delayed_work_sync() before the call to ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is fully completed or cancelled at that point. | 2026-05-08 | not yet calculated | CVE-2026-43415 | https://git.kernel.org/stable/c/a6a894413b043704b77a6294c379c93b1477e48d https://git.kernel.org/stable/c/2fcc2fc21cae7a0cbe73053f7fc70680ce2a7f69 https://git.kernel.org/stable/c/b17211b512cbf0e07de27e1932428ee6c20df910 https://git.kernel.org/stable/c/c387a8f1d3713f6b0415ece8485042d0f134b91a https://git.kernel.org/stable/c/b0bd84c39289ef6a6c3827dd52c875659291970a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current->mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current->mm, similarly to commit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain"). I was getting this panic when running a profiling BPF program (profile.py from bcc-tools): [26215.051935] Kernel attempted to read user page (588) - exploit attempt? (uid: 0) [26215.051950] BUG: Kernel NULL pointer dereference on read at 0x00000588 [26215.051952] Faulting instruction address: 0xc00000000020fac0 [26215.051957] Oops: Kernel access of bad area, sig: 11 [#1] [...] [26215.052049] Call Trace: [26215.052050] [c000000061da6d30] [c00000000020fc10] perf_callchain_user_64+0x2d0/0x490 (unreliable) [26215.052054] [c000000061da6dc0] [c00000000020f92c] perf_callchain_user+0x1c/0x30 [26215.052057] [c000000061da6de0] [c0000000005ab2a0] get_perf_callchain+0x100/0x360 [26215.052063] [c000000061da6e70] [c000000000573bc8] bpf_get_stackid+0x88/0xf0 [26215.052067] [c000000061da6ea0] [c008000000042258] bpf_prog_16d4ab9ab662f669_do_perf_event+0xf8/0x274 [...] In addition, move storing the top-level stack entry to generic perf_callchain_user to make sure the top-evel entry is always captured, even if current->mm is NULL. [Maddy: fixed message to avoid checkpatch format style error] | 2026-05-08 | not yet calculated | CVE-2026-43416 | https://git.kernel.org/stable/c/98074e16742ae87fb82e234b419783c5ffc9baea https://git.kernel.org/stable/c/7e5f60b8cfc02a2b23a40a5f5fd2fa81d010e737 https://git.kernel.org/stable/c/e9bbfb4bfa86c6b5515b868d6982ac60505d7e39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Handle vfork()/CLONE_VM correctly Matthieu and Jiri reported stalls where a task endlessly loops in mm_get_cid() when scheduling in. It turned out that the logic which handles vfork()'ed tasks is broken. It is invoked when the number of tasks associated to a process is smaller than the number of MMCID users. It then walks the task list to find the vfork()'ed task, but accounts all the already processed tasks as well. If that double processing brings the number of to be handled tasks to 0, the walk stops and the vfork()'ed task's CID is not fixed up. As a consequence a subsequent schedule in fails to acquire a (transitional) CID and the machine stalls. Cure this by removing the accounting condition and make the fixup always walk the full task list if it could not find the exact number of users in the process' thread list. | 2026-05-08 | not yet calculated | CVE-2026-43417 | https://git.kernel.org/stable/c/e6761cdce78a8919a537989afb6aaf6881469f83 https://git.kernel.org/stable/c/28b5a1395036d6c7a6c8034d85ad3d7d365f192c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Prevent CID stalls due to concurrent forks A newly forked task is accounted as MMCID user before the task is visible in the process' thread list and the global task list. This creates the following problem: CPU1 CPU2 fork() sched_mm_cid_fork(tnew1) tnew1->mm.mm_cid_users++; tnew1->mm_cid.cid = getcid() -> preemption fork() sched_mm_cid_fork(tnew2) tnew2->mm.mm_cid_users++; // Reaches the per CPU threshold mm_cid_fixup_tasks_to_cpus() for_each_other(current, p) .... As tnew1 is not visible yet, this fails to fix up the already allocated CID of tnew1. As a consequence a subsequent schedule in might fail to acquire a (transitional) CID and the machine stalls. Move the invocation of sched_mm_cid_fork() after the new task becomes visible in the thread and the task list to prevent this. This also makes it symmetrical vs. exit() where the task is removed as CID user before the task is removed from the thread and task lists. | 2026-05-08 | not yet calculated | CVE-2026-43418 | https://git.kernel.org/stable/c/f0189d49282e0458f3a737bd486c1ec048148f66 https://git.kernel.org/stable/c/b2e48c429ec54715d16fefa719dd2fbded2e65be |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: fix memory leaks in ceph_mdsc_build_path() Add __putname() calls to error code paths that did not free the "path" pointer obtained by __getname(). If ownership of this pointer is not passed to the caller via path_info.path, the function must free it before returning. | 2026-05-08 | not yet calculated | CVE-2026-43419 | https://git.kernel.org/stable/c/657dc653b06a3cc0282aea447a3f137fa94066a4 https://git.kernel.org/stable/c/5895d0164c84d7fec6abc198920c257f55c51899 https://git.kernel.org/stable/c/097cd68f46686391a98f2618188f0cb7b7570de2 https://git.kernel.org/stable/c/13b8b9d6f59ef17fb96c298c3a0d62a8306950cc https://git.kernel.org/stable/c/040d159a45ded7f33201421a81df0aa2a86e5a0b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: fix i_nlink underrun during async unlink During async unlink, we drop the `i_nlink` counter before we receive the completion (that will eventually update the `i_nlink`) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one: WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68 Modules linked in: CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655 Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drop_nlink+0x50/0x68 lr : ceph_unlink+0x6c4/0x720 sp : ffff80012173bc90 x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680 x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647 x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203 x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365 x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74 x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94 x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002 x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8 Call trace: drop_nlink+0x50/0x68 (P) vfs_unlink+0xb0/0x2e8 do_unlinkat+0x204/0x288 __arm64_sys_unlinkat+0x3c/0x80 invoke_syscall.constprop.0+0x54/0xe8 do_el0_svc+0xa4/0xc8 el0_svc+0x18/0x58 el0t_64_sync_handler+0x104/0x130 el0t_64_sync+0x154/0x158 In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion. Meanwhile, between this call and the following drop_nlink() call, a worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own completion). These will lead to a set_nlink() call, updating the `i_nlink` counter to the value received from the MDS. If that new `i_nlink` value happens to be zero, it is illegal to decrement it further. But that is exactly what ceph_unlink() will do then. The WARNING can be reproduced this way: 1. Force async unlink; only the async code path is affected. Having no real clue about Ceph internals, I was unable to find out why the MDS wouldn't give me the "Fxr" capabilities, so I patched get_caps_for_async_unlink() to always succeed. (Note that the WARNING dump above was found on an unpatched kernel, without this kludge - this is not a theoretical bug.) 2. Add a sleep call after ceph_mdsc_submit_request() so the unlink completion gets handled by a worker thread before drop_nlink() is called. This guarantees that the `i_nlink` is already zero before drop_nlink() runs. The solution is to skip the counter decrement when it is already zero, but doing so without a lock is still racy (TOCTOU). Since ceph_fill_inode() and handle_cap_grant() both hold the `ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this seems like the proper lock to protect the `i_nlink` updates. I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using `afs_vnode.cb_lock`). All three have the zero check as well. | 2026-05-08 | not yet calculated | CVE-2026-43420 | https://git.kernel.org/stable/c/9b31e88ac5623d15c8bc46f69dfe1d3b43a8f67c https://git.kernel.org/stable/c/6d5fd8bb574bef039eb3b738e523870433a2aeb9 https://git.kernel.org/stable/c/fcc477a6e8856c8a42b3c9e171724d8d6dfadd06 https://git.kernel.org/stable/c/b3f5513141ecc6b277a8f7b7efe58a0cf9a5e859 https://git.kernel.org/stable/c/aedd29386b23f3e1e6818943e11abfff2953732f https://git.kernel.org/stable/c/7db008e85a5d17b64bc5390b828bf457ae91a415 https://git.kernel.org/stable/c/8975b85b0d45ca811ace6fac5907652f2310e5ac https://git.kernel.org/stable/c/ce0123cbb4a40a2f1bbb815f292b26e96088639f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix net_device lifecycle with device_move The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs links and null pointer dereference problems. A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1] was reverted due to power management ordering concerns and a NO-CARRIER regression. A subsequent attempt to defer net_device allocation to bind [2] broke 1:1 mapping between function instance and network device, making it impossible for configfs to report the resolved interface name. This results in a regression where the DHCP server fails on pmOS. Use device_move to reparent the net_device between the gadget device and /sys/devices/virtual/ across bind/unbind cycles. This preserves the network interface across USB reconnection, allowing the DHCP server to retain their binding. Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use __free(detach_gadget) macro to undo attachment on bind failure. The bind_count ensures device_move executes only on the first bind. [1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/ [2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/ | 2026-05-08 | not yet calculated | CVE-2026-43421 | https://git.kernel.org/stable/c/93f116c3393a22acab96ad1bef12b2572eb80ca4 https://git.kernel.org/stable/c/e584cb58a2ea7ff4d3a4bc43d5ca512ed3ecb77d https://git.kernel.org/stable/c/85acaba2f42b557499bab3608307f17bf13beb69 https://git.kernel.org/stable/c/ec35c1969650e7cb6c8a91020e568ed46e3551b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: legacy: ncm: Fix NPE in gncm_bind Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind") deferred the allocation of the net_device. This change leads to a NULL pointer dereference in the legacy NCM driver as it attempts to access the net_device before it's fully instantiated. Store the provided qmult, host_addr, and dev_addr into the struct ncm_opts->net_opts during gncm_bind(). These values will be properly applied to the net_device when it is allocated and configured later in the binding process by the NCM function driver. | 2026-05-08 | not yet calculated | CVE-2026-43422 | https://git.kernel.org/stable/c/be5738d19bed244ede84da45bc45395bcb1d99e0 https://git.kernel.org/stable/c/b23e86a3a15803c3dcb24701285f73e65099fdf9 https://git.kernel.org/stable/c/fde0634ad9856b3943a2d1a8cc8de174a63ac840 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix atomic context locking issue The ncm_set_alt function was holding a mutex to protect against races with configfs, which invokes the might-sleep function inside an atomic context. Remove the struct net_device pointer from the f_ncm_opts structure to eliminate the contention. The connection state is now managed by a new boolean flag to preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). BUG: sleeping function called from invalid context Call Trace: dump_stack_lvl+0x83/0xc0 dump_stack+0x14/0x16 __might_resched+0x389/0x4c0 __might_sleep+0x8e/0x100 ... __mutex_lock+0x6f/0x1740 ... ncm_set_alt+0x209/0xa40 set_config+0x6b6/0xb40 composite_setup+0x734/0x2b40 ... | 2026-05-08 | not yet calculated | CVE-2026-43423 | https://git.kernel.org/stable/c/e533a44fb1b337d14f772585b67328bee2e0b5e3 https://git.kernel.org/stable/c/e95120b4b95ef1c16d8e94e201ae89f5e59e2612 https://git.kernel.org/stable/c/0d6c8144ca4d93253de952a5ea0028c19ed7ab68 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped. Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately dereference `tv_nexus->tvn_se_sess` without any validation. If a malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) command during this race window, it triggers a NULL pointer dereference, leading to a kernel panic (local DoS). This exposes an inconsistent API usage within the module, as peer functions like `usbg_submit_command()` and `bot_send_bad_response()` correctly implement a NULL check for `tv_nexus` before proceeding. Fix this by bringing consistency to the nexus handling. Add the missing `if (!tv_nexus)` checks to the vulnerable BOT command and request processing paths, aborting the command gracefully with an error instead of crashing the system. | 2026-05-08 | not yet calculated | CVE-2026-43424 | https://git.kernel.org/stable/c/b9b26d7f3aa288cfa54a7bc68612bab1f153f156 https://git.kernel.org/stable/c/2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7 https://git.kernel.org/stable/c/d146f27758049fa55ae4c53785a852d3cf7a18d6 https://git.kernel.org/stable/c/f962ca3b020e13d6714f27e8c36fe742441c58d1 https://git.kernel.org/stable/c/679d9535aeb15c10bce89c44102004b96624d706 https://git.kernel.org/stable/c/3d309b37633c4a847fc149939a2c9576f1aa1065 https://git.kernel.org/stable/c/b9fde507355342a2d64225d582dc8b98ff5ecb19 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: image: mdc800: kill download URB on timeout mdc800_device_read() submits download_urb and waits for completion. If the timeout fires and the device has not responded, the function returns without killing the URB, leaving it active. A subsequent read() resubmits the same URB while it is still in-flight, triggering the WARN in usb_submit_urb(): "URB submitted while active" Check the return value of wait_event_timeout() and kill the URB if it indicates timeout, ensuring the URB is complete before its status is inspected or the URB is resubmitted. Similar to - commit 372c93131998 ("USB: yurex: fix control-URB timeout handling") - commit b98d5000c505 ("media: rc: iguanair: handle timeouts") | 2026-05-08 | not yet calculated | CVE-2026-43425 | https://git.kernel.org/stable/c/9fa5a49760979ba016506fe292a431c8b83f043e https://git.kernel.org/stable/c/15536f6c15f48037a1672cbdea53266d67861ff6 https://git.kernel.org/stable/c/9bf877cc67309b2a063b0087c3ad8585fb11cec3 https://git.kernel.org/stable/c/155f471e38aa516f6c58c2ae03ca3dc222fa2fdb https://git.kernel.org/stable/c/d4a400a6a4c4d49f77a04a3f401df5ae1a10657c https://git.kernel.org/stable/c/b7fed917f84e484e06c5e9926746d0b524e3a93e https://git.kernel.org/stable/c/cc7398447810c9450c90d092efe9997569f8d96f https://git.kernel.org/stable/c/1be3b77de4eb89af8ae2fd6610546be778e25589 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: fix use-after-free in ISR during device removal In usbhs_remove(), the driver frees resources (including the pipe array) while the interrupt handler (usbhs_interrupt) is still registered. If an interrupt fires after usbhs_pipe_remove() but before the driver is fully unbound, the ISR may access freed memory, causing a use-after-free. Fix this by calling devm_free_irq() before freeing resources. This ensures the interrupt handler is both disabled and synchronized (waits for any running ISR to complete) before usbhs_pipe_remove() is called. | 2026-05-08 | not yet calculated | CVE-2026-43426 | https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f https://git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7 https://git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84 https://git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69 https://git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0 https://git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae https://git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580 https://git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: class: cdc-wdm: fix reordering issue in read code path Quoting the bug report: Due to compiler optimization or CPU out-of-order execution, the desc->length update can be reordered before the memmove. If this happens, wdm_read() can see the new length and call copy_to_user() on uninitialized memory. This also violates LKMM data race rules [1]. Fix it by using WRITE_ONCE and memory barriers. | 2026-05-08 | not yet calculated | CVE-2026-43427 | https://git.kernel.org/stable/c/638328ca9c17ae6511ad62198c57bae32ffa3c91 https://git.kernel.org/stable/c/170e8daca24da6edb4be82ab01abf44e87af387b https://git.kernel.org/stable/c/c8fa96ed021923dae147bcd9f9205b8df7b82360 https://git.kernel.org/stable/c/4ee3062bf2c9a722afef429826e8607eaf3fc6a0 https://git.kernel.org/stable/c/276aef0fd2b92f41b920ac891c72cadeee957934 https://git.kernel.org/stable/c/67ed312124bb1b61858778ac0b985b48961c862a https://git.kernel.org/stable/c/e3c874b05901dc519054b5107d16620e6d2b5fea https://git.kernel.org/stable/c/8df672bfe3ec2268c2636584202755898e547173 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: USB: core: Limit the length of unkillable synchronous timeouts The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device. To prevent this sort of problem, enforce a maximum limit on the length of these unkillable timeouts. The limit chosen here, somewhat arbitrarily, is 60 seconds. On many systems (although not all) this is short enough to avoid triggering the kernel's hung-task detector. In addition, clear up the ambiguity of negative timeout values by treating them the same as 0, i.e., using the maximum allowed timeout. | 2026-05-08 | not yet calculated | CVE-2026-43428 | https://git.kernel.org/stable/c/4e86f5b79e62ded7e3c3ebd688cf5775e618148a https://git.kernel.org/stable/c/06d2bbc4c66c6b0e8a43728c4949026026a5be67 https://git.kernel.org/stable/c/6c62935670acdbb7687ced20494923b66fbb0367 https://git.kernel.org/stable/c/659c0c7d50a4b0f6aa197c4c098cfd91daf63862 https://git.kernel.org/stable/c/24b31a227f679a942d820840a4dea7f0c09a387f https://git.kernel.org/stable/c/64f3d75633aedc12bdff220e9a4337177430bd9d https://git.kernel.org/stable/c/2d34cb4d1d6283b4be9c78f4a83ed6956d3069ec https://git.kernel.org/stable/c/1015c27a5e1a63efae2b18a9901494474b4d1dc3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts The usbtmc driver accepts timeout values specified by the user in an ioctl command, and uses these timeouts for some usb_bulk_msg() calls. Since the user can specify arbitrarily long timeouts and usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable() instead to avoid the possibility of the user hanging a kernel thread indefinitely. | 2026-05-08 | not yet calculated | CVE-2026-43429 | https://git.kernel.org/stable/c/e14a0dcdf468c3ad616bb06696c7c64c36e736d8 https://git.kernel.org/stable/c/7fa72c369c23c27d1f64883c1e276af950557fb1 https://git.kernel.org/stable/c/72c0a063489be183cfb99e7050aaef503bdb6449 https://git.kernel.org/stable/c/39bd4097292fd8564cf2cfba9356f8ab11e38d12 https://git.kernel.org/stable/c/0535f84cb94c9d8bcba0a2a5b3fac81b7d97235d https://git.kernel.org/stable/c/6cb7dc91f057dd8ce44f6caa2995d8e22784ed0a https://git.kernel.org/stable/c/d4f1c45bdff3f393f9ab7e76795901c442b9eb76 https://git.kernel.org/stable/c/7784caa413a89487dd14dd5c41db8753483b2acb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: yurex: fix race in probe The bbu member of the descriptor must be set to the value standing for uninitialized values before the URB whose completion handler sets bbu is submitted. Otherwise there is a window during which probing can overwrite already retrieved data. | 2026-05-08 | not yet calculated | CVE-2026-43430 | https://git.kernel.org/stable/c/a7934d7202a39c3160aa30521c382c7b744ae4a2 https://git.kernel.org/stable/c/a8b3b3d730acea1640bc89465f2832cf06a1e13a https://git.kernel.org/stable/c/687d26d43a5aaf44323ce7d601cf242bb87e9559 https://git.kernel.org/stable/c/939e3d17b843b0bae70467fef4481069d73c8520 https://git.kernel.org/stable/c/3cec135415a89723e2d38e1c8cc5098203355965 https://git.kernel.org/stable/c/a41d3d9202e951995cfac6248c565423079c71fa https://git.kernel.org/stable/c/af83e92c329f11139d5eea2b5b7b83c26c3f67e7 https://git.kernel.org/stable/c/7a875c09899ba0404844abfd8f0d54cdc481c151 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xhci: Fix NULL pointer dereference when reading portli debugfs files Michal reported and debgged a NULL pointer dereference bug in the recently added portli debugfs files Oops is caused when there are more port registers counted in xhci->max_ports than ports reported by Supported Protocol capabilities. This is possible if max_ports is more than maximum port number, or if there are gaps between ports of different speeds the 'Supported Protocol' capabilities. In such cases port->rhub will be NULL so we can't reach xhci behind it. Add an explicit NULL check for this case, and print portli in hex without dereferencing port->rhub. | 2026-05-08 | not yet calculated | CVE-2026-43431 | https://git.kernel.org/stable/c/9c8bef223c6e991276188d30d74bdb2cbd8be652 https://git.kernel.org/stable/c/ae4ff9dead5efa2025eddfcdb29411432bf40a7c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix memory leak in xhci_disable_slot() xhci_alloc_command() allocates a command structure and, when the second argument is true, also allocates a completion structure. Currently, the error handling path in xhci_disable_slot() only frees the command structure using kfree(), causing the completion structure to leak. Use xhci_free_command() instead of kfree(). xhci_free_command() correctly frees both the command structure and the associated completion structure. Since the command structure is allocated with zero-initialization, command->in_ctx is NULL and will not be erroneously freed by xhci_free_command(). This bug was found using an experimental static analysis tool we are developing. The tool is based on the LLVM framework and is specifically designed to detect memory management issues. It is currently under active development and not yet publicly available, but we plan to open-source it after our research is published. The bug was originally detected on v6.13-rc1 using our static analysis tool, and we have verified that the issue persists in the latest mainline kernel. We performed build testing on x86_64 with allyesconfig using GCC=11.4.0. Since triggering these error paths in xhci_disable_slot() requires specific hardware conditions or abnormal state, we were unable to construct a test case to reliably trigger these specific error paths at runtime. | 2026-05-08 | not yet calculated | CVE-2026-43432 | https://git.kernel.org/stable/c/1e800e26d54ccf2ddf2ea6d6cbe021c804d8aa62 https://git.kernel.org/stable/c/6288baf0c8c4dcfbf206773aede9c1f2269cec28 https://git.kernel.org/stable/c/46aea90763832cd6e9b0c2e1c00e6a9512156d4b https://git.kernel.org/stable/c/2e2baa8fb5aa4d080cbfeb84c51eff797529f413 https://git.kernel.org/stable/c/807e4fb5140c73eb5dba1e399a990db5c1f3cdf8 https://git.kernel.org/stable/c/c65f1b840ab8ce72ba68f1b63bab7960f8fdfa89 https://git.kernel.org/stable/c/078b446efc0f5e496c31bccb72b98af979963a83 https://git.kernel.org/stable/c/c1c8550e70401159184130a1afc6261db01fc0ce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: fix oneway spam detection The spam detection logic in TreeRange was executed before the current request was inserted into the tree. So the new request was not being factored in the spam calculation. Fix this by moving the logic after the new range has been inserted. Also, the detection logic for ArrayRange was missing altogether which meant large spamming transactions could get away without being detected. Fix this by implementing an equivalent low_oneway_space() in ArrayRange. Note that I looked into centralizing this logic in RangeAllocator but iterating through 'state' and 'size' got a bit too complicated (for me) and I abandoned this effort. | 2026-05-08 | not yet calculated | CVE-2026-43435 | https://git.kernel.org/stable/c/edf685946c4acbe57cb96f8d5f3c07e9a2e973c8 https://git.kernel.org/stable/c/8d34c993a9a156e657e43cb95186980745cc3597 https://git.kernel.org/stable/c/4fc87c240b8f30e22b7ebaae29d57105589e1c0b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces The Scarlett2 mixer quirk in USB-audio driver may hit a NULL dereference when a malformed USB descriptor is passed, since it assumes the presence of an endpoint in the parsed interface in scarlett2_find_fc_interface(), as reported by fuzzer. For avoiding the NULL dereference, just add the sanity check of bNumEndpoints and skip the invalid interface. | 2026-05-08 | not yet calculated | CVE-2026-43436 | https://git.kernel.org/stable/c/b014cc945baba75816cda0cf8934be87c9ed4947 https://git.kernel.org/stable/c/c5c5a6c53cf3b658f1d4512dfa61f3cd25bc34ba https://git.kernel.org/stable/c/b267255c15d2a5b90c4e926146aa155e5161e264 https://git.kernel.org/stable/c/3d542cf3c4c854cdf5d58049771f68926b9eb2b9 https://git.kernel.org/stable/c/3d4f23885e4b90347c9a1d779af6e79a99b5172a https://git.kernel.org/stable/c/df1d8abf36ca3681c21a6809eaa9a1e01ef897a6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cgroup: fix race between task migration and iteration When a task is migrated out of a css_set, cgroup_migrate_add_task() first moves it from cset->tasks to cset->mg_tasks via: list_move_tail(&task->cg_list, &cset->mg_tasks); If a css_task_iter currently has it->task_pos pointing to this task, css_set_move_task() calls css_task_iter_skip() to keep the iterator valid. However, since the task has already been moved to ->mg_tasks, the iterator is advanced relative to the mg_tasks list instead of the original tasks list. As a result, remaining tasks on cset->tasks, as well as tasks queued on cset->mg_tasks, can be skipped by iteration. Fix this by calling css_set_skip_task_iters() before unlinking task->cg_list from cset->tasks. This advances all active iterators to the next task on cset->tasks, so iteration continues correctly even when a task is concurrently being migrated. This race is hard to hit in practice without instrumentation, but it can be reproduced by artificially slowing down cgroup_procs_show(). For example, on an Android device a temporary /sys/kernel/cgroup/cgroup_test knob can be added to inject a delay into cgroup_procs_show(), and then: 1) Spawn three long-running tasks (PIDs 101, 102, 103). 2) Create a test cgroup and move the tasks into it. 3) Enable a large delay via /sys/kernel/cgroup/cgroup_test. 4) In one shell, read cgroup.procs from the test cgroup. 5) Within the delay window, in another shell migrate PID 102 by writing it to a different cgroup.procs file. Under this setup, cgroup.procs can intermittently show only PID 101 while skipping PID 103. Once the migration completes, reading the file again shows all tasks as expected. Note that this change does not allow removing the existing css_set_skip_task_iters() call in css_set_move_task(). The new call in cgroup_migrate_add_task() only handles iterators that are racing with migration while the task is still on cset->tasks. Iterators may also start after the task has been moved to cset->mg_tasks. If we dropped css_set_skip_task_iters() from css_set_move_task(), such iterators could keep task_pos pointing to a migrating task, causing css_task_iter_advance() to malfunction on the destination css_set, up to and including crashes or infinite loops. The race window between migration and iteration is very small, and css_task_iter is not on a hot path. In the worst case, when an iterator is positioned on the first thread of the migrating process, cgroup_migrate_add_task() may have to skip multiple tasks via css_set_skip_task_iters(). However, this only happens when migration and iteration actually race, so the performance impact is negligible compared to the correctness fix provided here. | 2026-05-08 | not yet calculated | CVE-2026-43439 | https://git.kernel.org/stable/c/7c85debc35e6d131bd29c64f2ae78c6ede0e55c4 https://git.kernel.org/stable/c/3b95abab7369235a37b15eaec6e1a0b443bba7c7 https://git.kernel.org/stable/c/4a9654a2b46cfdaae287fb8995f536245635e467 https://git.kernel.org/stable/c/3dfd1328c05234e8d8fa61948b2ba82680594988 https://git.kernel.org/stable/c/9cca530c7cc1b3e02cb8fa7f80060dd4b38562ce https://git.kernel.org/stable/c/86ceaccfdfa16dad05addb33dc206e03589bcfd1 https://git.kernel.org/stable/c/9dc76f6fc0d28d2382583715bc4ec22f28104845 https://git.kernel.org/stable/c/5ee01f1a7343d6a3547b6802ca2d4cdce0edacb1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mana: Null service_wq on setup error to prevent double destroy In mana_gd_setup() error path, set gc->service_wq to NULL after destroy_workqueue() to match the cleanup in mana_gd_cleanup(). This prevents a use-after-free if the workqueue pointer is checked after a failed setup. | 2026-05-08 | not yet calculated | CVE-2026-43440 | https://git.kernel.org/stable/c/59489ce60d7412ed82fb1d8002faa3102dcd4916 https://git.kernel.org/stable/c/6c92392602b451e3869f15ab685f8f650e942b13 https://git.kernel.org/stable/c/87c2302813abc55c46485711a678e3c312b00666 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp-mach-common: Add missing error check for clock acquisition The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not check the return values of clk_get(). This could lead to a kernel crash when the invalid pointers are later dereferenced by clock core functions. Fix this by: 1. Changing clk_get() to the device-managed devm_clk_get(). 2. Adding IS_ERR() checks immediately after each clock acquisition. | 2026-05-08 | not yet calculated | CVE-2026-43443 | https://git.kernel.org/stable/c/0cee68fb7f4cf1562e067c5a82d25062a973b0d0 https://git.kernel.org/stable/c/30c64fb9839949f085c8eb55b979cbd8a4c51f00 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Unreserve bo if queue update failed Error handling path should unreserve bo then return failed. (cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33) | 2026-05-08 | not yet calculated | CVE-2026-43444 | https://git.kernel.org/stable/c/781110700ada22168fbb490dd61432d23a17a5b4 https://git.kernel.org/stable/c/529c985da1b277b36dc99aad660f96dc70f3c467 https://git.kernel.org/stable/c/b2b7742c465c8e3b36dc325a48abb4b9f2aaa38b https://git.kernel.org/stable/c/2ce75a0b7e1bfddbcb9bc8aeb2e5e7fa99971acf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: e1000/e1000e: Fix leak in DMA error cleanup If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb. Because count is incremented after a successful mapping, it will always match the correct number of unmappings needed when dma_error is reached. Decrementing count before the while loop in dma_error causes an off-by-one error. If any mapping was successful before an unsuccessful mapping, exactly one DMA mapping would leak. In these commits, a faulty while condition caused an infinite loop in dma_error: Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e driver") Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") fixed the infinite loop, but introduced the off-by-one error. This issue may still exist in the igbvf driver, but I did not address it in this patch. | 2026-05-08 | not yet calculated | CVE-2026-43445 | https://git.kernel.org/stable/c/7eaeb778bfaa3b2a804f89321c234d59c74569db https://git.kernel.org/stable/c/0606c24a745bafd1be5d66c48361638cd9cad74b https://git.kernel.org/stable/c/519051c711dfd239ef6e4b28878efee400a035f9 https://git.kernel.org/stable/c/0a1fc25deabab4efce64610e3c449485c4fa8f5f https://git.kernel.org/stable/c/fa5ba9867a55e640df0dc79bf0199770fb043f03 https://git.kernel.org/stable/c/30e87ade8d678c25a8546cf38c0b498fa5cb27d3 https://git.kernel.org/stable/c/10b5e65959e955a1c8894e0a5413944b5a70204a https://git.kernel.org/stable/c/e94eaef11142b01f77bf8ba4d0b59720b7858109 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix runtime suspend deadlock when there is pending job The runtime suspend callback drains the running job workqueue before suspending the device. If a job is still executing and calls pm_runtime_resume_and_get(), it can deadlock with the runtime suspend path. Fix this by moving pm_runtime_resume_and_get() from the job execution routine to the job submission routine, ensuring the device is resumed before the job is queued and avoiding the deadlock during runtime suspend. | 2026-05-08 | not yet calculated | CVE-2026-43446 | https://git.kernel.org/stable/c/ac72e7385a2c7533dd766de4197134d96230be85 https://git.kernel.org/stable/c/6b13cb8f48a42ddf6dd98865b673a82e37ff238b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix race bug in nvme_poll_irqdisable() In the following scenario, pdev can be disabled between (1) and (3) by (2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). This causes IRQ warning because it tries to enable INTx IRQ that has never been disabled before. To fix this, save IRQ number into a local variable and ensure disable_irq() and enable_irq() operate on the same IRQ number. Even if pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and enable_irq() on a stale IRQ number is still valid and safe, and the depth accounting reamins balanced. task 1: nvme_poll_irqdisable() disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1) enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3) task 2: nvme_reset_work() nvme_dev_disable() pdev->msix_enable = 0; ...(2) crash log: ------------[ cut here ]------------ Unbalanced enable for IRQ 10 WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26 Modules linked in: CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: kblockd blk_mq_timeout_work RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753 Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9 RSP: 0018:ffffc900001bf550 EFLAGS: 00010046 RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90 RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0 RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001 R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000 R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293 FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0 Call Trace: <TASK> enable_irq+0x121/0x1e0 kernel/irq/manage.c:797 nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494 nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744 blk_mq_rq_timed_out block/blk-mq.c:1653 [inline] blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721 bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292 __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline] sbitmap_for_each_set include/linux/sbitmap.h:290 [inline] bt_for_each block/blk-mq-tag.c:324 [inline] blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536 blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763 process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 kthread+0x41a/0x930 kernel/kthread.c:463 ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> irq event stamp: 74478 hardirqs last enabled at (74477): [<ffffffffb5720a9c>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] hardirqs last enabled at (74477): [<ffffffffb5720a9c>] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202 hardirqs last disabled at (74478): [<ffffffffb57207b5>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (74478): [<ffffffffb57207b5>] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162 softirqs last enabled at (74304): [<ffffffffb1e9466c>] __do_softirq kernel/softirq.c:656 [inline] softirqs last enabled at (74304): [<ffffffffb1e9466c>] invoke_softirq kernel/softirq.c:496 [inline] softirqs last enabled at (74304): [<ffffffffb1e9466c>] __irq_exit_rcu+0xdc/0x120 ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43448 | https://git.kernel.org/stable/c/265dbc9bc33c29f60f90be3e0afe1c4067ebb70b https://git.kernel.org/stable/c/628773eba024d1107cc9ec157a682cbb42ac912a https://git.kernel.org/stable/c/843e913cef4e33723663a899727f685a95ab53fe https://git.kernel.org/stable/c/b56c49897bdac5cb49e3495ef421c391628ee9bb https://git.kernel.org/stable/c/e311d84c62eb76e025e11a44155b402e55950b83 https://git.kernel.org/stable/c/fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set dev->online_queues is a count incremented in nvme_init_queue. Thus, valid indices are 0 through dev->online_queues − 1. This patch fixes the loop condition to ensure the index stays within the valid range. Index 0 is excluded because it is the admin queue. KASAN splat: ================================================================== BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74 CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: nvme-reset-wq nvme_reset_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xce/0x5d0 mm/kasan/report.c:482 kasan_report+0xdc/0x110 mm/kasan/report.c:595 __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379 nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252 process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 kthread+0x41a/0x930 kernel/kthread.c:463 ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 34 on cpu 1 at 4.241550s: kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57 kasan_save_track+0x1c/0x70 mm/kasan/common.c:78 kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5657 [inline] __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663 kmalloc_array_node_noprof include/linux/slab.h:1075 [inline] nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline] nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534 local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324 pci_call_probe drivers/pci/pci-driver.c:392 [inline] __pci_device_probe drivers/pci/pci-driver.c:417 [inline] pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451 call_driver_probe drivers/base/dd.c:583 [inline] really_probe+0x29b/0xb70 drivers/base/dd.c:661 __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803 driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833 __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159 async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129 process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 kthread+0x41a/0x930 kernel/kthread.c:463 ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 The buggy address belongs to the object at ffff88800592a000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 244 bytes to the right of allocated 1152-byte region [ffff88800592a000, ffff88800592a480) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff) page_type: f5(slab) raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 head: 000fffffc0000040 ffff888001042000 00000 ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43449 | https://git.kernel.org/stable/c/2b9d605c3f0d3262142f196249cd3bd58c857c71 https://git.kernel.org/stable/c/86183d550559e45e07059bbdf17331fea469e38c https://git.kernel.org/stable/c/d7990c936e25f484b61a5adeeadc1d290a9fd16e https://git.kernel.org/stable/c/83e6edd6358326c9c2de31a54bb4a1ec50703f1f https://git.kernel.org/stable/c/50bad78f03a02d3c0f228edf9912b494d3e7acb9 https://git.kernel.org/stable/c/328c551f0cc81ee776b186b86cc6e5253bb6fda7 https://git.kernel.org/stable/c/78279d2d74c58a0ed64e43cf601a02649771182e https://git.kernel.org/stable/c/b4e78f1427c7d6859229ae9616df54e1fc05a516 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label inside the for loop body. When the "last" helper saved in cb->args[1] is deleted between dump rounds, every entry fails the (cur != last) check, so cb->args[1] is never cleared. The for loop finishes with cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back into the loop body bypassing the bounds check, causing an 8-byte out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize]. The 'goto restart' block was meant to re-traverse the current bucket when "last" is no longer found, but it was placed after the for loop instead of inside it. Move the block into the for loop body so that the restart only occurs while cb->args[0] is still within bounds. BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 Call Trace: nfnl_cthelper_dump_table+0x9f/0x1b0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 sock_recvmsg+0xde/0xf0 __sys_recvfrom+0x150/0x200 __x64_sys_recvfrom+0x76/0x90 do_syscall_64+0xc3/0x6e0 Allocated by task 1: __kvmalloc_node_noprof+0x21b/0x700 nf_ct_alloc_hashtable+0x65/0xd0 nf_conntrack_helper_init+0x21/0x60 nf_conntrack_init_start+0x18d/0x300 nf_conntrack_standalone_init+0x12/0xc0 | 2026-05-08 | not yet calculated | CVE-2026-43450 | https://git.kernel.org/stable/c/0605e1985a95d4334a67869aee45a47e82301abf https://git.kernel.org/stable/c/92441f6d9405a0c18d03f278b395e782f79a4a30 https://git.kernel.org/stable/c/3cc328ffc32ddb389cba7b78b6aa95d995c2876e https://git.kernel.org/stable/c/4a1f6ee69267a5f524102c028981410eeacfa3da https://git.kernel.org/stable/c/894c5780ddadd5fde0e16f66587918e6be1504c4 https://git.kernel.org/stable/c/05018cd9370f77bb18fbf6e15ff33c7a06f10b3c https://git.kernel.org/stable/c/61b3a1f8621df1a5928118313f133996f6a786db https://git.kernel.org/stable/c/6dcee8496d53165b2d8a5909b3050b62ae71fe89 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue entry from the queue data structures, taking ownership of the entry. For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeued entry or its sk_buff. This leaks the nf_queue_entry, its associated sk_buff, and all held references (net_device refcounts, struct net refcount). Repeated triggering exhausts kernel memory. Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict on the error path, consistent with other error handling in this file. | 2026-05-08 | not yet calculated | CVE-2026-43451 | https://git.kernel.org/stable/c/a907bea273b60d3e604ec4e8e1f6c49954805794 https://git.kernel.org/stable/c/0b18d1b834ab5a5009be70b530f978d7989e445b https://git.kernel.org/stable/c/b38d2b4603fd3dda24eb8b3dd81c18a0930be97b https://git.kernel.org/stable/c/47b1c5d1b0944aa88299f55a846fabaefc756982 https://git.kernel.org/stable/c/cf4a4df38d1747e06fc54f9879bd7a6f4178032f https://git.kernel.org/stable/c/9853d94b82d303fc4ac37d592a23a154096ecd41 https://git.kernel.org/stable/c/208669df703a25a601f45822b10c413f258bf275 https://git.kernel.org/stable/c/f1ba83755d81c6fc66ac7acd723d238f974091e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the to_offset argument on every iteration, including the last one where i == m->field_count - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] with NFT_PIPAPO_MAX_FIELDS == 16). Although pipapo_unmap() returns early when is_last is true without using the to_offset value, the argument is evaluated at the call site before the function body executes, making this a genuine out-of-bounds stack read confirmed by KASAN: BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] Read of size 4 at addr ffff8000810e71a4 This frame has 1 object: [32, 160) 'rulemap' The buggy address is at offset 164 -- exactly 4 bytes past the end of the rulemap array. Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid the out-of-bounds read. | 2026-05-08 | not yet calculated | CVE-2026-43453 | https://git.kernel.org/stable/c/1957e793196e7f8557374fd4eda53abcbb42e1c0 https://git.kernel.org/stable/c/57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e https://git.kernel.org/stable/c/60c1d18781e37bfb96290b86510eb01c5fa24d75 https://git.kernel.org/stable/c/0a55d62cdb628923d8a21724374a70c76ac7d19d https://git.kernel.org/stable/c/dfbdac719198778b581bc0dd055df2542edb8c62 https://git.kernel.org/stable/c/e047f6fbb975f685d6c9fcef95b3b7787a79b46d https://git.kernel.org/stable/c/324b749aa5b2d516ccfab933df9d3f56e7807f5f https://git.kernel.org/stable/c/d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mctp: route: hold key->lock in mctp_flow_prepare_output() mctp_flow_prepare_output() checks key->dev and may call mctp_dev_set_key(), but it does not hold key->lock while doing so. mctp_dev_set_key() and mctp_dev_release_key() are annotated with __must_hold(&key->lock), so key->dev access is intended to be serialized by key->lock. The mctp_sendmsg() transmit path reaches mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output() without holding key->lock, so the check-and-set sequence is racy. Example interleaving: CPU0 CPU1 ---- ---- mctp_flow_prepare_output(key, devA) if (!key->dev) // sees NULL mctp_flow_prepare_output( key, devB) if (!key->dev) // still NULL mctp_dev_set_key(devB, key) mctp_dev_hold(devB) key->dev = devB mctp_dev_set_key(devA, key) mctp_dev_hold(devA) key->dev = devA // overwrites devB Now both devA and devB references were acquired, but only the final key->dev value is tracked for release. One reference can be lost, causing a resource leak as mctp_dev_release_key() would only decrease the reference on one dev. Fix by taking key->lock around the key->dev check and mctp_dev_set_key() call. | 2026-05-08 | not yet calculated | CVE-2026-43455 | https://git.kernel.org/stable/c/47893166bc5611ee9a20de6b8d2933b2320fb772 https://git.kernel.org/stable/c/86f5334fcb48a5b611c33364ab52ca684d0f6d91 https://git.kernel.org/stable/c/0695712f3a6f1a48915f95767cfb42077683dcdc https://git.kernel.org/stable/c/925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f https://git.kernel.org/stable/c/8d27d9b260dd19c1b519e1a13de6448f9984e30e https://git.kernel.org/stable/c/7d86aa41c073c4e7eb75fd2e674f1fd8f289728a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mctp: i2c: fix skb memory leak in receive path When 'midev->allow_rx' is false, the newly allocated skb isn't consumed by netif_rx(), it needs to free the skb directly. | 2026-05-08 | not yet calculated | CVE-2026-43457 | https://git.kernel.org/stable/c/0fb2adbdd5c03e8c9ebcdc48afd414b2724c85eb https://git.kernel.org/stable/c/d7900a43b0a314a645ca0a2adf45928dbc7001f4 https://git.kernel.org/stable/c/9f81be2ab9d8e4744871bfb3e868ef413413829f https://git.kernel.org/stable/c/1ec54187e1aa40a4cfa2b265e9a311179f24b98d https://git.kernel.org/stable/c/1b1be322342a6b0085bf6ee52235e5ac9834ec25 https://git.kernel.org/stable/c/e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: caif: hold tty->link reference in ldisc_open and ser_release A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port. Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path. With this change applied, the reproducer no longer triggers the UAF in my testing. | 2026-05-08 | not yet calculated | CVE-2026-43458 | https://git.kernel.org/stable/c/23a3ac2e2262a291498567418227b99e1f3606b1 https://git.kernel.org/stable/c/52135420e9f75853ea0c6cea7b736e3e98495f7d https://git.kernel.org/stable/c/ca2ceba983bb23ea0202c2882d963253416654a3 https://git.kernel.org/stable/c/8460187b4852fd00bd1c76394358053f3fa4d089 https://git.kernel.org/stable/c/27e43356d0defb9fc7fa25265219a3ffeb7b3e98 https://git.kernel.org/stable/c/35b58d3bc716ebb9ebd10fe1cac8c1177242511c https://git.kernel.org/stable/c/97a0bb491cae39478c6225381f14e9ac67b7bba7 https://git.kernel.org/stable/c/288598d80a068a0e9281de35bcb4ce495f189e2a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: rockchip-sfc: Fix double-free in remove() callback The driver uses devm_spi_register_controller() for registration, which automatically unregisters the controller via devm cleanup when the device is removed. The manual call to spi_unregister_controller() in the remove() callback can lead to a double-free. And to make sure controller is unregistered before DMA buffer is unmapped, switch to use spi_register_controller() in probe(). | 2026-05-08 | not yet calculated | CVE-2026-43460 | https://git.kernel.org/stable/c/b6051f2bdd4bd3dde85b68558edd3a6843489221 https://git.kernel.org/stable/c/85fb53351e6a3b921357a2178671e847a087e400 https://git.kernel.org/stable/c/111e2863372c322e836e0c896f6dd9cf4ee08c71 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer() rxrpc_kernel_lookup_peer() can also return error pointers in addition to NULL, so just checking for NULL is not sufficient. Fix this by: (1) Changing rxrpc_kernel_lookup_peer() to return -ENOMEM rather than NULL on allocation failure. (2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the error code returned. | 2026-05-08 | not yet calculated | CVE-2026-43463 | https://git.kernel.org/stable/c/d55fa7cd4b19ba91b34b307d769c149e56ad0a75 https://git.kernel.org/stable/c/54331c5dcc6d97683d7ca2788e7ef9c9505e1477 https://git.kernel.org/stable/c/4245a79003adf30e67f8e9060915bd05cb31d142 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix crash when moving to switchdev mode When moving to switchdev mode when the device doesn't support IPsec, we try to clean up the IPsec resources anyway which causes the crash below, fix that by correctly checking for IPsec support before trying to clean up its resources. [27642.515799] WARNING: arch/x86/mm/fault.c:1276 at do_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490 [27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE ip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink zram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core ib_core [27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted 6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE [27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680 [27642.525362] Code: ff 0f 84 75 03 00 00 48 89 ee 4c 89 e7 e8 5e b9 22 00 49 89 c0 48 85 c0 0f 84 a8 02 00 00 f7 c3 60 80 00 00 74 22 31 c9 eb ae <0f> 0b 48 83 c4 10 48 89 ea 48 89 de 4c 89 f7 5b 5d 41 5c 41 5d 41 [27642.528166] RSP: 0018:ffff88810770f6b8 EFLAGS: 00010046 [27642.529038] RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffff88810b980f00 [27642.530158] RDX: 00000000000000a0 RSI: 0000000000000002 RDI: ffff88810770f728 [27642.531270] RBP: 00000000000000a0 R08: 0000000000000000 R09: 0000000000000000 [27642.532383] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888103f3c4c0 [27642.533499] R13: 0000000000000000 R14: ffff88810770f728 R15: 0000000000000000 [27642.534614] FS: 00007f197c741740(0000) GS:ffff88856a94c000(0000) knlGS:0000000000000000 [27642.535915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [27642.536858] CR2: 00000000000000a0 CR3: 000000011334c003 CR4: 0000000000172eb0 [27642.537982] Call Trace: [27642.538466] <TASK> [27642.538907] exc_page_fault+0x76/0x140 [27642.539583] asm_exc_page_fault+0x22/0x30 [27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30 [27642.541134] Code: 07 85 c0 75 11 ba ff 00 00 00 f0 0f b1 17 75 06 b8 01 00 00 00 c3 31 c0 c3 90 0f 1f 44 00 00 53 9c 5b fa 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 05 48 89 d8 5b c3 89 c6 e8 7e 02 00 00 48 89 d8 5b [27642.543936] RSP: 0018:ffff88810770f7d8 EFLAGS: 00010046 [27642.544803] RAX: 0000000000000000 RBX: 0000000000000202 RCX: ffff888113ad96d8 [27642.545916] RDX: 0000000000000001 RSI: ffff88810770f818 RDI: 00000000000000a0 [27642.547027] RBP: 0000000000000098 R08: 0000000000000400 R09: ffff88810b980f00 [27642.548140] R10: 0000000000000001 R11: ffff888101845a80 R12: 00000000000000a8 [27642.549263] R13: ffffffffa02a9060 R14: 00000000000000a0 R15: ffff8881130d8a40 [27642.550379] complete_all+0x20/0x90 [27642.551010] mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core] [27642.552022] mlx5e_nic_disable+0x12d/0x220 [mlx5_core] [27642.552929] mlx5e_detach_netdev+0x66/0xf0 [mlx5_core] [27642.553822] mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core] [27642.554821] mlx5e_vport_rep_load+0x419/0x590 [mlx5_core] [27642.555757] ? xa_load+0x53/0x90 [27642.556361] __esw_offloads_load_rep+0x54/0x70 [mlx5_core] [27642.557328] mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core] [27642.558320] esw_offloads_enable+0xb4b/0xc90 [mlx5_core] [27642.559247] mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core] [27642.560257] ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core] [27642.561284] mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core] [27642.562334] ? devlink_rate_set_ops_supported+0x21/0x3a0 [27642.563220] devlink_nl_eswitch_set_doit+0x67/0xe0 [27642.564026] genl_family_rcv_msg_doit+0xe0/0x130 [27642.564816] genl_rcv_msg+0x183/0x290 [27642.565466] ? __devlink_nl_pre_doit.isra.0+0x160/0x160 [27642.566329] ? d ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43467 | https://git.kernel.org/stable/c/05c9a6df3646cdd25e0e10e6ef2d20cdba3ed8f9 https://git.kernel.org/stable/c/835778685f157b4fd4683b670cfe4010265bac60 https://git.kernel.org/stable/c/bc72f739f398d9d2e4f3d06f3f75fe98876d5579 https://git.kernel.org/stable/c/24b2795f9683e092dc22a68f487e7aaaf2ddafea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix deadlock between devlink lock and esw->wq esw->work_queue executes esw_functions_changed_event_handler -> esw_vfs_changed_event_handler and acquires the devlink lock. .eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks when esw_vfs_changed_event_handler executes. Fix that by no longer flushing the work to avoid the deadlock, and using a generation counter to keep track of work relevance. This avoids an old handler manipulating an esw that has undergone one or more mode changes: - the counter is incremented in mlx5_eswitch_event_handler_unregister. - the counter is read and passed to the ephemeral mlx5_host_work struct. - the work handler takes the devlink lock and bails out if the current generation is different than the one it was scheduled to operate on. - mlx5_eswitch_cleanup does the final draining before destroying the wq. No longer flushing the workqueue has the side effect of maybe no longer cancelling pending vport_change_handler work items, but that's ok since those are disabled elsewhere: - mlx5_eswitch_disable_locked disables the vport eq notifier. - mlx5_esw_vport_disable disarms the HW EQ notification and marks vport->enabled under state_lock to false to prevent pending vport handler from doing anything. - mlx5_eswitch_cleanup destroys the workqueue and makes sure all events are disabled/finished. | 2026-05-08 | not yet calculated | CVE-2026-43468 | https://git.kernel.org/stable/c/0de867f6e34eae6907b367fd152c55e61cb98608 https://git.kernel.org/stable/c/957d2a58f7f8ebcbdd0a85935e0d2675134b890d https://git.kernel.org/stable/c/3c7313cb41b1b427078440364d2f042c276a1c0b https://git.kernel.org/stable/c/4a7838bebc38374f74baaf88bf2cf8d439a92923 https://git.kernel.org/stable/c/90e7e5d14d0bd25ffd019a3aa39d9f1c05fedbe1 https://git.kernel.org/stable/c/aed763abf0e905b4b8d747d1ba9e172961572f57 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfs: return EISDIR on nfs3_proc_create if d_alias is a dir If we found an alias through nfs3_do_create/nfs_add_or_obtain /d_splice_alias which happens to be a dir dentry, we don't return any error, and simply forget about this alias, but the original dentry we were adding and passed as parameter remains negative. This later causes an oops on nfs_atomic_open_v23/finish_open since we supply a negative dentry to do_dentry_open. This has been observed running lustre-racer, where dirs and files are created/removed concurrently with the same name and O_EXCL is not used to open files (frequent file redirection). While d_splice_alias typically returns a directory alias or NULL, we explicitly check d_is_dir() to ensure that we don't attempt to perform file operations (like finish_open) on a directory inode, which triggers the observed oops. | 2026-05-08 | not yet calculated | CVE-2026-43470 | https://git.kernel.org/stable/c/7e2963773760a664684435201960dd2fb712f1b5 https://git.kernel.org/stable/c/203c792cb4315360d49973ae2e57feeb6d3dcf7e https://git.kernel.org/stable/c/9ee1770fcb2f1b48354622b926e7dc10222805f5 https://git.kernel.org/stable/c/410666a298c34ebd57256fde6b24c96bd23059a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL pointer dereference when accessing hwq->id. This can happen if ufshcd_mcq_req_to_hwq() returns NULL. This patch adds a NULL check for hwq before accessing its id field to prevent a kernel crash. Kernel log excerpt: [<ffffffd5d192dc4c>] notify_die+0x4c/0x8c [<ffffffd5d1814e58>] __die+0x60/0xb0 [<ffffffd5d1814d64>] die+0x4c/0xe0 [<ffffffd5d181575c>] die_kernel_fault+0x74/0x88 [<ffffffd5d1864db4>] __do_kernel_fault+0x314/0x318 [<ffffffd5d2a3cdf8>] do_page_fault+0xa4/0x5f8 [<ffffffd5d2a3cd34>] do_translation_fault+0x34/0x54 [<ffffffd5d1864524>] do_mem_abort+0x50/0xa8 [<ffffffd5d2a297dc>] el1_abort+0x3c/0x64 [<ffffffd5d2a29718>] el1h_64_sync_handler+0x44/0xcc [<ffffffd5d181133c>] el1h_64_sync+0x80/0x88 [<ffffffd5d255c1dc>] ufshcd_add_command_trace+0x23c/0x320 [<ffffffd5d255bad8>] ufshcd_compl_one_cqe+0xa4/0x404 [<ffffffd5d2572968>] ufshcd_mcq_poll_cqe_lock+0xac/0x104 [<ffffffd5d11c7460>] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod] [<ffffffd5d19ab92c>] __handle_irq_event_percpu+0xc8/0x348 [<ffffffd5d19abca8>] handle_irq_event+0x3c/0xa8 [<ffffffd5d19b1f0c>] handle_fasteoi_irq+0xf8/0x294 [<ffffffd5d19aa778>] generic_handle_domain_irq+0x54/0x80 [<ffffffd5d18102bc>] gic_handle_irq+0x1d4/0x330 [<ffffffd5d1838210>] call_on_irq_stack+0x44/0x68 [<ffffffd5d183af30>] do_interrupt_handler+0x78/0xd8 [<ffffffd5d2a29c00>] el1_interrupt+0x48/0xa8 [<ffffffd5d2a29ba8>] el1h_64_irq_handler+0x14/0x24 [<ffffffd5d18113c4>] el1h_64_irq+0x80/0x88 [<ffffffd5d2527fb4>] arch_local_irq_enable+0x4/0x1c [<ffffffd5d25282e4>] cpuidle_enter+0x34/0x54 [<ffffffd5d195a678>] do_idle+0x1dc/0x2f8 [<ffffffd5d195a7c4>] cpu_startup_entry+0x30/0x3c [<ffffffd5d18155c4>] secondary_start_kernel+0x134/0x1ac [<ffffffd5d18640bc>] __secondary_switched+0xc4/0xcc | 2026-05-08 | not yet calculated | CVE-2026-43471 | https://git.kernel.org/stable/c/0614f5618c24fbc3d555efade22887b102ad7ad6 https://git.kernel.org/stable/c/be730f9ee92ae08f2bc4b336967bcfd8183c06fe https://git.kernel.org/stable/c/f4f590c6c9df7453bbda2ef9170b1b09e42a124c https://git.kernel.org/stable/c/93b9e7ee9e93629db80bbc9dab8a874215b89ccf https://git.kernel.org/stable/c/30df81f2228d65bddf492db3929d9fcaffd38fc5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: unshare: fix unshare_fs() handling There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness] > I guess if private means fs->users == 1, the condition could still be true. Unfortunately, it's worse than just a convoluted proof of correctness. Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS (and current->fs->users == 1). We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and flips current->fs->{pwd,root} to corresponding locations in the new namespace. Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM). We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's destroyed and its mount tree is dissolved, but... current->fs->root and current->fs->pwd are both left pointing to now detached mounts. They are pinning those, so it's not a UAF, but it leaves the calling process with unshare(2) failing with -ENOMEM _and_ leaving it with pwd and root on detached isolated mounts. The last part is clearly a bug. There is other fun related to that mess (races with pivot_root(), including the one between pivot_root() and fork(), of all things), but this one is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new fs_struct even if it hadn't been shared in the first place". Sure, we could go for something like "if both CLONE_NEWNS *and* one of the things that might end up failing after copy_mnt_ns() call in create_new_namespaces() are set, force allocation of new fs_struct", but let's keep it simple - the cost of copy_fs_struct() is trivial. Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets a freshly allocated fs_struct, yet to be attached to anything. That seriously simplifies the analysis... FWIW, that bug had been there since the introduction of unshare(2) ;-/ | 2026-05-08 | not yet calculated | CVE-2026-43472 | https://git.kernel.org/stable/c/845bf3c6963a52096d0d3866e4a92db77a0c03d8 https://git.kernel.org/stable/c/d3ffc8f13034af895531a02c30b1fe3a34b46432 https://git.kernel.org/stable/c/d0d99f60538ddb4a62ccaac2168d8f448965f083 https://git.kernel.org/stable/c/d7963d6997fea86a6def242ac36198b86655f912 https://git.kernel.org/stable/c/aa9ebc084505fb26dd90f4d7a249045aad152043 https://git.kernel.org/stable/c/af8f4be3b68ac8caa41c8e5ead0eeaf5e85e42d0 https://git.kernel.org/stable/c/42e21e74061b0ebbd859839f81acf10efad02a27 https://git.kernel.org/stable/c/6c4b2243cb6c0755159bd567130d5e12e7b10d9f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Add NULL checks when resetting request and reply queues The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation of reply or request queues failed, and the driver freed the memory first, but attempted to mem set the content of the freed memory, leading to a system crash. Add NULL pointer checks for reply and request queues before accessing the reply/request memory during cleanup | 2026-05-08 | not yet calculated | CVE-2026-43473 | https://git.kernel.org/stable/c/7df0296ad4e9253d12c6dbe7f120044dddc95600 https://git.kernel.org/stable/c/7da755e0d02e9ca035065127e108d1fed8950dc8 https://git.kernel.org/stable/c/78d3f201f8b609928eade53cf03a52df5415aaf7 https://git.kernel.org/stable/c/e978a36f332ede78eb4de037b517db16265d420d https://git.kernel.org/stable/c/220d7ca70611a73d50ef8e9edac630ed1ececb7c https://git.kernel.org/stable/c/fa96392ebebc8fade2b878acb14cce0f71016503 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: init flags_valid before calling vfs_fileattr_get syzbot reported a uninit-value bug in [1]. Similar to the "*get" context where the kernel's internal file_kattr structure is initialized before calling vfs_fileattr_get(), we should use the same mechanism when using fa. [1] BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517 fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517 vfs_fileattr_get fs/file_attr.c:94 [inline] __do_sys_file_getattr fs/file_attr.c:416 [inline] Local variable fa.i created at: __do_sys_file_getattr fs/file_attr.c:380 [inline] __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372 | 2026-05-08 | not yet calculated | CVE-2026-43474 | https://git.kernel.org/stable/c/379e19e820dd1c6145426b97467728b3b89c0b42 https://git.kernel.org/stable/c/b8c182b2c8c44c6016b11d8af61715ad7ef958a1 https://git.kernel.org/stable/c/cb184dd19154fc486fa3d9e02afe70a97e54e055 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT This resolves the follow splat and lock-up when running with PREEMPT_RT enabled on Hyper-V: [ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002 [ 415.140822] INFO: lockdep is turned off. [ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common [ 415.140846] Preemption disabled at: [ 415.140847] [<ffffffffc0656171>] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc] [ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)} [ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024 [ 415.140857] Call Trace: [ 415.140861] <TASK> [ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc] [ 415.140863] dump_stack_lvl+0x91/0xb0 [ 415.140870] __schedule_bug+0x9c/0xc0 [ 415.140875] __schedule+0xdf6/0x1300 [ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980 [ 415.140879] ? rcu_is_watching+0x12/0x60 [ 415.140883] schedule_rtlock+0x21/0x40 [ 415.140885] rtlock_slowlock_locked+0x502/0x1980 [ 415.140891] rt_spin_lock+0x89/0x1e0 [ 415.140893] hv_ringbuffer_write+0x87/0x2a0 [ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0 [ 415.140900] ? rcu_is_watching+0x12/0x60 [ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc] [ 415.140904] ? HARDIRQ_verbose+0x10/0x10 [ 415.140908] ? __rq_qos_issue+0x28/0x40 [ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod] [ 415.140926] __blk_mq_issue_directly+0x4a/0xc0 [ 415.140928] blk_mq_issue_direct+0x87/0x2b0 [ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440 [ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0 [ 415.140935] __blk_flush_plug+0xf4/0x150 [ 415.140940] __submit_bio+0x2b2/0x5c0 [ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360 [ 415.140946] submit_bio_noacct_nocheck+0x272/0x360 [ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4] [ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4] [ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4] [ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4] [ 415.141060] generic_perform_write+0x14e/0x2c0 [ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4] [ 415.141083] vfs_write+0x2ca/0x570 [ 415.141087] ksys_write+0x76/0xf0 [ 415.141089] do_syscall_64+0x99/0x1490 [ 415.141093] ? rcu_is_watching+0x12/0x60 [ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0 [ 415.141097] ? rcu_is_watching+0x12/0x60 [ 415.141098] ? lock_release+0x1f0/0x2a0 [ 415.141100] ? rcu_is_watching+0x12/0x60 [ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0 [ 415.141103] ? rcu_is_watching+0x12/0x60 [ 415.141104] ? __schedule+0xb34/0x1300 [ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170 [ 415.141109] ? do_nanosleep+0x8b/0x160 [ 415.141111] ? hrtimer_nanosleep+0x89/0x100 [ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10 [ 415.141116] ? xfd_validate_state+0x26/0x90 [ 415.141118] ? rcu_is_watching+0x12/0x60 [ 415.141120] ? do_syscall_64+0x1e0/0x1490 [ 415.141121] ? do_syscall_64+0x1e0/0x1490 [ 415.141123] ? rcu_is_watching+0x12/0x60 [ 415.141124] ? do_syscall_64+0x1e0/0x1490 [ 415.141125] ? do_syscall_64+0x1e0/0x1490 [ 415.141127] ? irqentry_exit+0x140/0 ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43475 | https://git.kernel.org/stable/c/cf00cb15f2515e38d3b7571bf6800b7c6ce70a84 https://git.kernel.org/stable/c/b82462af23e45e066dd56d2736ea70159a6ad647 https://git.kernel.org/stable/c/91ab59f76d0866079420ebff1c7959fcd87a242e https://git.kernel.org/stable/c/e7919a293f9b6101e38bde0d8613daea6c9955df https://git.kernel.org/stable/c/f8db760f4f52a73a022a3d6c84c488ead952a9b5 https://git.kernel.org/stable/c/c2e73d8acd056347a70047e6be7cd98e0e811dfa https://git.kernel.org/stable/c/c7984d196476adcbd51c0ce386d7e90277198d57 https://git.kernel.org/stable/c/57297736c08233987e5d29ce6584c6ca2a831b12 |
| Apache Software Foundation--Apache Wicket | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue. | 2026-05-06 | not yet calculated | CVE-2026-43646 | https://lists.apache.org/thread/6zqcvjyz4lsqty1z2g5hg7pl5fqk88rs |
| Apache Software Foundation--Apache Thrift | Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | 2026-05-05 | not yet calculated | CVE-2026-43868 | https://lists.apache.org/thread/zj76dtwnbbs1m7z3focf4wd51pqpsmn9 |
| Apache Software Foundation--Apache Thrift | Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | 2026-05-05 | not yet calculated | CVE-2026-43869 | https://lists.apache.org/thread/3hsgl1b69wzq3ry39scqbv2dhyl3j52r |
| Apache Software Foundation--Apache Thrift | Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | 2026-05-05 | not yet calculated | CVE-2026-43870 | https://lists.apache.org/thread/pgtfq44ltc9t63kxcbqmwqzt45pnhqdy |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Exploit requires clicking a crafted electerm://... link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts. This issue has been patched in version 3.8.15. | 2026-05-08 | not yet calculated | CVE-2026-43944 | https://github.com/electerm/electerm/security/advisories/GHSA-mpm8-cx2p-626q https://github.com/electerm/electerm/commit/8a6a17951e96d715f5a231532bbd8303fe208700 https://github.com/electerm/electerm/commit/a79e06f4a1f0ac6376c3d2411ef4690fa0377742 https://github.com/electerm/electerm/releases/tag/v3.8.15 |
| absinthe-graphql--absinthe | Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) - a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller. Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required. This issue affects absinthe: from 1.2.0 before 1.10.2. | 2026-05-08 | not yet calculated | CVE-2026-43967 | https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2 https://cna.erlef.org/cves/CVE-2026-43967.html https://osv.dev/vulnerability/EEF-CVE-2026-43967 https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d |
| Apache Software Foundation--Apache Wicket | FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue. | 2026-05-06 | not yet calculated | CVE-2026-43975 | https://github.com/apache/wicket/pull/1432 https://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.4 fails to enforce authorization checks for multiple endpoints in the new GINA UI, allowing unauthenticated remote attackers to access functionality that should require a valid session. | 2026-05-08 | not yet calculated | CVE-2026-44125 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.4 insecurely deserializes untrusted data, which can be reached from the new GINA UI and may allow unauthenticated remote attackers to execute code via a crafted serialized object. | 2026-05-08 | not yet calculated | CVE-2026-44126 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the api.app process. | 2026-05-08 | not yet calculated | CVE-2026-44127 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.2.1 allows unauthenticated remote code execution in the new GINA UI because an endpoint passes attacker-controlled input from a parameter to Perl's eval. | 2026-05-08 | not yet calculated | CVE-2026-44128 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.4 contains a server-side template injection vulnerability in the new GINA UI because an endpoint accepts attacker-controlled template, allowing remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins. | 2026-05-08 | not yet calculated | CVE-2026-44129 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| gitpython-developers--GitPython | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository's .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48. | 2026-05-07 | not yet calculated | CVE-2026-44243 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-7545-fcxq-7j24 https://github.com/gitpython-developers/GitPython/releases/tag/3.1.48 |
| labring--FastGPT | FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses. The fetchData function in the lafModule workflow node uses axios to fetch user-controlled URLs without validating them against the application's internal network blocklist guard (isInternalAddress), bypassing SSRF protections. This issue has been patched in version 4.14.17. | 2026-05-08 | not yet calculated | CVE-2026-44286 | https://github.com/labring/FastGPT/security/advisories/GHSA-xpx6-xcpf-76qg https://github.com/labring/FastGPT/releases/tag/v4.14.17 |
| The Document Foundation--LibreOffice | Out-of-bounds write vulnerability in The Document Foundation LibreOffice via crafted OOXML documents with mismatched encryption salt parameters. This issue affects LibreOffice: from 26.2 before 26.2.3, from 25.8 before 25.8.7. | 2026-05-07 | not yet calculated | CVE-2026-4430 | https://www.libreoffice.org/about-us/security/advisories/cve-2026-4430 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has been patched in version 1.6.32. | 2026-05-08 | not yet calculated | CVE-2026-44335 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q9pw-vmhh-384g |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default - praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joins it onto ~/.praison/rules/ (or, for workflow.show, accepts an absolute path) with no containment check. The JSON-RPC dispatcher passes params["arguments"] blind to each handler via **kwargs without validating against the advertised input schema. By setting rule_name="../../<some-path>" an attacker walks out of the rules directory and writes any file the running user can write. Dropping a Python .pth file into the user site-packages directory escalates this primitive to arbitrary code execution in any subsequent Python process the user spawns - the next praisonai CLI invocation, an IDE script run, the user's python REPL, or any background Python service. This issue has been patched in version 4.6.34. | 2026-05-08 | not yet calculated | CVE-2026-44336 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9mqq-jqxf-grvw |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape - but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter="data". A bundle that contains a symlink with a name inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem. This issue has been patched in version 4.6.37. | 2026-05-08 | not yet calculated | CVE-2026-44340 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9q28-ghcr-c4x3 |
| daptin--daptin | Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no column whitelist check. The entry point is GET /api/<entity> with operator=fuzzy (or fuzzy_any, fuzzy_all). Any authenticated user - including one who self-registered with no admin involvement - can read the entire database. This issue has been patched in version 0.11.5. | 2026-05-07 | not yet calculated | CVE-2026-44349 | https://github.com/daptin/daptin/security/advisories/GHSA-pwqg-q8pg-pp6r https://github.com/daptin/daptin/releases/tag/v0.11.5 |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of returning an error, the normal flow would resume, and the input sighash buffer would be left untouched. In scenarios where a previous signature validation could leave a valid sighash in the buffer, an invalid hash-type could be incorrectly accepted, which would create a consensus split between Zebra and zcashd nodes. This issue has been patched in zebrad version 4.4.0 and zebra-script version 6.0.0. | 2026-05-08 | not yet calculated | CVE-2026-44497 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-gq4h-3grw-2rhv |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while zcashd nodes do not. This issue has been patched in version 4.4.0. | 2026-05-08 | not yet calculated | CVE-2026-44498 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-jv4h-j224-23cc https://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0 |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems - all exercisable from a single TCP connection - to create a monotonically growing block deficit that never self-heals. This issue has been patched in version 4.4.0. | 2026-05-08 | not yet calculated | CVE-2026-44499 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-h9hm-m2xj-4rq9 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435. | 2026-05-08 | not yet calculated | CVE-2026-44656 | https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0 https://github.com/vim/vim/releases/tag/v9.2.0435 |
| czlonkowski--n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting the webhook trigger tools, the n8n API client (N8N_API_URL), and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. This issue has been patched in version 2.50.2. | 2026-05-08 | not yet calculated | CVE-2026-44694 | https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-cmrh-wvq6-wm9r https://github.com/czlonkowski/n8n-mcp/commit/bcaba839409d470abeb4a6ad9b361b553a1098eb https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.50.2 |
| RRWO--Plack::Middleware::Statsd | Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked. Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead. | 2026-05-10 | not yet calculated | CVE-2026-45179 | https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx https://metacpan.org/release/RRWO/Plack-Middleware-Statsd-v0.9.0/changes |
| RRWO--Catalyst::Plugin::Statsd | Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens. | 2026-05-10 | not yet calculated | CVE-2026-45180 | https://github.com/robrwo/CatalystX-Statsd/security/advisories/GHSA-gjvr-hq83-fc38 https://metacpan.org/release/RRWO/Catalyst-Plugin-Statsd-v0.10.0/changes https://www.cve.org/CVERecord?id=CVE-2026-45179 https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx |
| STIGTSP--Net::CIDR::Lite | Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result. Example: my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a"); # incorrectly returns true See also CVE-2026-45191. | 2026-05-10 | not yet calculated | CVE-2026-45190 | https://github.com/stigtsp/Net-CIDR-Lite/commit/ca9542adec87110556601d7ce48381ea8d13e692.patch https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.24/changes https://www.cve.org/CVERecord?id=CVE-2026-45191 |
| STIGTSP--Net::CIDR::Lite | Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass. Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded value. See also CVE-2026-45190. | 2026-05-10 | not yet calculated | CVE-2026-45191 | https://github.com/stigtsp/Net-CIDR-Lite/commit/24e2c439ec405e5256024b9acefd4f7008c5ed0c.patch https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.24/changes https://www.cve.org/CVERecord?id=CVE-2026-45190 |
| Unknown--OttoKit: All-in-One Automation Platform | The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks. | 2026-05-08 | not yet calculated | CVE-2026-4935 | https://wpscan.com/vulnerability/54bc1bf4-1033-49e2-aff9-a14c834c35bd/ |
| CHORNY--Apache::Session::Generate::ModUniqueId | Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation. The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header). The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes. | 2026-05-06 | not yet calculated | CVE-2026-5081 | https://httpd.apache.org/docs/current/mod/mod_unique_id.html https://metacpan.org/pod/Apache::Session::Generate::Random |
| Unknown--Magic Export & Import | The Magic Export & Import WordPress plugin before 1.2.0 stores exported CSV files at a publicly accessible location, making it possible for any visitors to leak sensitive user information. | 2026-05-04 | not yet calculated | CVE-2026-5335 | https://wpscan.com/vulnerability/ed6f00de-bbae-4e89-9d0e-ded0d70e781c/ |
| PHP Group--PHP | In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings. | 2026-05-10 | not yet calculated | CVE-2026-6104 | https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53 |
| PaperCut--PaperCut NG/MF | A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification fails to reach the server, the server may reject the initial data chunk while erroneously accepting subsequent chunks before a connection reset completes. This leads to the registration of a truncated badge ID string. While this typically results in an authentication failure, the vulnerability is compounded in environments utilizing custom badge-ID post-processing scripts. In such configurations, the truncated string may be transformed into a valid ID belonging to a different user, leading to unauthorized session establishment (Incorrect User Login) on the device. | 2026-05-05 | not yet calculated | CVE-2026-6180 | https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/ |
| The Qt Company--Qt | A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image. When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker, followed by an endless recursion that bypasses the marker recursion guard through incorrect virtual dispatch. The result is an application crash (denial of service). This issue affects Qt SVG: from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1. | 2026-05-06 | not yet calculated | CVE-2026-6210 | https://codereview.qt-project.org/c/qt/qtsvg/+/724887 https://issues.oss-fuzz.com/issues/496327371 |
| Remote Spark (https://www.remotespark.com/)--SparkView | A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypasses the local connection check and achieve arbitrary code execution as root on the server side. Depending on implementation the vulnerability can be exploited by an unauthenticated attacker. | 2026-05-08 | not yet calculated | CVE-2026-6213 | https://www.remotespark.com/view/new.html |
| PaperCut--PaperCut NG/MF | An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files. When the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running. | 2026-05-05 | not yet calculated | CVE-2026-6418 | https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/ |
| ILM Informatique--OpenConcerto | Incorrect Permission Assignment for Critical Resource vulnerability in ILM Informatique OpenConcerto allows Replace Binaries. This issue affects OpenConcerto: 1.7.5. | 2026-05-04 | not yet calculated | CVE-2026-6499 | https://www.openconcerto.org/fr/version-1.7.html |
| ILM Informatique--OpenConcerto | Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data. This issue affects OpenConcerto: 1.7.5. | 2026-05-04 | not yet calculated | CVE-2026-6500 | https://www.openconcerto.org/fr/version-1.7.html |
| ILM Informatique--jOpenDocument | Improper restriction of XML external entity reference vulnerability in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup. This issue affects jOpenDocument: 1.5. | 2026-05-04 | not yet calculated | CVE-2026-6501 | https://www.jopendocument.org/documentation.html |
| RSAVAGE--Crypt::PasswdMD5 | Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts. The built-in rand function is predictable, and unsuitable for cryptography. | 2026-05-08 | not yet calculated | CVE-2026-6659 | https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.42/source/lib/Crypt/PasswdMD5.pm#L35-47 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution. | 2026-05-10 | not yet calculated | CVE-2026-6722 | https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page. | 2026-05-10 | not yet calculated | CVE-2026-6735 | https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv |
| GitHub--Enterprise Server | An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the authentication restriction, allowing account creation and session establishment without identity provider validation. The created account was limited to the default base permissions configured on the instance. Exploitation required network access to a GHES instance configured with an external authentication provider. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. | 2026-05-07 | not yet calculated | CVE-2026-6736 | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9 https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6 https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2 |
| ASUS--AsusPTPFilter | An Exposed IOCTL with Insufficient Access Control vulnerability in AsusPTPFilter allows a local user to bypass driver security mechanisms and obtain restricted touchpad information or render the touchpad unusable via crafted IOCTL requests.Refer to the ' Security Update for ASUS Precision Touchpad ' section on the ASUS Security Advisory for more information. | 2026-05-08 | not yet calculated | CVE-2026-6737 | https://www.asus.com/security-advisory |
| WatchGuard--WatchGuard Agent | Use of Hard-coded Cryptographic Key vulnerability in WatchGuard Agent on Windows allows Inclusion of Code in Existing Process.This issue affects WatchGuard Agent: before 1.25.03.0000. | 2026-05-06 | not yet calculated | CVE-2026-6787 | https://www.watchguard.com/wgrd-psirt/advisory/WGSA-2026-00013 |
| WatchGuard--WatchGuard Agent | Uncontrolled Search Path Element vulnerability in WatchGuard Agent on Windows allows Using Malicious Files.This issue affects WatchGuard Agent before 1.25.03.0000. | 2026-05-06 | not yet calculated | CVE-2026-6788 | https://www.watchguard.com/wgrd-psirt/advisory/WGSA-2026-00013 |
| Ercom--Cryptobox | Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link. | 2026-05-07 | not yet calculated | CVE-2026-6805 | https://info.cryptobox.com/doc/v4.40/4.40.en/ |
| Eclipse Foundation--Eclipse Vert.x | A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used. | 2026-05-06 | not yet calculated | CVE-2026-6860 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381 https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6 https://github.com/eclipse-vertx/vert.x/pull/6102 |
| Eclipse Foundation--Eclipse OpenJ9 | In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message. | 2026-05-05 | not yet calculated | CVE-2026-6918 | https://github.com/eclipse-openj9/openj9/security/advisories/GHSA-q393-vr4c-969r https://github.com/eclipse-openj9/openj9/pull/23793 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service. | 2026-05-10 | not yet calculated | CVE-2026-7258 | https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding(). | 2026-05-10 | not yet calculated | CVE-2026-7259 | https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system. | 2026-05-10 | not yet calculated | CVE-2026-7261 | https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service. | 2026-05-10 | not yet calculated | CVE-2026-7262 | https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv |
| PHP Group--PHP | In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application. | 2026-05-10 | not yet calculated | CVE-2026-7263 | https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733 |
| GitHub--Enterprise Server | A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program. | 2026-05-07 | not yet calculated | CVE-2026-7541 | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9 https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6 https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process. | 2026-05-10 | not yet calculated | CVE-2026-7568 | https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57 |
| PaperCut--PaperCut Hive | An issue was discovered in the PaperCut Hive Ricoh embedded application. When the "Deep Logging" (diagnostic) mode is enabled, the application inadvertently records administrative credentials in plain text within the log files. An attacker with administrative access to the PaperCut Hive management portal could remotely enable deep logging and subsequently retrieve sensitive device passwords from the logs after an authorized user authenticates at the device. This exposure allows for the lateral movement or unauthorized configuration of the physical print hardware. | 2026-05-05 | not yet calculated | CVE-2026-7824 | https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/ |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system information. | 2026-05-08 | not yet calculated | CVE-2026-7864 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| Crestron Electronics--Touchpanels (x60/x70) | A hidden console command is vulnerable to command injection flaw when control characters are passed to its second argument. A third party researcher Eugene Lim had discovered vulnerability in the way console command passes to a popen function call. Attackers with authenticated access to SSH console of Crestron devices may use to run underlying OS commands. | 2026-05-05 | not yet calculated | CVE-2026-7865 | https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-003-0015-001 https://www.crestron.com/release_notes/tsw-xx70_3.003.0015.001_release_notes.pdf |
| DIVD--VerySecureApp | The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation. | 2026-05-07 | not yet calculated | CVE-2026-7891 | https://csirt.divd.nl/DIVD-2026-00006/ https://www.divd.nl/mendix.html |
| Google--Chrome | Integer overflow in Blink in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-06 | not yet calculated | CVE-2026-7896 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493747582 |
| Google--Chrome | Use after free in Mobile in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-06 | not yet calculated | CVE-2026-7897 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504069514 |
| Google--Chrome | Use after free in Chromoting in Google Chrome on Linux prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical) | 2026-05-06 | not yet calculated | CVE-2026-7898 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504587882 |
| Google--Chrome | Out of bounds read and write in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7899 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505481948 |
| Google--Chrome | Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7900 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496503799 |
| Google--Chrome | Use after free in ANGLE in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7901 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497724490 |
| Google--Chrome | Out of bounds memory access in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7902 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502030575 |
| Google--Chrome | Integer overflow in ANGLE in Google Chrome on Mac,Windows prior to 148.0.7778.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7903 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/491760376 |
| Google--Chrome | Out of bounds read in Fonts in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7904 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/492350406 |
| Google--Chrome | Insufficient validation of untrusted input in Media in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7905 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495259842 |
| Google--Chrome | Use after free in SVG in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7906 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496284584 |
| Google--Chrome | Use after free in DOM in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7907 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496292089 |
| Google--Chrome | Use after free in Fullscreen in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7908 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497436531 |
| Google--Chrome | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7909 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497437113 |
| Google--Chrome | Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7910 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497543810 |
| Google--Chrome | Use after free in Aura in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7911 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497548912 |
| Google--Chrome | Integer overflow in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7912 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497639714 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7913 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497936728 |
| Google--Chrome | Type Confusion in Accessibility in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7914 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498401609 |
| Google--Chrome | Insufficient data validation in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7915 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498454478 |
| Google--Chrome | Insufficient data validation in InterestGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7916 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498720754 |
| Google--Chrome | Use after free in Fullscreen in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7917 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498752242 |
| Google--Chrome | Use after free in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7918 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498780188 |
| Google--Chrome | Use after free in Aura in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7919 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498832921 |
| Google--Chrome | Use after free in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7920 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498989348 |
| Google--Chrome | Use after free in Passwords in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7921 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499062376 |
| Google--Chrome | Use after free in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7922 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499449324 |
| Google--Chrome | Out of bounds write in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7923 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500080194 |
| Google--Chrome | Uninitialized Use in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7924 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500087204 |
| Google--Chrome | Use after free in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7925 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501833981 |
| Google--Chrome | Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7926 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502249087 |
| Google--Chrome | Type Confusion in Runtime in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7927 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502830119 |
| Google--Chrome | Use after free in WebRTC in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7928 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504612429 |
| Google--Chrome | Use after free in MediaRecording in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7929 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504660052 |
| Google--Chrome | Insufficient validation of untrusted input in Cookies in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7930 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/434825208 |
| Google--Chrome | Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7931 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/474338157 |
| Google--Chrome | Insufficient policy enforcement in Downloads in Google Chrome prior to 148.0.7778.96 allowed a local attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7932 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/481634116 |
| Google--Chrome | Out of bounds read in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7933 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/488585490 |
| Google--Chrome | Insufficient validation of untrusted input in Popup Blocker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7934 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/489023922 |
| Google--Chrome | Inappropriate implementation in Speech in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7935 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/489624550 |
| Google--Chrome | Object lifecycle issue in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7936 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/490485402 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7937 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/491766258 |
| Google--Chrome | Use after free in CSS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7938 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/492735384 |
| Google--Chrome | Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7939 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/492963096 |
| Google--Chrome | Use after free in V8 in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7940 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493631402 |
| Google--Chrome | Insufficient validation of untrusted input in Mobile in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7941 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493955234 |
| Google--Chrome | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7942 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495363705 |
| Google--Chrome | Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7943 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495373657 |
| Google--Chrome | Insufficient validation of untrusted input in Persistent Cache in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7944 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495783187 |
| Google--Chrome | Insufficient validation of untrusted input in COOP in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7945 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495802788 |
| Google--Chrome | Insufficient policy enforcement in WebUI in Google Chrome on Linux, Mac, Windows, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7946 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496016840 |
| Google--Chrome | Insufficient validation of untrusted input in Network in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7947 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496169594 |
| Google--Chrome | Race in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7948 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496193452 |
| Google--Chrome | Out of bounds read in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7949 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496206134 |
| Google--Chrome | Out of bounds read and write in GFX in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via malicious network traffic. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7950 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496259890 |
| Google--Chrome | Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7951 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496266456 |
| Google--Chrome | Insufficient policy enforcement in Extensions in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7952 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496279876 |
| Google--Chrome | Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via malicious network traffic. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7953 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496379792 |
| Google--Chrome | Race in Shared Storage in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7954 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496380960 |
| Google--Chrome | Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7955 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496441232 |
| Google--Chrome | Use after free in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7956 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496463315 |
| Google--Chrome | Out of bounds write in Media in Google Chrome on Mac, iOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7957 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496607380 |
| Google--Chrome | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7958 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496632973 |
| Google--Chrome | Inappropriate implementation in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7959 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496645205 |
| Google--Chrome | Race in Speech in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7960 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497007825 |
| Google--Chrome | Insufficient validation of untrusted input in Permissions in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to leak cross-origin data via malicious network traffic. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7961 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497008295 |
| Google--Chrome | Insufficient policy enforcement in DirectSockets in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7962 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497081987 |
| Google--Chrome | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7963 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497250399 |
| Google--Chrome | Insufficient validation of untrusted input in FileSystem in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7964 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497254383 |
| Google--Chrome | Insufficient validation of untrusted input in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7965 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497255035 |
| Google--Chrome | Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7966 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497341787 |
| Google--Chrome | Insufficient validation of untrusted input in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7967 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497365545 |
| Google--Chrome | Insufficient validation of untrusted input in CORS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7968 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497432281 |
| Google--Chrome | Integer overflow in Network in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7969 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497450574 |
| Google--Chrome | Use after free in TopChrome in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7970 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497487462 |
| Google--Chrome | Inappropriate implementation in ORB in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7971 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497529290 |
| Google--Chrome | Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7972 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497546281 |
| Google--Chrome | Integer overflow in Dawn in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7973 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497565944 |
| Google--Chrome | Use after free in Blink in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7974 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497649372 |
| Google--Chrome | Use after free in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7975 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497735587 |
| Google--Chrome | Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7976 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497736679 |
| Google--Chrome | Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7977 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497821223 |
| Google--Chrome | Inappropriate implementation in Companion in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to perform OS-level privilege escalation via malicious network traffic. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7978 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497828892 |
| Google--Chrome | Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7979 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497849876 |
| Google--Chrome | Use after free in WebAudio in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7980 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497859275 |
| Google--Chrome | Out of bounds read in Codecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7981 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497926602 |
| Google--Chrome | Uninitialized Use in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7982 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497952533 |
| Google--Chrome | Out of bounds read in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7983 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497975608 |
| Google--Chrome | Use after free in ReadingMode in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7984 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498277368 |
| Google--Chrome | Use after free in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7985 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498352423 |
| Google--Chrome | Insufficient policy enforcement in Autofill in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7986 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498396238 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7987 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498696266 |
| Google--Chrome | Type Confusion in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7988 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498753456 |
| Google--Chrome | Insufficient data validation in DataTransfer in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7989 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498765082 |
| Google--Chrome | Insufficient validation of untrusted input in Updater in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7990 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498892267 |
| Google--Chrome | Use after free in UI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7991 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499065126 |
| Google--Chrome | Insufficient validation of untrusted input in UI in Google Chrome on Linux, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7992 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499067529 |
| Google--Chrome | Insufficient validation of untrusted input in Payments in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7993 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499099003 |
| Google--Chrome | Inappropriate implementation in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7994 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499116954 |
| Google--Chrome | Out of bounds read in AdFilter in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7995 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501745798 |
| Google--Chrome | Insufficient validation of untrusted input in SSL in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-7996 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/484547631 |
| Google--Chrome | Insufficient validation of untrusted input in Updater in Google Chrome on Mac prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-7997 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/487960705 |
| Google--Chrome | Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-7998 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/491676472 |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-7999 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493099941 |
| Google--Chrome | Insufficient validation of untrusted input in ChromeDriver in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8000 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/494464734 |
| Google--Chrome | Use After Free in Printing in Google Chrome on Linux, Mac, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8001 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/494764371 |
| Google--Chrome | Use after free in Audio in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8002 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495779613 |
| Google--Chrome | Insufficient validation of untrusted input in TabGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8003 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495985532 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8004 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496189510 |
| Google--Chrome | Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to bypass same origin policy via malicious network traffic. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8005 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496298665 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8006 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496373088 |
| Google--Chrome | Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8007 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496399759 |
| Google--Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8008 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496426191 |
| Google--Chrome | Inappropriate implementation in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8009 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496555077 |
| Google--Chrome | Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8010 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496624084 |
| Google--Chrome | Insufficient policy enforcement in Search in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8011 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496626029 |
| Google--Chrome | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8012 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496628298 |
| Google--Chrome | Insufficient validation of untrusted input in FedCM in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8013 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497427430 |
| Google--Chrome | Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8014 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497490364 |
| Google--Chrome | Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8015 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497548558 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8016 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497695401 |
| Google--Chrome | Side-channel information leakage in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8017 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497722578 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8018 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498292657 |
| Google--Chrome | Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8019 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498353173 |
| Google--Chrome | Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8020 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498382925 |
| Google--Chrome | Script injection in UI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8021 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498417031 |
| Google--Chrome | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8022 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499194407 |
| GitHub--Enterprise Server | A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program. | 2026-05-07 | not yet calculated | CVE-2026-8034 | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9 https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6 https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2 |
| Acer--PredatorSense V3 | PredatorSense version 3.00.3136 to 3.00.3196 contain Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges. | 2026-05-08 | not yet calculated | CVE-2026-8069 | https://community.acer.com/en/kb/articles/19652 |
| CashDro--CashDro 3 Administration Panel | Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system. | 2026-05-08 | not yet calculated | CVE-2026-8076 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cashdro-3 https://labs.itresit.es/2026/05/07/cashdro-vulnerabilities-from-pentest-to-stealing-money/ |
| CashDro--CashDro 3 Administration Panel | Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the 'Permissions' field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management. | 2026-05-08 | not yet calculated | CVE-2026-8077 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cashdro-3 https://labs.itresit.es/2026/05/07/cashdro-vulnerabilities-from-pentest-to-stealing-money/ |
| misp--misp | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value. This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38 | 2026-05-07 | not yet calculated | CVE-2026-8080 | https://github.com/MISP/MISP/commit/62824e5ca0056d01b195f70466ea0d382cca06d0 |
| Mozilla--Firefox | Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2. | 2026-05-07 | not yet calculated | CVE-2026-8090 | https://bugzilla.mozilla.org/show_bug.cgi?id=2034352 https://www.mozilla.org/security/advisories/mfsa2026-40/ https://www.mozilla.org/security/advisories/mfsa2026-41/ https://www.mozilla.org/security/advisories/mfsa2026-42/ https://www.mozilla.org/security/advisories/mfsa2026-43/ https://www.mozilla.org/security/advisories/mfsa2026-44/ |
| Mozilla--Firefox | Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2. | 2026-05-07 | not yet calculated | CVE-2026-8091 | https://bugzilla.mozilla.org/show_bug.cgi?id=2029301 https://www.mozilla.org/security/advisories/mfsa2026-30/ https://www.mozilla.org/security/advisories/mfsa2026-33/ https://www.mozilla.org/security/advisories/mfsa2026-36/ https://www.mozilla.org/security/advisories/mfsa2026-39/ https://www.mozilla.org/security/advisories/mfsa2026-42/ |
| Mozilla--Firefox | Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2. | 2026-05-07 | not yet calculated | CVE-2026-8092 | Memory safety bugs fixed in Thunderbird ESR 140.10.2 and Thunderbird 150.0.2 https://www.mozilla.org/security/advisories/mfsa2026-40/ https://www.mozilla.org/security/advisories/mfsa2026-41/ https://www.mozilla.org/security/advisories/mfsa2026-42/ https://www.mozilla.org/security/advisories/mfsa2026-43/ https://www.mozilla.org/security/advisories/mfsa2026-44/ |
| Mozilla--Firefox | Memory safety bugs present in Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2 and Thunderbird 150.0.2. | 2026-05-07 | not yet calculated | CVE-2026-8093 | Memory safety bugs fixed in Thunderbird 150.0.2 https://www.mozilla.org/security/advisories/mfsa2026-40/ https://www.mozilla.org/security/advisories/mfsa2026-43/ |
| Mozilla--Firefox | Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2. | 2026-05-07 | not yet calculated | CVE-2026-8094 | https://bugzilla.mozilla.org/show_bug.cgi?id=2035939 https://www.mozilla.org/security/advisories/mfsa2026-41/ https://www.mozilla.org/security/advisories/mfsa2026-44/ |
| GitHub--Enterprise Server | A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacker to inject a form element that could capture administrator credentials. Exploitation required an administrator to click a crafted link and enter their credentials. This vulnerability affected GitHub Enterprise Server versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1, and was fixed in versions 3.19.6 and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program. | 2026-05-07 | not yet calculated | CVE-2026-8106 | https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6 https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2 |
| CERT/CC--VINCE | VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates. | 2026-05-07 | not yet calculated | CVE-2026-8142 | https://kb.cert.org/vince https://github.com/CERTCC/VINCE |
| NAVER--NAVER MYBOX Explorer | NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks. | 2026-05-08 | not yet calculated | CVE-2026-8148 | https://cve.naver.com/detail/cve-2026-8148.html |
| Legion of the Bouncy Castle Inc.--BC-FJA | A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA BC-FIPS on Linux, X86_64, AVX, AVX-512f. This vulnerability is associated with program files gcm128w, gcm512w. This issue affects BC-FJA: from 2.1.0 through 2.1.2. | 2026-05-08 | not yet calculated | CVE-2026-8149 | https://do-not-publish.bouncycastle.org/do_not_publish |
| SHLOMIF--XML::LibXML | XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service. | 2026-05-10 | not yet calculated | CVE-2026-8177 | https://github.com/cpan-authors/XML-LibXML/issues/146 https://github.com/cpan-authors/XML-LibXML/pull/149 https://github.com/cpan-authors/XML-LibXML/commit/15652bd905a6c9dda59a81b14d4766adbbae2ea8.patch |
| gibbonedu--gibbon | Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145 feature. Successful exploitation requires Teacher or higher privileges. Exploitation could result in unintended read/write activities to the underlying database. | 2026-05-09 | not yet calculated | CVE-2026-8207 | https://projectblack.io/blog/gibbon-v30-authenticated-sql-injection-and-rce/#sql-injectiongetting-warmed-up https://github.com/GibbonEdu/core/releases/tag/v30.0.01 |
| gibbonedu--gibbon | Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server. | 2026-05-09 | not yet calculated | CVE-2026-8208 | https://projectblack.io/blog/gibbon-v30-authenticated-sql-injection-and-rce/#local-file-inclusionthe-next-shiny-new-thing https://github.com/GibbonEdu/core/releases/tag/v30.0.01 |
| gibbonedu--gibbon | Gibbon versions before v30.0.01 are affected by a path traversal vulnerability resulting in DOS by attempting extraction of web application PHP files, failed .zip extraction results in deletion of the file and a DOS condition. Successful exploitation requires Teacher or higher privileges. Exploitation could result in loss of availability of the web application. | 2026-05-09 | not yet calculated | CVE-2026-8209 | https://github.com/GibbonEdu/core/releases/tag/v30.0.01 https://projectblack.io/blog/gibbon-v30-authenticated-sql-injection-and-rce/#denial-of-service-via-path-traversal |
Vulnerability Summary for the Week of April 27, 2026
Posted on Wednesday May 06, 2026
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| n/a-- OVMS3 3.3.005 | Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted GVRET frames. | 2026-05-01 | 10 | CVE-2026-37541 | https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| tendacn[.]com-- W308R | Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change DNS servers and redirect user traffic to malicious sites. | 2026-04-29 | 9.8 | CVE-2018-25316 | ExploitDB-44373 VulnCheck Advisory: Tenda W308R v2 V5.07.48 Cookie Session Weakness DNS Change |
| tendacn[.]com--W3002R | Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers. | 2026-04-29 | 9.8 | CVE-2018-25317 | ExploitDB-44380 VulnCheck Advisory: Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change |
| tendacn[.]com--FH303/A300 | Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites. | 2026-04-29 | 9.8 | CVE-2018-25318 | ExploitDB-44381 VulnCheck Advisory: Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change |
| Weaver Network Co., Ltd.--E-office | Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types. Attackers can upload PHP webshells to the Document directory and execute them via HTTP GET requests to achieve remote code execution as the web server user. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-10-10 (UTC). | 2026-04-30 | 9.8 | CVE-2022-50993 | https://service.e-office.cn/knowledge/detail/5 https://cn-sec.com/archives/1453025.html https://bbs.chaitin.cn/topic/37 https://www.vulncheck.com/advisories/weaver-e-office-10-0-20221201-unauthenticated-arbitrary-file-read-via-xmlrpcservlet |
| synway[.]net-- SMG Gateway Management | Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC). | 2026-04-30 | 9.8 | CVE-2025-71284 | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/synway/synwaysmg-radius-rce.yaml https://mrxn.net/jswz/synway-9-2radius-rce.html https://mp.weixin.qq.com/s/PyepoFSuQ63E3RnpQa9nsA https://www.synway.net/ https://www.vulncheck.com/advisories/synway-smg-gateway-management-software-os-command-injection-via-radius-address |
| Directorist Booking--Directorist Booking | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Directorist Booking allows SQL Injection.This issue affects Directorist Booking: from n/a before 3.0.2. | 2026-04-27 | 9.3 | CVE-2026-22336 | https://patchstack.com/database/wordpress/plugin/directorist-booking/vulnerability/wordpress-directorist-booking-plugin-2-4-1-sql-injection-vulnerability?_s_id=cve |
| Directorist--Directorist Social Login | Incorrect Privilege Assignment vulnerability in Directorist Directorist Social Login allows Privilege Escalation.This issue affects Directorist Social Login: from n/a before 2.1.4. | 2026-04-27 | 9.8 | CVE-2026-22337 | https://patchstack.com/database/wordpress/plugin/directorist-social-login/vulnerability/wordpress-directorist-social-login-plugin-2-1-1-privilege-escalation-vulnerability?_s_id=cve |
| Milesight--MS-Cxx63-PD | Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys. | 2026-04-27 | 9.8 | CVE-2026-32644 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| n/a--Automotive Grade Linux (AGL) | AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal sequences it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT) which resolves dot notation values relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in function install_widget in file wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory files written outside via path traversal persist permanently. | 2026-05-01 | 9.8 | CVE-2026-37531 | https://gerrit.automotivelinux.org/gerrit/src/app-framework-main https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a-- cannelloni v2.0.0 | Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and decoder.cpp in function decodeFrame allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames. | 2026-05-01 | 9.8 | CVE-2026-37539 | https://github.com/mguentner/cannelloni https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| Carlson Software--VASCO-B GNSS Receiver | The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials. | 2026-04-28 | 9.4 | CVE-2026-3893 | https://www.carlsonsw.com/support-and-training/ https://www.cve.org/CVERecord?id=CVE-2026-3893 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-02.json |
| Mersenne--Prime95 | Prime95 29.4b8 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling (SEH) mechanisms. Attackers can inject malicious payload through the optional proxy hostname field in the PrimeNet connection settings to trigger the overflow and execute system commands. | 2026-04-29 | 8.4 | CVE-2018-25299 | ExploitDB-44649 Official Product Homepage Product Reference VulnCheck Advisory: Prime95 29.4b8 Local Buffer Overflow via SEH |
| xataboost--XATABoost CMS | XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Attackers can send GET requests to news.php with malicious id values to extract sensitive database information. | 2026-04-29 | 8.2 | CVE-2018-25300 | ExploitDB-44622 Official Product Homepage VulnCheck Advisory: XATABoost CMS 1.0.0 SQL Injection via news.php |
| Easy MPEG--Easy MPEG to DVD Burner | Easy MPEG to DVD Burner 1.7.11 contains a structured exception handling (SEH) local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious username string. Attackers can craft a payload containing junk data, SEH chain pointers, and shellcode that overwrites the SEH handler to redirect execution and run arbitrary commands like opening calc.exe. | 2026-04-29 | 8.4 | CVE-2018-25301 | ExploitDB-44565 Product Reference VulnCheck Advisory: Easy MPEG to DVD Burner 1.7.11 SEH Local Buffer Overflow |
| Alloksoft--Allok Video to DVD Burner | Allok Video to DVD Burner 2.6.1217 contains a stack-based buffer overflow vulnerability in the License Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overwrite. Attackers can craft a malicious input string with 780 bytes of junk data followed by SEH chain pointers and shellcode, then paste it into the License Name field during registration to achieve code execution. | 2026-04-29 | 8.4 | CVE-2018-25303 | ExploitDB-44518 Official Product Homepage VulnCheck Advisory: Allok Video to DVD Burner 2.6.1217 Buffer Overflow SEH |
| Filehippo--Free Download Manager | Free Download Manager 2.0 Built 417 contains a local buffer overflow vulnerability in the URL import functionality that allows attackers to trigger a structured exception handler (SEH) chain exploitation. Attackers can craft a malicious URL file that, when imported through the File > Import > Import lists of downloads menu, causes a buffer overflow in the Location header response that overwrites the SEH chain and executes arbitrary code. | 2026-04-29 | 8.4 | CVE-2018-25304 | ExploitDB-44499 Product Reference VulnCheck Advisory: Free Download Manager 2.0 Built 417 Local Buffer Overflow SEH |
| Sysgauge--SysGauge Pro | SysGauge Pro 4.6.12 contains a local buffer overflow vulnerability in the Register function that allows local attackers to overwrite the structured exception handler by supplying a crafted unlock key. Attackers can inject shellcode through the Unlock Key field during registration to execute arbitrary code with application privileges. | 2026-04-29 | 8.4 | CVE-2018-25307 | ExploitDB-44455 VulnCheck Advisory: SysGauge Pro 4.6.12 Local Buffer Overflow SEH |
| donmik--Buddypress Xprofile Custom Fields Type | BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the field_hiddenfile and field_deleteimg parameters during profile editing to unlink files from the server. | 2026-04-29 | 8.8 | CVE-2018-25308 | ExploitDB-44432 Official Product Homepage VulnCheck Advisory: BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution |
| Alloksoft--WMV to AVI MPEG DVD WMV Converter | Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized string in the License Name field. Attackers can craft a malicious input containing shellcode with structured exception handler (SEH) overwrite to bypass protections and execute code with application privileges. | 2026-04-29 | 8.4 | CVE-2018-25314 | ExploitDB-44365 Official Product Homepage Product Reference VulnCheck Advisory: Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 Buffer Overflow |
| Alloksoft--Video Joiner | Alloksoft Video joiner 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a payload with structured exception handler (SEH) overwrite and shellcode to achieve code execution when the application processes the license registration input. | 2026-04-29 | 8.4 | CVE-2018-25315 | ExploitDB-44364 Official Product Homepage Product Reference VulnCheck Advisory: Alloksoft Video joiner 4.6.1217 Buffer Overflow via License Name |
| marketingfire--Widget Options Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | The Widget Options - Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability was partially patched in version 4.2.0. | 2026-05-02 | 8.8 | CVE-2026-2052 | https://www.wordfence.com/threat-intel/vulnerabilities/id/68023557-fc92-4cf6-96b4-405ff5a5fd5a?source=cve https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/widgets/gutenberg/gutenberg-toolbar.php#L843 https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L495 https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L534 https://plugins.trac.wordpress.org/changeset/3481338/ https://plugins.trac.wordpress.org/changeset/3514411/ |
| Milesight--MS-Cxx63-PD | An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras. | 2026-04-27 | 8.8 | CVE-2026-20766 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| wclovers--WCFM Frontend Manager for WooCommerce | The WCFM - Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators. | 2026-05-02 | 8.1 | CVE-2026-2554 | https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386 https://plugins.trac.wordpress.org/changeset/3483695/ |
| opencats--OpenCATS | OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete. | 2026-04-28 | 8.1 | CVE-2026-27760 | https://chocapikk.com/posts/2026/opencats-installer-rce/ https://github.com/opencats/OpenCATS/pull/706 https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6 https://github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.php#L142-L172 https://github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.php#L130 https://www.vulncheck.com/advisories/opencats-php-code-injection-via-installer-ajax-endpoint |
| Milesight--MS-Cxx63-PD | Specific firmware versions of Milesight AIOT camera firmware contain hard-coded credentials. | 2026-04-27 | 8.8 | CVE-2026-27785 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| Cockpit--Cockpit CMS | Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server. | 2026-04-29 | 8.8 | CVE-2026-34965 | https://github.com/agentejo/cockpit https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90 https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9 https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-via-collections |
| n/a--(UDS) & OBD-II (On Board Diagnostics for Vehicles) | miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) contains a stack buffer overflow in send_diagnostic_request. A 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) receives memcpy at offset 1+pid_length with payload_length bytes. MAX_UDS_REQUEST_PAYLOAD_LENGTH=7, so 1+2+7=10 exceeds buffer by 4 bytes. No bounds check on payload_length before memcpy. | 2026-05-01 | 8.8 | CVE-2026-37536 | https://github.com/miaofng/uds-c https://github.com/openxc/uds-c https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a--Open-SAE-J1939 (Daniel Martensson) | collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8_t index = data[0] - 1. When data[0] (sequence number from CAN frame) is 0, index underflows to 255. Subsequent write at tp_dt->data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes. | 2026-05-01 | 8.1 | CVE-2026-37537 | https://github.com/DanielMartensson/Open-SAE-J1939 https://github.com/collin80/Open-SAE-J1939 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| openampproject[.]org--OpenAMP v2025.10.0 | OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elf_loader.c, it performs multiplication of two attacker-controlled 16-bit values from the ELF header without overflow checking. On 32-bit embedded systems (STM32MP1, Zynq, i.MX), large values can cause the product to wrap around to a small value. | 2026-05-01 | 8.4 | CVE-2026-37540 | https://github.com/OpenAMP/open-amp https://github.com/OpenAMP/open-amp/blob/main/lib/remoteproc/elf_loader.c https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a--MixPHP Framework 2.x | Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution. | 2026-05-01 | 8.4 | CVE-2026-37552 | https://github.com/mix-php/mix https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975 |
| benjaminprojas--WP Editor | The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page' and 'add_themes_page' functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. | 2026-05-01 | 8.8 | CVE-2026-3772 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b1bc4a87-d5de-4d66-9cc5-802ef11f886c?source=cve https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorPlugins.php#L60 https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorThemes.php#L103 https://plugins.trac.wordpress.org/changeset/3480577/ |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0. | 2026-04-30 | 8.1 | CVE-2026-40600 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| TRENDnet--TEW-821DAP | A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the function auto_update_firmware of the component Firmware Udpate. The manipulation of the argument str leads to buffer overflow. The attack may be initiated remotely. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 8.8 | CVE-2026-7607 | VDB-360564 | TRENDnet TEW-821DAP Firmware Udpate auto_update_firmware buffer overflow VDB-360564 | CTI Indicators (IOB, IOC, IOA) Submit #806214 | Trendnet TEW-821DAP v1.12B01 CWE-120 Buffer Copy without Checking Size of Input https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_BO.md |
| carazo--Import and export users and customers | The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within the Multisite network by submitting a crafted profile update to `/wp-admin/profile.php`. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the 'Show fields in profile?' option, which causes those keys to be stored in the `acui_columns` option and exposed as editable fields on the user profile page. | 2026-05-02 | 8.8 | CVE-2026-7641 | https://www.wordfence.com/threat-intel/vulnerabilities/id/368cff00-6a86-443e-aec4-4115a229a3c1?source=cve https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/multisite.php#L21 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/multisite.php#L21 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/multisite.php#L21 https://plugins.trac.wordpress.org/changeset/3515646 |
| Cozmoslabs--Profile Builder Pro | The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory. | 2026-05-02 | 8.1 | CVE-2026-7647 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271 https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271 https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13 https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13 |
| Shenzhen Libituo Technology--LBT-T300-HW1 | A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. This issue affects the function start_single_service of the component Web Management Interface. Executing a manipulation of the argument vpn_pptp_server/vpn_l2tp_server can lead to buffer overflow. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7674 | VDB-360827 | Shenzhen Libituo Technology LBT-T300-HW1 Web Management start_single_service buffer overflow VDB-360827 | CTI Indicators (IOB, IOC, IOA) Submit #800705 | Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow Submit #800706 | Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow (Duplicate) https://github.com/hmKunlun/lbt-t300-hw1/blob/main/reselov_vpn_server%EF%BC%88vpn_pptp_server%EF%BC%89.md |
| Shenzhen Libituo Technology--LBT-T300-HW1 | A vulnerability has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. Impacted is the function start_lan of the file /apply.cgi. The manipulation of the argument Channel/ApCliSsid leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7675 | VDB-360828 | Shenzhen Libituo Technology LBT-T300-HW1 apply.cgi start_lan buffer overflow VDB-360828 | CTI Indicators (IOB, IOC, IOA) Submit #800708 | Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow Submit #800709 | Libtor Technology <=V1.2.8 Buffer Overflow (Duplicate) https://github.com/hmKunlun/lbt-t300-hw1/blob/main/generate_conf_router(Channel).md |
| Edimax--BR-6428nC | A security vulnerability has been detected in Edimax BR-6428nC up to 1.16. This impacts an unknown function of the file /goform/setWAN. Such manipulation of the argument pptpDfGateway leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7684 | VDB-360843 | Edimax BR-6428nC setWAN buffer overflow VDB-360843 | CTI Indicators (IOB, IOC, IOA) Submit #801599 | Edimax BR-6428nC v1.16 Buffer Overflow https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2 |
| Edimax--BR-6208AC | A vulnerability was detected in Edimax BR-6208AC up to 1.02. Affected is an unknown function of the file /goform/setWAN. Performing a manipulation of the argument pptpDfGateway results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7685 | VDB-360844 | Edimax BR-6208AC setWAN buffer overflow VDB-360844 | CTI Indicators (IOB, IOC, IOA) Submit #801606 | Edimax BR-6208AC V2_1.02 Buffer Overflow https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2 |
| Alloksoft--Allok AVI to DVD SVCD VCD Converter | Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a structured exception handling (SEH) based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a payload with junk data, NSEH bypass, SEH handler address, and shellcode that triggers the overflow when pasted into the License Name field and the Register button is clicked, resulting in code execution. | 2026-04-29 | 7.8 | CVE-2018-25302 | ExploitDB-44549 Official Product Homepage VulnCheck Advisory: Allok AVI to DVD SVCD VCD Converter 4.0.1217 Buffer Overflow SEH |
| mybb--MyBB Recent threads | MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page. | 2026-04-29 | 7.2 | CVE-2018-25309 | ExploitDB-44420 Product Reference VulnCheck Advisory: MyBB Recent threads 17.0 Persistent Cross-Site Scripting |
| Weaver Network Co., Ltd.--E-cology | Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC). | 2026-04-30 | 7.5 | CVE-2022-50992 | https://www.weaver.com.cn/cs/securityDownload.html# https://www.weaver.com.cn/cs/ecology_full_log.html https://www.cnvd.org.cn/flaw/show/CNVD-2022-43245 https://blog.csdn.net/qq_36618918/article/details/135104295 https://blog.csdn.net/xiayu729100940/article/details/135205082 https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-arbitrary-file-read-via-xmlrpcservlet |
| n/a--django-mdeditor | All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names. | 2026-04-30 | 7.1 | CVE-2025-13030 | https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926 https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25 https://github.com/pylixm/django-mdeditor/issues/151 https://github.com/pylixm/django-mdeditor/pull/185 https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe |
| CryptPad--CryptPad | CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2. | 2026-04-30 | 7.5 | CVE-2025-51846 | url url url url |
| Zyxel--DX3301-T0 firmware | A post-authentication command injection vulnerability in the "DomainName" parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device. | 2026-04-28 | 7.2 | CVE-2026-1460 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026 |
| OPPO--ColorOS Assistant | ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal. | 2026-04-30 | 7.1 | CVE-2026-22070 | https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024 |
| VEGA Grieshaber--VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL) | An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes. | 2026-04-28 | 7.5 | CVE-2026-3323 | https://certvde.com/en/advisories/VDE-2026-016 https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json |
| redhat[.]com--DTLS | A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service. | 2026-04-30 | 7.5 | CVE-2026-33845 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-33845 RHBZ#2450624 |
| Dell--iDRAC10 | Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low‑privileged attacker to gain elevated access. | 2026-04-29 | 7.1 | CVE-2026-35155 | https://www.dell.com/support/kbdoc/en-us/000452298/dsa-2026-187-security-update-for-dell-idrac10-vulnerability |
| n/a--Automotive Grade Linux (AGL) afb-daemon v19.90.0 | AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14. | 2026-05-01 | 7.8 | CVE-2026-37525 | https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a--Automotive Grade Linux (AGL) afb-daemon v19.90.0 | AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29. | 2026-05-01 | 7.8 | CVE-2026-37526 | https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a--Automotive Grade Linux (AGL) aglservice v17.1.12 | AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer. | 2026-05-01 | 7.1 | CVE-2026-37532 | https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a--Automotive Grade Linux (AGL) isotp-c | openxc/isotp-c thru commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09) contains an out-of-bounds read in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is used directly as the memcpy size without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble can cause memory reads beyond the buffer, allowing attackers to cause a denial of service, or gain sensitive information. | 2026-05-01 | 7.1 | CVE-2026-37535 | https://github.com/openxc/isotp-c https://github.com/openxc/isotp-c/blob/master/src/isotp/receive.c https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a-- Vanetza V2X v26.02 | An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver. | 2026-05-01 | 7.5 | CVE-2026-37554 | https://github.com/riebl/vanetza https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0. | 2026-04-30 | 7.5 | CVE-2026-40595 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mq7q-6xh6-5649 https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| cyberhobo--Geo Mashup | The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective in the `ORDER BY` context because the value is not enclosed in quotes. Additionally, while a `sanitize_sort_arg()` allowlist-based sanitizer was added in version 1.13.18, it is only applied in the AJAX code path (`sanitize_query_args()`) and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. | 2026-05-02 | 7.5 | CVE-2026-4060 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2fa5ae9a-532c-40f9-b70a-217f0f9cd473?source=cve https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1767 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1785 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166 https://plugins.trac.wordpress.org/changeset/3503627/ |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0. | 2026-04-30 | 7.5 | CVE-2026-40601 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-cpr6-mhgm-893w https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| cyberhobo--Geo Mashup | The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb->prepare()`. The 'any' branch of the same code correctly applies `array_map('esc_sql', ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings. | 2026-05-02 | 7.5 | CVE-2026-4061 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152 https://plugins.trac.wordpress.org/changeset/3503627/ |
| cyberhobo--Geo Mashup | The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'object_ids' and 'exclude_object_ids' parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective because the values are placed in an unquoted `IN(...)` / `NOT IN(...)` SQL context - `esc_sql()` only escapes quote characters and provides no protection against parenthesis or SQL keyword injection. Additionally, while a numeric-only sanitizer exists in `sanitize_query_args()`, it is only applied in the AJAX code path and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. | 2026-05-02 | 7.5 | CVE-2026-4062 | https://www.wordfence.com/threat-intel/vulnerabilities/id/abc5ed0a-504f-4d8c-9662-a4c9f7c7acb8?source=cve https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1755 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1759 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166 https://plugins.trac.wordpress.org/changeset/3503627/ |
| n/a--libssh2 | A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue. | 2026-05-01 | 7.3 | CVE-2026-7598 | VDB-360555 | libssh2 userauth.c userauth_password integer overflow VDB-360555 | CTI Indicators (IOB, IOC, IOA) Submit #805564 | libssh2 <= 1.11.1 Integer Overflow https://github.com/libssh2/libssh2/pull/1858 https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1 https://github.com/libssh2/libssh2/ |
| innocommerce--InnoShop | A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue. | 2026-05-02 | 7.3 | CVE-2026-7630 | VDB-360576 | innocommerce InnoShop Installation Endpoint InstallServiceProvider.php boot improper authentication VDB-360576 | CTI Indicators (IOB, IOC, IOA) Submit #806484 | innocommerce innoshop <= 0.7.3 Missing Authorization https://github.com/innocommerce/innoshop/issues/314 https://github.com/innocommerce/innoshop/issues/314#issuecomment-4357464458 https://github.com/innocommerce/innoshop/commit/45758e4ec22451ab944ae2ae826b1e70f6450dc9 https://github.com/innocommerce/innoshop/ |
| code-projects--Online Hospital Management System | A vulnerability was determined in code-projects Online Hospital Management System 1.0. This affects an unknown function of the file /viewappointment.php. This manipulation of the argument delid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-02 | 7.3 | CVE-2026-7632 | VDB-360578 | code-projects Online Hospital Management System viewappointment.php sql injection VDB-360578 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806633 | code-projects Online Hospital Management System In PHP 1.0 SQL Injection https://github.com/Sh1tKing/cve/blob/main/time-blind-sql.md https://github.com/Sh1tKing/cve/blob/main/CVE-2026-7632.md https://code-projects.org/ |
| ChatGPTNextWeb--NextChat | A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 7.3 | CVE-2026-7644 | VDB-360756 | ChatGPTNextWeb NextChat actions.ts addMcpServer improper authorization VDB-360756 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806851 | ChatGPTNextWeb NextChat 2.16.1 Unauthenticated Remote Code Execution https://github.com/ChatGPTNextWeb/NextChat/issues/6757 https://github.com/ChatGPTNextWeb/NextChat/ |
| reputeinfosystems--ARMember Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | The ARMember - Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.0.60 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-02 | 7.5 | CVE-2026-7649 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eb064156-f54b-4401-9d4f-29f0952deb24?source=cve https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_members_directory.php#L1019 https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_members_directory.php#L1019 https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L434 https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L434 https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L36 https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L36 |
| MikroTik--RouterOS | A vulnerability was identified in MikroTik RouterOS 6.49.8. This vulnerability affects the function ASN1_STRING_data in the library nova/lib/www/scep.p of the component SCEP Endpoint. The manipulation of the argument transactionID/messageType leads to out-of-bounds read. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 7.3 | CVE-2026-7668 | VDB-360804 | MikroTik RouterOS SCEP Endpoint scep.p ASN1_STRING_data out-of-bounds VDB-360804 | CTI Indicators (IOB, IOC, IOA) Submit #798623 | MikroTik RouterOS 6.49.8 Out-of-Bounds Read https://github.com/ezio315/cve/issues/4 |
| Jinher--OA | A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/UserSel.aspx. This manipulation of the argument DeptIDList causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 7.3 | CVE-2026-7670 | VDB-360818 | Jinher OA UserSel.aspx sql injection VDB-360818 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #799506 | Jinhe OA V1.0 SQL Injection https://github.com/zzlln/cvecve/issues/1 |
| YunaiV--yudao-cloud | A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7679 | VDB-360832 | YunaiV yudao-cloud OAuth2TokenServiceImpl.java getAccessToken improper authentication VDB-360832 | CTI Indicators (IOB, IOC, IOA) Submit #800866 | YunaiV yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness https://github.com/9str0IL/CVE/issues/1 |
| Acrel Electrical--ECEMS Enterprise Microgrid Energy Efficiency Management System | A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7694 | VDB-360863 | Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System elecMaxMinAvgValue sql injection VDB-360863 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #803271 | Acrel Electric Co., Ltd. Enterprise Microgrid Energy Efficiency Management System (ECEMS) 1.3.0 SQL Injection https://ucn9h68n9289.feishu.cn/wiki/WZMewApmsiT3PMkCJfzcASEznOb |
| Acrel Electrical--EEMS Enterprise Power Operation and Maintenance Cloud Platform | A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7695 | VDB-360864 | Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform elecMaxMinAvgValue sql injection VDB-360864 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #803275 | Acrel Electric Co., Ltd. EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 SQL Injection https://ucn9h68n9289.feishu.cn/wiki/QoXfwTAOiiYw2OkO0vAc7b7SnGg |
| Tiandy--Easy7 Integrated Management Platform | A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7698 | VDB-360867 | Tiandy Easy7 Integrated Management Platform updateDbBackupInfo os command injection VDB-360867 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #804048 | Tiandy Technologies Co., Ltd. Tiandy-Easy7 7.17.0 OS Command Injection https://ucn9h68n9289.feishu.cn/wiki/Yslcw7QqWiRjUZkCcvkcJI62n2c |
| AV Stumpfl--Pixera Two Media Server | A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. Upgrading the affected component is advised. | 2026-05-03 | 7.3 | CVE-2026-7703 | VDB-360872 | AV Stumpfl Pixera Two Media Server Websocket API code injection VDB-360872 | CTI Indicators (IOB, IOC, TTP) Submit #805274 | AV Stumpfl Pixera Two Media Server < 25.2 R3 Remote Code Execution https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608 https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog |
| YunaiV--yudao-cloud | A security flaw has been discovered in YunaiV yudao-cloud up to 3.8.0. This affects the function doFilterInternal of the file JwtAuthenticationTokenFilter.java of the component Ruoyi-Vue-Pro. Performing a manipulation of the argument mock-token results in improper authentication. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7710 | VDB-360886 | YunaiV yudao-cloud Ruoyi-Vue-Pro JwtAuthenticationTokenFilter.java doFilterInternal improper authentication VDB-360886 | CTI Indicators (IOB, IOC, IOA) Submit #806493 | YunaiV yudao-cloud yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness https://github.com/9str0IL/CVE/issues/5 |
| n/a--MindsDB | A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7711 | VDB-360887 | MindsDB Engine proc_wrapper.py exec unrestricted upload VDB-360887 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806822 | mindsdb <=26.01 Remote Code Execution https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_BYOM_RCE.md |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| xenial--RSVG | librsvg2-bin 2.40.13 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service by processing malformed SVG files. Attackers can supply crafted SVG input to the rsvg conversion tool to trigger a segmentation fault in the cairo image compositor. | 2026-04-29 | 6.2 | CVE-2018-25305 | ExploitDB-44491 VulnCheck Advisory: librsvg2-bin 2.40.13 Buffer Overflow via Malformed SVG |
| poppler-utils--PDFunite | PDFunite 0.41.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by processing malformed PDF files during merge operations. Attackers can trigger a segmentation fault in the XRef::getEntry function within libpoppler by providing a specially crafted PDF file to the pdfunite utility. | 2026-04-29 | 6.2 | CVE-2018-25306 | ExploitDB-44490 Official Product Homepage Product Reference VulnCheck Advisory: PDFunite 0.41.0 Buffer Overflow via Malformed PDF |
| VideoFlow Ltd.--VideoFlow Digital Video Protection | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd. | 2026-04-29 | 6.5 | CVE-2018-25311 | ExploitDB-44386 Vulnerability Advisory VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2) |
| LifeSize--ClearSea | LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui interface. Attackers can exploit the upload endpoint with directory traversal sequences to write files to arbitrary locations on the system, enabling remote code execution. | 2026-04-29 | 6.5 | CVE-2018-25312 | ExploitDB-44390 VulnCheck Advisory: LifeSize ClearSea 3.1.4 Directory Traversal Remote Code Execution |
| Sysgauge--SysGauge | SysGauge 4.5.18 contains a buffer overflow vulnerability in the proxy configuration handler that allows local attackers to cause a denial of service by supplying an oversized string. Attackers can inject a large payload through the Proxy Server Host Name field in the Options menu to crash the application. | 2026-04-29 | 6.2 | CVE-2018-25313 | ExploitDB-44372 VulnCheck Advisory: SysGauge 4.5.18 Local Denial of Service via Proxy Configuration |
| sebet--Go Fetch Jobs (for WP Job Manager) | Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-01 | 6.1 | CVE-2024-13362 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d694491c-c0f5-4418-805a-db792ea4f712?source=cve https://plugins.trac.wordpress.org/browser/tablepress/trunk/libraries/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/widgets-on-pages/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/menu-image/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/simply-gallery-block/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/foobox-image-lightbox/tags/2.7.33/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/featured-images-for-rss-feeds/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/wpide/tags/3.5.0/dist/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/add-search-to-menu/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/master-addons/trunk/lib/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/foogallery/tags/2.4.27/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/ocean-extra/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/internal-links/trunk/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/interactive-geo-maps/tags/1.6.21/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/independent-analytics/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/spotlight-social-photo-feeds/trunk/ui/freemius-pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/woo-permalink-manager/tags/2.3.11/assets/admin/js/pricing-page/freemius-pricing.js https://plugins.trac.wordpress.org/browser/pdf-poster/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/wp-meta-and-date-remover/tags/2.3.4/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/changeset/3235286/ https://plugins.trac.wordpress.org/changeset/3249130/ https://plugins.trac.wordpress.org/changeset/3229060/ |
| WSO2--WSO2 Identity Server | The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible. | 2026-04-29 | 6.1 | CVE-2025-10503 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4577/ |
| trustindex--Widgets for Social Photo Feed | The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings. | 2026-05-02 | 6.5 | CVE-2025-14726 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab15fa8b-4072-435a-8a1c-ca6fd964a260?source=cve https://plugins.trac.wordpress.org/changeset/3513612/social-photo-feed-widget |
| IBM--Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources. | 2026-04-30 | 6.5 | CVE-2025-36122 | https://www.ibm.com/support/pages/node/7267642 |
| IBM--watsonx.data intelligence | IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user. | 2026-04-30 | 6.2 | CVE-2025-36335 | https://www.ibm.com/support/pages/node/7270923 |
| xlplugins--NextMove Lite Thank You Page for WooCommerce | The NextMove Lite - Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-02 | 6.4 | CVE-2026-0703 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8eab201-04a5-43df-bb9b-2964c50a1833?source=cve https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L79 https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L87 https://plugins.trac.wordpress.org/changeset/3482613/ |
| Zyxel--DX3300-T0 firmware | A post-authentication command injection vulnerability in the EasyMesh-related APIs of Zyxel DX3300-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated, adjacent attacker with administrator privileges to execute OS commands on an affected device. | 2026-04-28 | 6.8 | CVE-2026-0711 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026 |
| IBM--Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-04-30 | 6.5 | CVE-2026-1577 | https://www.ibm.com/support/pages/node/7269434 |
| Dell--Alienware Command Center (AWCC) | Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain an Execution with Unnecessary Privileges vulnerability in the AWCC. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2026-04-27 | 6.7 | CVE-2026-25908 | https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities |
| wazuh--wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the configured threshold (max_login_attempts, default 50) is enforced correctly for sequential requests, a parallel burst allows significantly more failed login attempts to be processed before the IP block is applied. This enables an attacker to perform more password guesses than the configured policy intends (e.g., 100 attempts processed where 50 should be allowed). This issue has been patched in version 4.14.4. | 2026-04-29 | 6.5 | CVE-2026-26206 | https://github.com/wazuh/wazuh/security/advisories/GHSA-m2mr-xhhv-jx58 https://github.com/wazuh/wazuh/releases/tag/v4.14.4 |
| Dell--Dell/Alienware Purchased Apps | Dell/Alienware Purchased Apps, versions prior to 1.1.31.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write | 2026-04-29 | 6.3 | CVE-2026-27105 | https://www.dell.com/support/kbdoc/en-us/000438321/dsa-2026-131-security-update-for-dell-alienware-purchased-apps-for-an-improper-link-resolution-before-file-access-vulnerability |
| Milesight--MS-Cxx63-PD | A command injection vulnerability exists in the web server of specific firmware versions of Milesight cameras. | 2026-04-27 | 6.8 | CVE-2026-32649 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| IBM--Langflow Desktop | IBM Langflow Desktop 1.0.0 through 1.8.4 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | 2026-04-30 | 6.5 | CVE-2026-3340 | https://www.ibm.com/support/pages/node/7271096 |
| IBM--Langflow Desktop | IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. | 2026-04-30 | 6.5 | CVE-2026-3345 | https://www.ibm.com/support/pages/node/7271094 |
| IBM--Langflow Desktop | IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-04-30 | 6.4 | CVE-2026-3346 | https://www.ibm.com/support/pages/node/7271095 |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT - even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0. | 2026-04-30 | 6.5 | CVE-2026-35514 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-g47g-v5cp-j8hp https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| n/a-- V2Board v1.7.4 | Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing. | 2026-05-01 | 6.9 | CVE-2026-37503 | https://github.com/v2board/v2board https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9 |
| redhat[.]com--gnutls | A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure. | 2026-04-30 | 6.5 | CVE-2026-3833 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-3833 RHBZ#2445763 https://gitlab.com/gnutls/gnutls/-/issues/1803 |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does not have access to the specific project. The route bypasses project-level authorization and returns the raw project object. As a result, a low-privileged same-team user can read another project's dashboard data and recover the project's stored report password from the response. This issue has been patched in version 5.0.0. | 2026-04-30 | 6.5 | CVE-2026-40603 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6qr3-g75h-xm3f https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| nextlevelbuilder--ui-ux-pro-max-skill | A flaw has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this vulnerability is the function _format_plugins of the file .claude/skills/ui-styling/scripts/tailwind_config_gen.py of the component Tailwind Config Generator. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-01 | 6.3 | CVE-2026-7595 | VDB-360548 | nextlevelbuilder ui-ux-pro-max-skill Tailwind Config Generator tailwind_config_gen.py _format_plugins code injection VDB-360548 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805509 | nextlevelbuilder ui-ux-pro-max-skill 2.5.0 Tailwind Config Generator Code Injection Leading to RCE https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/246 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/275 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/ |
| mem0ai--mem0 | A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects the function pickle.load/pickle.dump of the file mem0/vector_stores/faiss.py. Performing a manipulation results in deserialization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 62dca096f9236010ca15fea9ba369ba740b86b7a. Applying a patch is the recommended action to fix this issue. | 2026-05-01 | 6.3 | CVE-2026-7597 | VDB-360550 | mem0ai mem0 faiss.py pickle.dump deserialization VDB-360550 | CTI Indicators (IOB, IOC, IOA) Submit #805562 | Mem0 <= v1.0.11 Unsafe Deserialization https://github.com/mem0ai/mem0/issues/3778 https://github.com/mem0ai/mem0/pull/4833 https://github.com/mem0ai/mem0/commit/62dca096f9236010ca15fea9ba369ba740b86b7a https://github.com/mem0ai/mem0/ |
| Dayoooun--hwpx-mcp | A vulnerability was detected in Dayoooun hwpx-mcp 0.2.0. This affects the function save_document/export_to_text/export_to_html of the file mcp-server/src/index.ts of the component MCP Interface. Performing a manipulation of the argument output_path results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-01 | 6.3 | CVE-2026-7599 | VDB-360556 | Dayoooun hwpx-mcp MCP index.ts export_to_html path traversal VDB-360556 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805608 | Dayoooun hwpx-mcp Commit 87850fd67f0488d79fcbf061a29938cae914a15d Path Traversal https://github.com/Dayoooun/hwpx-mcp/issues/3 https://github.com/BruceJqs/public_exp/issues/28 https://github.com/Dayoooun/hwpx-mcp/ |
| ArtMin96--yii2-mcp-server | A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7600 | VDB-360557 | ArtMin96 yii2-mcp-server MCP index.ts yii_execute_command os command injection VDB-360557 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805613 | ArtMin96 yii2-mcp-server 1.0.2 Command Injection https://github.com/ArtMin96/yii2-mcp-server/issues/3 https://github.com/BruceJqs/public_exp/issues/29 https://github.com/ArtMin96/yii2-mcp-server/ |
| n/a--JeecgBoot | A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. You should upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7602 | VDB-360559 | JeecgBoot FillRuleUtil edit improper authorization VDB-360559 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805706 | jeecgboot JeecgBoot <= v3.9.1 Remote Code Execution https://github.com/jeecgboot/JeecgBoot/issues/9552 https://github.com/jeecgboot/JeecgBoot/issues/9552#issuecomment-4251391314 https://github.com/jeecgboot/JeecgBoot/ |
| n/a--JeecgBoot | A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7603 | VDB-360560 | JeecgBoot LoadFile Endpoint FileDownloadUtils.jav checkPathTraversalBatch server-side request forgery VDB-360560 | CTI Indicators (IOB, IOC, IOA) Submit #805707 | jeecgboot JeecgBoot <= v3.9.1 SSRF https://github.com/jeecgboot/JeecgBoot/issues/9553 https://github.com/jeecgboot/JeecgBoot/issues/9553#issuecomment-4251745014 https://github.com/jeecgboot/JeecgBoot/ |
| n/a--JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7604 | VDB-360561 | JeecgBoot OpenApi Service OpenApiController.java OpenApiController.call server-side request forgery VDB-360561 | CTI Indicators (IOB, IOC, IOA) Submit #805708 | jeecgboot JeecgBoot <= v3.9.1 SSRF https://github.com/jeecgboot/JeecgBoot/issues/9554 https://github.com/jeecgboot/JeecgBoot/issues/9554#issuecomment-4251574151 https://github.com/jeecgboot/JeecgBoot/ |
| n/a--JeecgBoot | A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMultipartFileUtil.downloadImageData of the file CommonController.java of the component uploadImgByHttpEndpoint. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading the affected component is recommended. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7605 | VDB-360562 | JeecgBoot uploadImgByHttpEndpoint CommonController.java HttpFileToMultipartFileUtil.downloadImageData server-side request forgery VDB-360562 | CTI Indicators (IOB, IOC, IOA) Submit #805709 | jeecgboot JeecgBoot <= v3.9.1 SSRF https://github.com/jeecgboot/JeecgBoot/issues/9555 https://github.com/jeecgboot/JeecgBoot/issues/9555#issuecomment-4251745271 https://github.com/jeecgboot/JeecgBoot/ |
| TRENDnet--TEW-821DAP | A flaw has been found in TRENDnet TEW-821DAP up to 1.12B01. The impacted element is the function tools_diagnostic of the file /tmp/diagnostic of the component Firmware Udpate. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 6.3 | CVE-2026-7609 | VDB-360566 | TRENDnet TEW-821DAP Firmware Udpate diagnostic tools_diagnostic os command injection VDB-360566 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806216 | Trendnet TEW-821DAP v1.12B01 CWE-78 Improper Neutralization of Special Elements used in an O https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI2.md |
| 8nite--metatrader-4-mcp | A security vulnerability has been detected in 8nite metatrader-4-mcp 1.0.0. This vulnerability affects the function CallToolRequestSchema of the file src/index.ts of the component sync_ea_from_file. Such manipulation of the argument ea_name leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7627 | VDB-360573 | 8nite metatrader-4-mcp sync_ea_from_file index.ts CallToolRequestSchema path traversal VDB-360573 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806286 | 8nite metatrader-4-mcp 1.0.0 Path Traversal https://github.com/8nite/metatrader-4-mcp/issues/1 https://github.com/8nite/metatrader-4-mcp/ |
| crazyrabbitLTC--mcp-code-review-server | A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-02 | 6.3 | CVE-2026-7628 | VDB-360574 | crazyrabbitLTC mcp-code-review-server RepoMix repomix.ts executeRepomix command injection VDB-360574 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806469 | crazyrabbitLTC mcp-code-review-server <=0.1.0 Command Injection https://github.com/crazyrabbitLTC/mcp-code-review-server/issues/4 https://github.com/crazyrabbitLTC/mcp-code-review-server/pull/5 https://github.com/user-attachments/files/26018245/mcp-code-review-server_bug.pdf https://github.com/crazyrabbitLTC/mcp-code-review-server/ |
| kleneway--awesome-cursor-mpc-server | A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component Ccode-Review Tool. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-02 | 6.3 | CVE-2026-7629 | VDB-360575 | kleneway awesome-cursor-mpc-server Ccode-Review Tool codeReview.ts runCodeReviewTool command injection VDB-360575 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806470 | kleneway awesome-cursor-mpc-server <=2.0.1 Command Injection https://github.com/kleneway/awesome-cursor-mpc-server/issues/6 https://github.com/kleneway/awesome-cursor-mpc-server/pull/14 https://github.com/user-attachments/files/26019723/awesome-cursor-mpc-server_bug.pdf https://github.com/kleneway/awesome-cursor-mpc-server/ |
| Totolink--N300RH | A vulnerability was identified in Totolink N300RH 6.1c.1353_B20190305. This impacts the function setUploadSetting of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument FileName leads to file inclusion. The attack may be performed from remote. The exploit is publicly available and might be used. | 2026-05-02 | 6.5 | CVE-2026-7633 | VDB-360579 | Totolink N300RH cstecgi.cgi setUploadSetting file inclusion VDB-360579 | CTI Indicators (IOB, IOC, IOA) Submit #806597 | TOTOLINK N300RH_V4 V6.1c.1353_B20190305 External Control of System or Configuration Setting https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/03_setUploadSetting_ECFNP https://www.totolink.net/ |
| pskill9--website-downloader | A vulnerability was detected in pskill9 website-downloader up to 0.1.0. This affects the function download_website of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument outputPath results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7642 | VDB-360754 | pskill9 website-downloader MCP index.ts download_website os command injection VDB-360754 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806812 | pskill9 website-downloader Commit 5b399bebad1800ac6df5052b63eaea37117092b6 Command Injection https://github.com/pskill9/website-downloader/issues/7 https://github.com/BruceJqs/public_exp/issues/31 https://github.com/pskill9/website-downloader/ |
| ruvnet--sublinear-time-solver | A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function export_state of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.5 | CVE-2026-7645 | VDB-360757 | ruvnet sublinear-time-solver MCP server.js export_state path traversal VDB-360757 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806895 | ruvnet sublinear-time-solver / consciousness-explorer sublinear-time-solver 1.5.0, consciousness-explorer 1.1.1, commit 1210646955f33abe5c91f894cc7b04d024f62408 Path Traversal https://github.com/ruvnet/sublinear-time-solver/issues/19 https://github.com/ruvnet/sublinear-time-solver/ |
| r-huijts--mcp-server-rijksmuseum | A security flaw has been discovered in r-huijts mcp-server-rijksmuseum up to 1.0.4. Affected is the function open_image_in_browser of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument imageUrl results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7653 | VDB-360778 | r-huijts mcp-server-rijksmuseum MCP index.ts open_image_in_browser os command injection VDB-360778 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806909 | r-huijts mcp-server-rijksmuseum 1.0.4 Command Injection https://github.com/r-huijts/rijksmuseum-mcp/issues/9 |
| youlaitech--youlai-boot | A security vulnerability has been detected in youlaitech youlai-boot up to 2.21.1. This affects the function getUserList of the file src/main/java/com/youlai/boot/system/controller/UserController.java of the component Users Endpoint. Such manipulation of the argument order leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7672 | VDB-360825 | youlaitech youlai-boot Users Endpoint UserController.java getUserList sql injection VDB-360825 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800658 | youlaitech youlai-boot v2.21.1 SQL Injection https://fx4tqqfvdw4.feishu.cn/docx/EBZLdUqt4ogm4Px7jxuck1RQnHe?from=from_copylink |
| YunaiV--yudao-cloud | A vulnerability was identified in YunaiV yudao-cloud up to 2026.01. This affects the function getDataBySQL of the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7678 | VDB-360831 | YunaiV yudao-cloud GoViewDataServiceImpl.java getDataBySQL sql injection VDB-360831 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800865 | YunaiV yudao-cloud yudao-cloud up to 2026.01 SQL Injection https://github.com/9str0IL/CVE/issues/2 |
| jsbroks--COCO Annotator | A security vulnerability has been detected in jsbroks COCO Annotator up to 0.11.1. Affected by this vulnerability is an unknown functionality of the file backend/webserver/api/datasets.py of the component Dataset API. The manipulation of the argument DatasetId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.5 | CVE-2026-7681 | VDB-360834 | jsbroks COCO Annotator Dataset API datasets.py authorization VDB-360834 | CTI Indicators (IOB, IOC, IOA) Submit #801408 | jsbroks COCO Annotator 0.11.1 Authorization Bypass https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Unauthenticated%20Dataset%20Modification%20via%20Missing%20Authentication |
| Edimax--BR-6208AC | A security flaw has been discovered in Edimax BR-6208AC 1.02. The impacted element is the function setWAN of the file /goform/setWAN of the component L2TP Mode. The manipulation of the argument L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7682 | VDB-360841 | Edimax BR-6208AC L2TP Mode setWAN command injection VDB-360841 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #801572 | Edimax BR-6208AC V2_1.02 Command Injection https://tzh00203.notion.site/Edimax-BR-6208AC-V2-1-02-setWAN-L2TPUserName-Command-Injection-33db5c52018a80c1b3aac6db8927bd0f |
| Edimax--BR-6428nC | A weakness has been identified in Edimax BR-6428nC up to 1.16. This affects an unknown function of the file /goform/setWAN of the component Web Interface. This manipulation of the argument pppUserName/pptpUserName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7683 | VDB-360842 | Edimax BR-6428nC Web setWAN command injection VDB-360842 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #801597 | Edimax BR-6428nC v1.16 v1.16 Command Injection Submit #801598 | Edimax BR-6428nC v1.16 v1.16 Command Injection (Duplicate) https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pppUserName-Command-Injection-33db5c52018a80dab299ef508e810d00 https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpUserName-Command-Injection-33db5c52018a80949cfbcc2091340c80 |
| langflow-ai--langflow | A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7687 | VDB-360857 | langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection VDB-360857 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #798731 | langflow-ai langflow 1.8.4 Command Injection https://www.yuque.com/yuqueyonghuqy8yu4/ghuay4/ylrgoyyfrucp8opo?singleDoc=#g4kyb |
| Wavlink--WL-WN570HA1 | A weakness has been identified in Wavlink WL-WN570HA1 R70HA1 V1410_221110. This issue affects the function set_sys_adm of the file /cgi-bin/adm.cgi. This manipulation of the argument Username causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-03 | 6.3 | CVE-2026-7690 | VDB-360860 | Wavlink WL-WN570HA1 adm.cgi set_sys_adm command injection VDB-360860 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807805 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_adm-34753a41781f809d8043f0a7a3e07e50?source=copy_link |
| Wavlink--WL-WN570HA1 | A security vulnerability has been detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. Impacted is the function set_sys_cmd of the file /cgi-bin/adm.cgi. Such manipulation of the argument command leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-03 | 6.3 | CVE-2026-7691 | VDB-360861 | Wavlink WL-WN570HA1 adm.cgi set_sys_cmd command injection VDB-360861 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807806 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_cmd-34753a41781f80ab88a1d95d4f798d1f?source=copy_link |
| Wavlink--WL-WN570HA1 | A vulnerability was detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. The affected element is the function ping_ddns of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument DDNS results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-03 | 6.3 | CVE-2026-7692 | VDB-360862 | Wavlink WL-WN570HA1 adm.cgi ping_ddns command injection VDB-360862 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807807 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-ping_ddns-34753a41781f80c0a6c6c1b09b7cdf1c?source=copy_link |
| Acrel Electrical--EEMS Enterprise Power Operation and Maintenance Cloud Platform | A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7696 | VDB-360865 | Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform uploadH5Files unrestricted upload VDB-360865 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807944 | Acrel Electric Co., Ltd. EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 Unrestricted Upload of File with Dangerous Type https://ucn9h68n9289.feishu.cn/wiki/X9PAw4i5kiPueKkZqCCcNVYZnnc?from=from_copylink |
| Dromara--MaxKey | A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7699 | VDB-360868 | Dromara MaxKey StrUtils.java StrUtils.checkSqlInjection sql injection VDB-360868 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #804260 | Dromara MaxKey 3.5.13 SQL Injection https://github.com/xpp3901/CVE_APPLY/tree/main/V-M001_MaxKey_Filters_SQL_Injection |
| langflow-ai--langflow | A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7700 | VDB-360869 | langflow-ai langflow LambdaFilterComponent lambda_filter.p eval code injection VDB-360869 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #804305 | langflow-ai Langflow Desktop 1.8.3 Execution with Unnecessary Privileges https://www.yuque.com/mengnanbulalei/ognlsk/hte2a98ro5gf8tp9?singleDoc#%20%E3%80%8AFirst%20release%20of%20Langflow%201.8.3%20Smart%20Transform%20eval()/Lambda%20injection%20RCE%20vulnerability%20analysis+POC%E3%80%8B |
| JD Cloud--JDCOS | A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function set_iptv_info of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7705 | VDB-360881 | JD Cloud JDCOS Service jdcap set_iptv_info command injection VDB-360881 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805644 | jdcloud 京东云无线宝ER1 太乙 有线路由 千兆路由器 JDCOS-JDC08-4.5.1.r4518 Remote code execution https://www.notion.so/3430c75766a8802dbde3dc8a372c7f46 |
| janeczku--Calibre-Web | A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7709 | VDB-360885 | janeczku Calibre-Web Endpoint kobo_auth.py generate_auth_token improper authorization VDB-360885 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805823 | Janeczku Calibre-web V0.6.7-V0.6.26 IDOR in auth-token generation leading to account takeover / user https://drive.google.com/drive/folders/1rosrcfxcHrQM7_GOiBwzY_GnCfXoFuVR?usp=drive_link |
| n/a--MindsDB | A security vulnerability has been detected in MindsDB up to 26.01. Affected is the function pickle.loads of the component Pickle Handler. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7712 | VDB-360888 | MindsDB Pickle pickle.loads deserialization VDB-360888 | CTI Indicators (IOB, IOC, IOA) Submit #806827 | https://github.com/mindsdb/mindsdb <=26.01 Remote Code Execution https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_Pickle_RCE.md |
| Merge--Merge PACS | Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system. | 2026-04-29 | 5.3 | CVE-2018-25298 | ExploitDB-44681 Official Product Homepage VulnCheck Advisory: Merge PACS 7.0 Cross-Site Request Forgery via merge-viewer |
| IBM--Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when certain configurations exist. | 2026-04-30 | 5.3 | CVE-2025-14688 | https://www.ibm.com/support/pages/node/7269424 |
| IBM--watsonx.data | IBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an attacker to transfer data between pods without restrictions. | 2026-04-30 | 5.3 | CVE-2025-36180 | https://www.ibm.com/support/pages/node/7270593 |
| Dell--Alienware Command Center (AWCC) | Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain a Least Privilege Violation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2026-04-27 | 5.3 | CVE-2026-32655 | https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities |
| Elastic--Elastic Package Registry | Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed. | 2026-04-28 | 5.9 | CVE-2026-33467 | https://discuss.elastic.co/t/elastic-package-registry-1-38-0-security-update-esa-2026-27/386081 |
| dokaninc--Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Build Your Own Amazon, eBay, Etsy | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability. | 2026-05-02 | 5.3 | CVE-2026-3504 | https://www.wordfence.com/threat-intel/vulnerabilities/id/02b0d7d7-8a10-48de-b1e1-7e1f1fda6ffe?source=cve https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L125 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L835 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L854 https://plugins.trac.wordpress.org/changeset/3481799/ |
| n/a-- V2Board v1.7.4 | Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmission. The token appears in URLs such as /api/v1/server/UniProxy/user?token=SECRET, causing it to be recorded in web server access logs, browser history, HTTP Referer headers, and proxy/CDN logs. An attacker who gains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic. | 2026-05-01 | 5.3 | CVE-2026-37504 | https://github.com/v2board/v2board https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9 |
| complianz--Complianz GDPR/CCPA Cookie Consent | The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts. | 2026-04-29 | 5.3 | CVE-2026-4019 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3892489e-6ff7-4664-bb06-b8edff6dd659?source=cve https://github.com/complianz/complianz-gdpr/blob/64c09657bd028f62d7b50a54d83ca19b87df2cef/rest-api/rest-api.php#L61 https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L54 https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L61 https://plugins.trac.wordpress.org/changeset/3508713/complianz-gdpr/trunk/rest-api/rest-api.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fcomplianz-gdpr/tags/7.4.5&new_path=%2Fcomplianz-gdpr/tags/7.4.6 |
| diplodoc-platform--@diplodoc/search-extension | @diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file. | 2026-05-01 | 5.4 | CVE-2026-40201 | https://github.com/diplodoc-platform/search-extension/releases https://github.com/diplodoc-platform/search-extension/pull/41 https://github.com/diplodoc-platform/search-extension/releases/tag/v3.0.3 https://github.com/eyelessgoddd/eyelessgoddd/blob/main/README.md |
| wproyal--Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs. | 2026-05-02 | 5.3 | CVE-2026-4024 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2ecec7d7-d1b2-4ccf-ade6-1f78224968c6?source=cve https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L21 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L73 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L592 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/plugin.php#L592 |
| MIT--Kerberos 5 | In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message. | 2026-04-28 | 5.9 | CVE-2026-40355 | https://web.mit.edu/kerberos/advisories/ https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f |
| MIT--Kerberos 5 | In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message. | 2026-04-28 | 5.9 | CVE-2026-40356 | https://web.mit.edu/kerberos/advisories/ https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f |
| SmarterTools Inc.--SmarterMail | SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to approximately 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content. | 2026-04-27 | 5.9 | CVE-2026-40514 | https://www.smartertools.com/smartermail/release-notes/current https://www.vulncheck.com/advisories/smartertools-smartermail-build-9610-cryptographic-weakness-via-weak-rng |
| Exim--Exim | In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing. | 2026-04-30 | 5.9 | CVE-2026-40684 | https://www.openwall.com/lists/oss-security/2026/04/30/21 https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81 https://exim.org/static/doc/security/CVE-2026-40684.txt |
| TRENDnet--TEW-821DAP | A vulnerability was detected in TRENDnet TEW-821DAP up to 1.12B01. The affected element is the function tools_diagnostic. The manipulation results in os command injection. The exploit is now public and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 5.5 | CVE-2026-7608 | VDB-360565 | TRENDnet TEW-821DAP tools_diagnostic os command injection VDB-360565 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806215 | Trendnet TEW-821DAP v1.12B01 CWE-78 Improper Neutralization of Special Elements used in an OS https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI1.md |
| code-projects--Online Hospital Management System | A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler. The manipulation of the argument Username results in improper authorization. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-05-02 | 5.4 | CVE-2026-7631 | VDB-360577 | code-projects Online Hospital Management System Registration improper authorization VDB-360577 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806565 | Code-projects Online Hospital Management System V1.0 unauthorized access https://github.com/MyMySSS/CVE123/blob/main/cve2/cve2.md https://code-projects.org/ |
| appcheap--App Builder Create Native Android & iOS Apps On The Flight | The App Builder - Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint. | 2026-05-02 | 5.3 | CVE-2026-7638 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d532ffc-c6f1-41e3-9a59-0706802ab8e2?source=cve https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L80 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L80 https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L161 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L161 https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Traits/Permission.php#L33 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Traits/Permission.php#L33 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L80 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L161 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Traits/Permission.php#L33 |
| sgl-project--SGLang | A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation of the argument trust_remote_code with the input False as part of Boolean results in code injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. In get_tokenizer(), when the caller passes trust_remote_code=False and HuggingFace transformers v5 returns a TokenizersBackend instance (the generic fallback for tokenizer classes not in the registry), SGLang silently re-invokes AutoTokenizer.from_pretrained with trust_remote_code=True, overriding the caller's explicit security setting. A model repository containing a malicious tokenizer.py referenced via auto_map in tokenizer_config.json will execute arbitrary Python in the SGLang process during this second call. No log line or warning is emitted. The override affects all current SGLang versions because transformers==5.3.0 is pinned in pyproject.toml. Both tokenizer_mode="auto" and tokenizer_mode="slow" are affected. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 5.6 | CVE-2026-7669 | VDB-360817 | sgl-project SGLang HuggingFace Transformer hf_transformers_utils.py get_tokenizer code injection VDB-360817 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #799263 | sgl-project sglang <=0.5.9 Protection Mechanism Failure https://github.com/gouldnicholas/CVE-2026-7669-PoC |
| eyeo--Adblock Plus | A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading the affected component is recommended. The vendor provides additional details: "The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher's claim of permanently unlocking all Premium features is therefore incorrect. (...) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal." | 2026-05-03 | 5.3 | CVE-2026-7686 | VDB-360856 | eyeo Adblock Plus Legacy Premium Activation premium.preload.js postMessage access control VDB-360856 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #793551 | Eyeo GmbH Adblock Plus 4.36.2 Privilege Escalation https://github.com/xryj920/CVE/blob/main/adblock_plus_CVE_report.md https://adblockplus.org/en/download |
| Dolibarr--ERP CRM | A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 5 | CVE-2026-7688 | VDB-360858 | Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection VDB-360858 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #799337 | Dolibarr Dolibarr ERP CRM 23.0.2 and earlier SQL Injection |
| toeverything--AFFiNE | A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 5.3 | CVE-2026-7702 | VDB-360871 | toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization VDB-360871 | CTI Indicators (IOB, IOC, IOA) Submit #804455 | AFFiNE AFFiNE (https://github.com/toeverything/AFFiNE) 0.26.3 Authorization Bypass https://github.com/ngocnn97/security-advisories/blob/main/AFFiNE_BAC_PoC.mp4 |
| VideoFlow Ltd.--VideoFlow Digital Video Protection | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery flaw in the web management interface. Attackers with valid credentials can leverage the CSRF vulnerability to inject and execute system commands through the Tools > System > Shell interface, gaining root-level access to the device. | 2026-04-29 | 4.3 | CVE-2018-25310 | ExploitDB-44387 Vulnerability Advisory VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Remote Code Execution |
| gnu--wget2 | wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication. | 2026-04-29 | 4.8 | CVE-2026-1858 | https://www.tenable.com/security/research/tra-2026-37 |
| wazuh--wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Due to unsigned integer underflow and pointer arithmetic wrapping, the write lands at offset -1 from the buffer, corrupting heap metadata. A malicious actor can potentially leverage this issue through a compromised agent to cause denial of service or heap corruption by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector. This issue has been patched in version 4.14.4. | 2026-04-29 | 4.4 | CVE-2026-26204 | https://github.com/wazuh/wazuh/security/advisories/GHSA-j4c7-hwjw-8857 https://github.com/wazuh/wazuh/releases/tag/v4.14.4 |
| Oracle Corporation--Oracle Linux | An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context. | 2026-05-01 | 4.4 | CVE-2026-35233 | Oracle Advisory |
| n/a-- V2Board v1.7.4 | SQL Injection via ORDER BY clause in V2Board thru 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy($sort, $sortType) without validation. An authenticated admin can sort users by any database column including password, remember_token, and other sensitive fields, enabling information disclosure through ordering analysis. | 2026-05-01 | 4.9 | CVE-2026-37505 | https://github.com/v2board/v2board https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9 |
| nextlevelbuilder--ui-ux-pro-max-skill | A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py of the component Slide Generator. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-01 | 4.3 | CVE-2026-7596 | VDB-360549 | nextlevelbuilder ui-ux-pro-max-skill Slide Generator generate-slide.py data.get cross site scripting VDB-360549 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805510 | nextlevelbuilder ui-ux-pro-max-skill 2.5.0 Slide Generator Multiple Stored XSS https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/247 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/274 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/ |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.6. Affected is an unknown function of the file src/amf/gmm-handler.c of the component AMF. The manipulation of the argument reg_type leads to denial of service. The attack is possible to be carried out remotely. Upgrading to version 2.7.7 is able to address this issue. The identifier of the patch is ebc66942b6f8f1fab2d640e71cf4e9f1a423b426. It is advisable to upgrade the affected component. | 2026-05-02 | 4.3 | CVE-2026-7601 | VDB-360558 | Open5GS AMF gmm-handler.c denial of service VDB-360558 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805675 | Open5GS v.2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4321 https://github.com/open5gs/open5gs/commit/ebc66942b6f8f1fab2d640e71cf4e9f1a423b426 https://github.com/open5gs/open5gs/releases/tag/v2.7.7 https://github.com/open5gs/open5gs/ |
| itsourcecode--Courier Management System | A vulnerability was determined in itsourcecode Courier Management System 1.0. Affected is an unknown function of the file /edit_user.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2026-05-02 | 4.7 | CVE-2026-7612 | VDB-360569 | itsourcecode Courier Management System edit_user.php sql injection VDB-360569 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806275 | itsourcecode Courier Management System V1.0 SQL Injection https://github.com/ltranquility/submit/issues/12 https://itsourcecode.com/ |
| ChatGPTNextWeb--NextChat | A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 4.3 | CVE-2026-7643 | VDB-360755 | ChatGPTNextWeb NextChat API Endpoint Next.js cross-domain policy VDB-360755 | CTI Indicators (IOB, IOC, IOA) Submit #806833 | ChatGPTNextWeb NextChat 2.16.1 Permissive CORS Wildcard Policy https://github.com/ChatGPTNextWeb/NextChat/issues/6756 https://github.com/ChatGPTNextWeb/NextChat/ |
| n/a--crmeb_java | A vulnerability was detected in crmeb_java up to 1.3.4. This vulnerability affects unknown code of the file crmeb/crmeb-service/src/main/java/com/zbkj/service/service/impl/UploadServiceImpl.java of the component Admin Upload. Performing a manipulation of the argument model results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.7 | CVE-2026-7673 | VDB-360826 | crmeb_java Admin Upload UploadServiceImpl.java unrestricted upload VDB-360826 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800684 | crmeb crmeb_java 1.3.4 Unrestricted Upload https://fx4tqqfvdw4.feishu.cn/docx/EgMOdHyq6oyxhux5vpJcr5cgnAf?from=from_copylink |
| kerwincui--FastBee | A vulnerability was found in kerwincui FastBee up to 1.2.1. The affected element is the function ToolController.download of the file springboot/fastbee-open-api/src/main/java/com/fastbee/data/controller/ToolController.java of the component Tool Download Endpoint. The manipulation of the argument fileName results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.3 | CVE-2026-7676 | VDB-360829 | kerwincui FastBee Tool Download Endpoint ToolController.java ToolController.download path traversal VDB-360829 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800723 | kerwincui FastBee ≤ 1.2.1 Path Traversal https://fx4tqqfvdw4.feishu.cn/docx/Yv1gdAzFpoHCUUxDdKSculR4nKf?from=from_copylink |
| jsbroks--COCO Annotator | A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.3 | CVE-2026-7680 | VDB-360833 | jsbroks COCO Annotator Data Endpoint datasets.py path traversal VDB-360833 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #801150 | jsbroks COCO Annotator 0.11.1 Absolute Path Traversal https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Path%20Traversal%20via%20Dataset%20Folder%20Parameter |
| AMTT--Hotel Broadband Operation System | A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhand_submit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.7 | CVE-2026-7697 | VDB-360866 | AMTT Hotel Broadband Operation System cardhand_submit.php sql injection VDB-360866 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #803272 | Anmei Century (Beijing) Technology Co., Ltd. Hotel Broadband Operation System v1.0 SQL Injection https://github.com/testnet0/testnet/issues/74 |
| Telegram--Desktop | A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.3 | CVE-2026-7701 | VDB-360870 | Telegram Desktop Bot API url_auth_box.cpp RequestButton null pointer dereference VDB-360870 | CTI Indicators (IOB, IOC, IOA) Submit #804341 | Telegram Telegram Desktop <= 6.7.5 NULL Pointer Dereference https://www.youtube.com/watch?v=xo9Bplsy1K8 |
| AV Stumpfl--Pixera Two Media Server | A vulnerability has been found in AV Stumpfl Pixera Two Media Server up to 25.1 R2. The affected element is an unknown function of the component Service Port 1338. Such manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. Upgrading to version 25.2 R3 is sufficient to fix this issue. It is advisable to upgrade the affected component. | 2026-05-03 | 4.3 | CVE-2026-7704 | VDB-360873 | AV Stumpfl Pixera Two Media Server Service Port 1338 path traversal VDB-360873 | CTI Indicators (IOB, IOC, TTP) Submit #805275 | AV Stumpfl Pixera Two Media Server < 25.2 R3 Arbitrary File Read https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608 https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. This issue affects the function gmm_handle_service_request of the file /src/amf/gmm-handler.c of the component AMF. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-03 | 4.3 | CVE-2026-7706 | VDB-360882 | Open5GS AMF gmm-handler.c gmm_handle_service_request denial of service VDB-360882 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805698 | Open5GS AMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4409 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.7. Impacted is the function udr_nudr_dr_handle_subscription_context of the file /src/udr/nudr-handler.c of the component UDR. The manipulation of the argument pei results in denial of service. The attack can be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-03 | 4.3 | CVE-2026-7707 | VDB-360883 | Open5GS UDR nudr-handler.c udr_nudr_dr_handle_subscription_context denial of service VDB-360883 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805699 | Open5gs UDR v2.7.7 Denial of Service Submit #805700 | Open5gs UDR v2.7.7 Denial of Service (Duplicate) https://github.com/open5gs/open5gs/issues/4410 https://github.com/open5gs/open5gs/issues/4411 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. The affected element is the function ogs_dbi_subscription_data in the library /lib/dbi/subscription.c of the component UDR. This manipulation of the argument supi_id causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-03 | 4.3 | CVE-2026-7708 | VDB-360884 | Open5GS UDR subscription.c ogs_dbi_subscription_data denial of service VDB-360884 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805701 | Open5gs UDR v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4412 https://github.com/open5gs/open5gs/ |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Oracle Corporation--Oracle Linux | An unprivileged attacker can reliably trigger a crash of the dtrace process with a malicious ELF binary due to an integer Divide-by-Zero in Pbuild_file_symtab() | 2026-05-01 | 3.3 | CVE-2026-21996 | Oracle Advisory |
| redhat[.]com--gnutls | A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust. | 2026-04-30 | 3.7 | CVE-2026-3832 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-3832 RHBZ#2445762 https://gitlab.com/gnutls/gnutls/-/issues/1801 |
| TRENDnet--TEW-821DAP | A weakness has been identified in TRENDnet TEW-821DAP 1.12B01. This issue affects the function find_hwid/new_gui_update_firmware of the component Firmware Update Handler. Executing a manipulation of the argument dest can lead to insufficient verification of data authenticity. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 3.7 | CVE-2026-7606 | VDB-360563 | TRENDnet TEW-821DAP Firmware Update new_gui_update_firmware data authenticity VDB-360563 | CTI Indicators (IOB, IOC, IOA) Submit #806213 | Trendnet TEW-821DAP v1.12B01 CWE-287 Improper Authentication https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Auth.md |
| TRENDnet--TEW-821DAP | A vulnerability has been found in TRENDnet TEW-821DAP 1.12B01. This affects an unknown function of the file /www/cgi/ssi of the component Firmware Update. Such manipulation leads to cleartext transmission of sensitive information. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 3.7 | CVE-2026-7610 | VDB-360567 | TRENDnet TEW-821DAP Firmware Update ssi cleartext transmission VDB-360567 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806217 | Trendnet TEW-821DAP v1.12B01 CWE-319: Cleartext Transmission of Sensitive Information https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Down.md |
| TRENDnet--TEW-821DAP | A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function platform_do_upgrade_cameo_dev of the file cameo_dev.sh of the component Firmware Update Handler. Performing a manipulation results in insufficient verification of data authenticity. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 3.7 | CVE-2026-7611 | VDB-360568 | TRENDnet TEW-821DAP Firmware Update cameo_dev.sh platform_do_upgrade_cameo_dev data authenticity VDB-360568 | CTI Indicators (IOB, IOC, IOA) Submit #806218 | Trendnet TEW-821DAP v1.12B01 CWE-327 Use of a Broken or Risky Cryptographic Algorithm https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Inte.md |
| CodeWise--Tornet Scooter Mobile App | A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 3.7 | CVE-2026-7671 | VDB-360819 | CodeWise Tornet Scooter Mobile App TwoFactor excessive authentication VDB-360819 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #799987 | CodeWise Technologies, Tornet Scooter (Mobile APP) 4.75 Improper Restriction of Excessive Authentication Attempts (CWE-3 https://drive.proton.me/urls/M0WFM4137W#MY0jA6pjHYPO |
| kerwincui--FastBee | A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java of the component System Notice Handler. This manipulation of the argument noticeContent causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 3.5 | CVE-2026-7677 | VDB-360830 | kerwincui FastBee System Notice SysNoticeController.java add cross site scripting VDB-360830 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800724 | kerwincui FastBee ≤ 1.2.1 Improper Neutralization of Alternate XSS Syntax https://fx4tqqfvdw4.feishu.cn/docx/Iu5Dd558UoS4uIxhH9YcgNsWnjc?from=from_copylink |
| Dolibarr--ERP CRM | A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 3.7 | CVE-2026-7689 | VDB-360859 | Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification VDB-360859 | CTI Indicators (IOB, IOC, IOA) Submit #801794 | Dolibarr Dolibarr ERP/CRM 23.0.2 Authentication Bypass Issues https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| n/a--Sourcecodester Online Job Portal phppdo 1.0 | SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 ivia the category parameter in /jobportal/index.php. | 2026-04-27 | not yet calculated | CVE-2021-36438 | https://www.linkedin.com/in/mohamed-elobeid-oscp-ewptxv2-crtp-cissp-mba-537ba485/ https://thecyberpost.com/tools/exploits-cve/online-job-portal-in-php-pdo-1-0-sql-injection/ |
| Lobster GmbH--Lobster_pro | Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. | 2026-04-30 | not yet calculated | CVE-2024-13971 | https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-005/ |
| 4D--4D Server | Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. | 2026-04-30 | not yet calculated | CVE-2024-39847 | https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/ https://4d.com |
| n/a--NASA EOSDIS MODAPS | NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 was discovered to contain a SQL injection vulnerability in the category parameter | 2026-04-27 | not yet calculated | CVE-2024-46636 | https://www.linkedin.com/in/abdulrahman-aldossary-842b6b26b/ https://bugcrowd.com/Xnu11 https://github.com/NU1L0/CVE-2024-46636-SQLi-MODAPS |
| Hanwha Vision--QND-8080R | Penetration Testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in certain requests, causing a service disruption. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. | 2026-04-28 | not yet calculated | CVE-2024-54011 | https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf |
| Hanwha Vision--QND-8080R | Penetration Testing engineers at Amazon discovered a vulnerability where the camera system failed to properly validate input, allowing specially crafted requests containing malicious commands to be executed on the device. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and workarounds. | 2026-04-28 | not yet calculated | CVE-2024-54012 | https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf |
| Hanwha Vision--QND-8080R | Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds | 2026-04-28 | not yet calculated | CVE-2024-54013 | https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf |
| DeskTime--DeskTime Time Tracking App | Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client. | 2026-04-28 | not yet calculated | CVE-2025-10539 | https://r.sec-consult.com/desktime https://desktime.com/download |
| RTI--Connext Professional | Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*. | 2026-04-30 | not yet calculated | CVE-2025-14543 | https://www.rti.com/vulnerabilities/#cve-2025-14543 |
| The Qt Company--Qt | Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access. | 2026-04-30 | not yet calculated | CVE-2025-14576 | Qt Code Review - Fix for QTBUG-142556 |
| Ribblr--Crotchet and Knitting | Authenticated user can bypass authorization in Ribblr - Crochet & Knitting iOS application | 2026-04-27 | not yet calculated | CVE-2025-15626 | https://ribblr.com/ |
| Apache Software Foundation--Apache Thrift | Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message. | 2026-04-28 | not yet calculated | CVE-2025-48431 | https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql |
| n/a--B1 Free Archiver v1.5.86 | A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the 'Zone.Identifier' alternate data stream to the extracted files. As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions. | 2026-04-29 | not yet calculated | CVE-2025-50328 | https://b1.org/ https://github.com/math69b/B1FREE/blob/main/B1%20Free%20Archiver%20version |
| passmark[.]com-- BurnInTest v11.0 | An issue in the component DirectIo64.sys of PassMark BurnInTest v11.0 Build 1011, OSForensics v11.1 Build 1007, and PerformanceTest v11.1 Build 1004 allows attackers to access kernel memory and escalate privileges via a crafted IOCTL 0x8011E044 call. | 2026-05-01 | not yet calculated | CVE-2025-52347 | https://www.passmark.com/products/performancetest/history.php https://www.osforensics.com/whats-new.html https://www.passmark.com/products/burnintest/history.php https://github.com/netero1010/Vulnerability-Disclosure/tree/main/CVE-2025-52347 |
| n/a--Eprosima Micro-XREC-DDS Agent v.3.0.1 | An issue in Eprosima Micro-XREC-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a crafted packet to the MTU length field | 2026-05-01 | not yet calculated | CVE-2025-63547 | https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/390 https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md |
| n/a--Eprosima Micro-XREC-DDS Agent v.3.0.1 | An issue in Eprosima Micro-XREC-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a packet specially crafted to bear a non-valid value in any Boolean field. | 2026-05-01 | not yet calculated | CVE-2025-63548 | https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/389 https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md |
| n/a--Pro-Bit | An issue in Pro-Bit before v1.77.4 allows unauthenticated attackers to directly access sensitive directory and its subdirectories. | 2026-04-27 | not yet calculated | CVE-2025-69428 | https://github.com/jasetpen/CVE-2025-69428 |
| n/a--GSVoIP web panel v2.0.90 | Cross-Site Scripting (XSS) vulnerability was discovered in the GSVoIP web panel version 2.0.90. The `msg` parameter in the `/painel/gateways.php/error` endpoint does not properly sanitize user-supplied input, allowing attackers to inject arbitrary JavaScript into the HTML response. A remote attacker can exploit this vulnerability by sending a crafted URL to a victim, leading to unauthorized script execution, session hijacking, phishing, or other client-side attacks. | 2026-05-01 | not yet calculated | CVE-2025-69606 | https://sip2.solutionsvoip.com.br/painel/gateways.php/error?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E https://www.solutionsvoip.com.br/ https://github.com/Razielx64/CVE-2025-69606-GSVoIP-XSS |
| getfancontrol[.]com--Fan Control App v251 | The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges. | 2026-04-27 | not yet calculated | CVE-2025-69689 | https://getfancontrol.com https://github.com/Rem0o/FanControl.Releases https://github.com/Rem0o/FanControl.Releases/releases/tag/V251 https://gist.github.com/ahrixia/7c89bb3f1af6e85aeedde5ddb557a529 |
| SonicWall--SonicOS | A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions. | 2026-04-29 | not yet calculated | CVE-2026-0204 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004 |
| SonicWall--SonicOS | A post-authentication Path Traversal vulnerability in SonicOS allows an attacker to interact with usually restricted services. | 2026-04-29 | not yet calculated | CVE-2026-0205 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004 |
| SonicWall--SonicOS | A post-authentication Stack-based Buffer Overflow vulnerabilities in SonicOS allows a remote attacker to crash a firewall. | 2026-04-29 | not yet calculated | CVE-2026-0206 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004 |
| Wolters Kluwer Polska--LEX Baza Dokumentw | LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. An attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch. This issue was fixed in version 1.3.4. | 2026-04-30 | not yet calculated | CVE-2026-1493 | https://www.wolterskluwer.com/pl-pl/solutions/lex-baza-dokumentow https://cert.pl/posts/2026/04/CVE-2025-1493 |
| Samsung Mobile--Samsung Mobile Devices | Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local attackers to modify the installation restriction of specific application. | 2026-04-29 | not yet calculated | CVE-2026-21023 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=03 |
| OPPO--OPPO Wallet APP | OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure. | 2026-04-27 | not yet calculated | CVE-2026-22077 | https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2048652556296790016 |
| Imagination Technologies--Graphics DDK | A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable further exploits on the device. | 2026-05-01 | not yet calculated | CVE-2026-22165 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable subsequent exploit on the system. | 2026-05-01 | not yet calculated | CVE-2026-22166 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to force GPU to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second order affect of corrupted arbitrary physical memory. | 2026-05-01 | not yet calculated | CVE-2026-22167 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Acronis--Acronis DeviceLock DLP | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212. | 2026-04-29 | not yet calculated | CVE-2026-25852 | SEC-7217 |
| arc53--DocsGPT | DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0. | 2026-04-29 | not yet calculated | CVE-2026-26015 | https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74 https://github.com/arc53/DocsGPT/releases/tag/0.16.0 |
| aver[.]com-- web mgt interface v0.1.0000.65 | A Command Injection vulnerability in the web management interface in Aver PTC320UV2 0.1.0000.65 allows an unauthenticated attacker to execute arbitrary commands via a crafted web request. | 2026-05-01 | not yet calculated | CVE-2026-26461 | https://www.aver.com/Downloads/search?q=PTC320UV2 https://github.com/spaceraccoon/disclosures/blob/main/2026/CVE-2026-26461.md |
| Apache Software Foundation--Apache Camel | The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1. | 2026-04-27 | not yet calculated | CVE-2026-27172 | https://camel.apache.org/security/CVE-2026-27172.html |
| Netskope--Client | Netskope was notified about a potential gap in the Endpoint DLP Module for Netskope Client on Windows systems. The successful exploitation of the gap can potentially allow an unprivileged user to trigger an out-of-bounds read within a driver, leading to a Blue-Screen-of-Death (BSOD). Successful exploitation would require the Endpoint DLP module to be enabled in the client configuration. A successful exploit can potentially result in a denial-of-service for the local machine. | 2026-04-29 | not yet calculated | CVE-2026-2810 | https://www.netskope.com/resources/netskope-resources/netskope-security-advisory-nskpsa-2026-002 https://support.netskope.com/s/article/Netskope-Security-Advisory-NSKPSA-2026-002-Netskope-Endpoint-DLP-Driver-Security-Advisory |
| elixir-plug--plug_cowboy | Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node. This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header. This issue affects plug_cowboy: from 2.0.0 before 2.8.1. | 2026-04-27 | not yet calculated | CVE-2026-32688 | https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2 https://cna.erlef.org/cves/CVE-2026-32688.html https://osv.dev/vulnerability/EEF-CVE-2026-32688 https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b |
| CRM Sistemas de Fidelizacin--MegaCMS | SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the "id_territorio" parameter of the "/web_comunications/cms/get_provincias" endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the "id_territorio" parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries. | 2026-04-29 | not yet calculated | CVE-2026-3325 | https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion |
| Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--LogonTracer | An OS command Injection issue exists in LogonTracer prior to v2.0.0. An arbitrary OS command may be executed by a logged-in user. | 2026-04-27 | not yet calculated | CVE-2026-33277 | https://www.jpcert.or.jp/press/2026/PR20260423.html https://jvn.jp/en/jp/JVN57877356/ |
| Absolute Software--Secure Access | CVE-2026-33446 is a buffer overflow in the authentication sub-system of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33446 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33446 |
| Absolute Software--Secure Access | CVE-2026-33447 is a buffer overflow in a message parsing function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33447 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33447 |
| Absolute Software--Secure Access | CVE-2026-33448 is a format string vulnerability in the logging subsystem of Secure Access client for MacOS prior to 14.50. Attackers with control of a modified server can force the client to dump the contents of a small portion of memory to the log files potentially revealing secrets. | 2026-04-30 | not yet calculated | CVE-2026-33448 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33448 |
| Absolute Software--Secure Access | CVE-2026-33449 is a buffer overflow in a message handling function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a cryptographically valid message to the client, overwriting a small portion of memory conceivably leading to a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33449 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33449 |
| Absolute Software--Secure Access | CVE-2026-33450 is an out of bounds read vulnerability in the Secure Access MacOS client prior to 14.50. Attackers with control of a modified server can send a malformed packet to the client causing a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33450 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33450 |
| Absolute Software--Secure Access | CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and elevate their level of privilege to system. | 2026-04-30 | not yet calculated | CVE-2026-33451 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451 |
| Absolute Software--Secure Access | CVE-2026-33452 is a buffer overflow vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can use it to 'blue screen' the system. | 2026-04-30 | not yet calculated | CVE-2026-33452 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33452 |
| Apache Software Foundation--Apache Camel | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec) The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue. | 2026-04-27 | not yet calculated | CVE-2026-33453 | https://camel.apache.org/security/CVE-2026-33453.html |
| Apache Software Foundation--Apache Camel | The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from(\"imap://...\") or from(\"pop3://...\")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. | 2026-04-27 | not yet calculated | CVE-2026-33454 | https://camel.apache.org/security/CVE-2026-33454.html |
| Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--LogonTracer | There is a cypher injection issue in LogonTracer prior to v2.0.0. If specially crafted Windows event log data is loaded, the contents of the database may be altered. | 2026-04-27 | not yet calculated | CVE-2026-33566 | https://www.jpcert.or.jp/press/2026/PR20260423.html https://jvn.jp/en/jp/JVN57877356/ |
| traefik--traefik | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. | 2026-04-30 | not yet calculated | CVE-2026-35051 | https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54 https://github.com/traefik/traefik/releases/tag/v2.11.43 https://github.com/traefik/traefik/releases/tag/v3.6.14 https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2 |
| FreeBSD--FreeBSD | When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges. | 2026-04-30 | not yet calculated | CVE-2026-35547 | https://security.freebsd.org/advisories/FreeBSD-SA-26:17.libnv.asc |
| merkurysmart[.]com-- MIPC252W v1.0.5 | A handling issue in the RTSP service of the Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n allows an authenticated attacker to trigger session termination by repeatedly sending SETUP requests for the same media track within a single RTSP session. This causes the server to reset the RTSP connection, leading to a denial-of-service condition. | 2026-04-27 | not yet calculated | CVE-2026-35901 | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_2th/README.md |
| merkurysmart[.]com-- MIPC252W v1.0.5 | The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can cause the RTSP service to enter a persistent authentication failure state, preventing legitimate clients from authenticating and leading to a denial of service. | 2026-04-27 | not yet calculated | CVE-2026-35902 | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_3th/README.md |
| merkurysmart[.]com-- MIPC252W v1.0.5 | MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. As a result, RTSP methods such as SETUP, PLAY, and TEARDOWN can be processed even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier correspond to a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without computing a valid Digest response. | 2026-04-27 | not yet calculated | CVE-2026-35903 | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_4th/README.md |
| n/a--Krayin CRM v.2.1.5 | An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function | 2026-04-30 | not yet calculated | CVE-2026-36340 | https://drive.google.com/file/d/1yBdvbrXGf9fsFckmK9zTe2v8_vDtdicH/view https://github.com/krayin/laravel-crm/releases/tag/v2.1.6 https://github.com/cybercrewinc/CVE-2026-36340 |
| n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36756 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf2/readme.md |
| n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /plugins/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36757 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf1/readme.md |
| n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /themes/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36758 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf3/readme.md |
| n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36759 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf4/readme.md |
| n/a--JeeSite v5.15.1 | An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled. | 2026-04-30 | not yet calculated | CVE-2026-36760 | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/530 |
| n/a--JeeSite v5.15.1 | A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter. | 2026-04-30 | not yet calculated | CVE-2026-36761 | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/528 |
| n/a--JeeSite v5.15.1 | An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations. | 2026-04-30 | not yet calculated | CVE-2026-36762 | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/529 |
| n/a--SpringBlade v4.8.0 | A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter. | 2026-04-30 | not yet calculated | CVE-2026-36763 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/38 https://github.com/shopizer-ecommerce/shopizer/issues/1091 |
| n/a--SpringBlade v4.8.0 | A Server-Side Request Forgery (SSRF) in the /ureport/datasource/testConnection endpoint of SpringBlade v4.8.0 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36764 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/36 |
| n/a--SpringBlade v4.8.0 | An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload. | 2026-04-30 | not yet calculated | CVE-2026-36765 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/37 |
| n/a--shopizer v3.2.5 | Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream() or getReader() functions. | 2026-04-30 | not yet calculated | CVE-2026-36766 | https://github.com/shopizer-ecommerce/shopizer https://github.com/shopizer-ecommerce/shopizer/issues/1093 |
| n/a--shopizer v3.2.5 | A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary files to any writeable path via a crafted POST request. | 2026-04-30 | not yet calculated | CVE-2026-36767 | https://github.com/shopizer-ecommerce/shopizer https://github.com/shopizer-ecommerce/shopizer/issues/1091 |
| Totolink[.]net -- TOTOLINK A3002RU v3 | TOTOLINK A3002RU V3 <= V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the hostname parameter in the formMapDelDevice function. | 2026-04-29 | not yet calculated | CVE-2026-36837 | https://github.com/0xmania/cve/tree/main/TOTOLINK-A3002RUV3.0-boa-formMapDelDevice-StackOverflow |
| Totolink[.]net -- TOTOLINK N200RE v5 | TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function. | 2026-04-29 | not yet calculated | CVE-2026-36841 | https://github.com/0xmania/cve/tree/main/TOTOLINK-N200RE_V5-cstecgi-formMapDelDevice-CommandInjection |
| Dbitnet[.]com -- Dbit N300 router v.1.0 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints such as /api/setWlan. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action. | 2026-04-30 | not yet calculated | CVE-2026-36956 | http://dbit.com https://github.com/kirubel-cve/CVE-2026-36956 |
| Dbitnet[.]com -- Dbit N300 router v.1.0 | Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. By initiating a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources, including file descriptors and memory buffers. This results in a kernel deadlock or system hang that disables the web management portal and all routing capabilities. | 2026-04-30 | not yet calculated | CVE-2026-36957 | http://dbit.com https://github.com/kirubel-cve/CVE-2026-36957 |
| Dbitnet[.]com -- Dbit N300 router v.1.0 | A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require manual reboot to restore normal operation. | 2026-04-30 | not yet calculated | CVE-2026-36958 | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36958 |
| Dbitnet[.]com -- Dbit N300 router v.1.0 | U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized access to the router management interface. | 2026-04-30 | not yet calculated | CVE-2026-36959 | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36959 |
| Dbitnet[.]com -- Dbit N300 router v.1.0 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action. | 2026-04-30 | not yet calculated | CVE-2026-36960 | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36960 |
| n/a--FlowSpec operator array | An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component. | 2026-05-01 | not yet calculated | CVE-2026-37457 | https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c |
| n/a--Automotive Grade Linux (AGL) | AGL agl-service-can-low-level thru 17.1.12 contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE. | 2026-05-01 | not yet calculated | CVE-2026-37530 | https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a--Automotive Open SAE J1939 protocol CAN-Bus) | Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Transport_Protocol_Data_Transfer,allows attackers to write to arbitrary memory via crafted sequence number from the CAN frame. | 2026-05-01 | not yet calculated | CVE-2026-37534 | https://github.com/DanielMartensson/Open-SAE-J1939 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a--socketcand 0.4.2 | Buffer overflow vulnerability in socketcand 0.4.2 in file socketcand.c in function main allows attackers to cause a denial of service or other unspecified impacts via crafted bus_name. | 2026-05-01 | not yet calculated | CVE-2026-37538 | https://github.com/dschanoeh/socketcand https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a--libsndfile 1.2.2 | An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065. | 2026-04-29 | not yet calculated | CVE-2026-37555 | https://github.com/libsndfile/libsndfile/issues/833 https://github.com/libsndfile/libsndfile/commit/9a829113c88a51e57c1e46473e90609e4b7df151 https://gist.github.com/sgInnora/a5f5c19e4bf6f4fb74fab7b0ef2bfcc1 |
| n/a--School Management System | A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php. | 2026-04-28 | not yet calculated | CVE-2026-37750 | https://github.com/mahmoudai1/school-management-system https://github.com/mahmoudai1/school-management-system/blob/main/register.php https://github.com/menevarad007/CVE-2026-37750 |
| n/a--Netmaker v1.5.0 | Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information | 2026-04-28 | not yet calculated | CVE-2026-38651 | https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b https://www.zyenra.com/blog/netmaker-jwt-verification-bypass https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass |
| Moxa--EDR-8010 Series | An improper ownership management vulnerability has been identified in Moxa's Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition - when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified. | 2026-04-27 | not yet calculated | CVE-2026-3867 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons |
| Moxa--EDR-8010 Series | An improper handling of the length parameter inconsistency vulnerability has been identified in Moxa's Secure Router. Because of improper validation of length parameters in the HTTPS management interface, an unauthenticated remote attacker could send specially crafted requests that trigger a buffer overflow condition, causing the web service to become unresponsive. Successful exploitation may result in a denial-of-service condition requiring a device reboot to restore normal operation. While successful exploitation can severely impact the availability of the affected device, no impact to the confidentiality or integrity of the affected product has been identified. Additionally, no confidentiality, integrity, or availability impact to the subsequent system has been identified. | 2026-04-27 | not yet calculated | CVE-2026-3868 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons |
| n/a--diskoverdata v.2.3.5 | Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php | 2026-04-27 | not yet calculated | CVE-2026-38934 | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38934 |
| n/a--diskoverdata v.2.3.5 | A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter | 2026-04-27 | not yet calculated | CVE-2026-38935 | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38935 |
| n/a--diskoverdata v.2.3.5 | A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter | 2026-04-27 | not yet calculated | CVE-2026-38936 | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38936 |
| n/a--mvc-ecommerce v.1.0 | Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php component | 2026-04-30 | not yet calculated | CVE-2026-38939 | https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8 |
| n/a--TOKO-ONLINE-ROTI v.1.0 | Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component | 2026-04-30 | not yet calculated | CVE-2026-38940 | https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8 |
| n/a--FUEL CMS v1.5.2 | Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code. | 2026-04-28 | not yet calculated | CVE-2026-38948 | https://github.com/daylightstudio/FUEL-CMS https://www.youtube.com/watch?v=lLCF0xbjecQ https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md |
| n/a--HTMLy v3.1.1 | Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code | 2026-04-28 | not yet calculated | CVE-2026-38949 | https://github.com/danpros/htmly https://youtu.be/3e-tzUMCox8 https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md |
| n/a--Cockpit v2.13.5 | Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code to be executed on the underlying server. | 2026-04-29 | not yet calculated | CVE-2026-38991 | https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/ |
| n/a--Cockpit v2.13.5 | Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator. | 2026-04-29 | not yet calculated | CVE-2026-38992 | https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/ |
| n/a--Cockpit v2.13.5 | Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions. | 2026-04-29 | not yet calculated | CVE-2026-38993 | https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/ |
| FreeBSD--FreeBSD | When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges. | 2026-04-30 | not yet calculated | CVE-2026-39457 | https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc |
| mtrudel--bandit | Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill. This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0. | 2026-05-01 | not yet calculated | CVE-2026-39804 | https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j https://cna.erlef.org/cves/CVE-2026-39804.html https://osv.dev/vulnerability/EEF-CVE-2026-39804 https://github.com/mtrudel/bandit/commit/8156921a51e684a951221da7bc30a70a022f722e |
| mtrudel--bandit | Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging. This issue affects bandit: before 1.11.0. | 2026-05-01 | not yet calculated | CVE-2026-39805 | https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7 https://cna.erlef.org/cves/CVE-2026-39805.html https://osv.dev/vulnerability/EEF-CVE-2026-39805 https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1 |
| mtrudel--bandit | Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport's secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated. Downstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL's already-secure branch skips its HTTP→HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions. This issue affects bandit: from 1.0.0 before 1.11.0. | 2026-05-01 | not yet calculated | CVE-2026-39807 | https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j https://cna.erlef.org/cves/CVE-2026-39807.html https://osv.dev/vulnerability/EEF-CVE-2026-39807 https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667 |
| traefik--traefik | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context - such as a trusted scheme or host - through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. | 2026-04-30 | not yet calculated | CVE-2026-39858 | https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm https://github.com/traefik/traefik/releases/tag/v2.11.43 https://github.com/traefik/traefik/releases/tag/v3.6.14 https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2 |
| Apache Software Foundation--Apache Camel Platform HTTP Main | When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at _path_* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/_route_ or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information. This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40022 | https://camel.apache.org/security/CVE-2026-40022.html |
| Apache Software Foundation--Apache Camel PQC | The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application - for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack - can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40048 | https://camel.apache.org/security/CVE-2026-40048.html |
| helpyio--helpy | Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users.This issue affects helpy: 2.8.0. | 2026-04-29 | not yet calculated | CVE-2026-40229 | https://fluidattacks.com/es/advisories/offspring https://github.com/helpyio/helpy |
| helpyio--helpy | Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of a knowledge base Doc.This issue affects helpy: 2.8.0. | 2026-04-29 | not yet calculated | CVE-2026-40230 | https://fluidattacks.com/es/advisories/prisioneros https://github.com/helpyio/helpy |
| Apache Software Foundation--Apache Camel JMS | The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40453 | https://camel.apache.org/security/CVE-2026-40453.html |
| Apache Software Foundation--Apache Camel Mina | The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40473 | https://camel.apache.org/security/CVE-2026-40473.html |
| BinSoft--mpGabinet | mpGabinet is vulnerable to Privilege Escalation due to excessive database privileges assigned to the user used by the application. An attacker with access to any running application instance connected to the backend server can extract database credentials from the application's memory by inspecting the running process. While ability to retrieve credentials from memory is expected behavior, the exposed credentials grant administrative access to the database, exceeding the privileges required for normal application functionality. This allows an attacker to perform actions beyond those permitted through the application interface. This issue affects mpGabinet version 23.12.19 and below. | 2026-04-28 | not yet calculated | CVE-2026-40550 | https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/ |
| BinSoft--mpGabinet | mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. This issue affects mpGabinet version 23.12.19 and below. | 2026-04-28 | not yet calculated | CVE-2026-40551 | https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/ |
| BinSoft--mpGabinet | mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system. Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account. This issue affects mpGabinet version 23.12.19 and below. | 2026-04-28 | not yet calculated | CVE-2026-40552 | https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/ |
| Apache Software Foundation--Apache Storm Prometheus Reporter | Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials. Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate. | 2026-04-27 | not yet calculated | CVE-2026-40557 | https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq |
| MIYAGAWA--Starman | Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy. | 2026-04-28 | not yet calculated | CVE-2026-40560 | https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 |
| KAZUHO--Starlet | Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy. | 2026-05-03 | not yet calculated | CVE-2026-40561 | https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0.patch |
Vulnerability Summary for the Week of April 20, 2026
Posted on Tuesday April 28, 2026
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Thinkphp--ThinkPHP | ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges. | 2026-04-22 | 9.8 | CVE-2018-25270 | ExploitDB-45978 Official Product Homepage Product Reference VulnCheck Advisory: ThinkPHP 5.0.23 Remote Code Execution via invokefunction |
| Elba--ELBA5 | ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands via the xp_cmdshell stored procedure or add backdoor users to the BEDIENER table. | 2026-04-22 | 9.8 | CVE-2018-25272 | ExploitDB-45905 Official Product Homepage VulnCheck Advisory: ELBA5 5.8.0 Remote Code Execution via Database Access |
| Lizardsystems--Terminal Services Manager | Terminal Services Manager 3.1 contains a stack-based buffer overflow vulnerability in the computer names field that allows local attackers to execute arbitrary code by triggering structured exception handling. Attackers can craft a malicious input file with shellcode and jump instructions that overwrite the SEH handler pointer to execute calc.exe or other payloads when imported through the add computers wizard. | 2026-04-22 | 8.4 | CVE-2018-25259 | ExploitDB-46058 Official Product Homepage VulnCheck Advisory: Terminal Services Manager 3.1 Buffer Overflow SEH |
| Magix--MAGIX Music Editor | MAGIX Music Editor 3.1 contains a buffer overflow vulnerability in the FreeDB Proxy Options dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft a malicious payload, paste it into the Server field via the CD menu's FreeDB Proxy Options, and trigger code execution when settings are accepted. | 2026-04-22 | 8.4 | CVE-2018-25260 | ExploitDB-46056 Official Product Homepage Product Reference VulnCheck Advisory: MAGIX Music Editor 3.1 Buffer Overflow via SEH |
| Iperiusbackup--Iperius Backup | Iperius Backup 5.8.1 contains a local buffer overflow vulnerability in the structured exception handling (SEH) mechanism that allows local attackers to execute arbitrary code by supplying a malicious file path. Attackers can create a backup job with a crafted payload in the external file location field that triggers a buffer overflow when the backup job executes, enabling code execution with application privileges. | 2026-04-22 | 8.4 | CVE-2018-25261 | ExploitDB-46059 Official Product Homepage VulnCheck Advisory: Iperius Backup 5.8.1 Local Buffer Overflow SEH |
| faleemi--Faleemi Desktop Software | Faleemi Desktop Software 1.8.2 contains a local buffer overflow vulnerability in the Device alias field that allows local attackers to trigger a structured exception handler (SEH) overwrite. Attackers can craft a malicious payload and paste it into the Device alias field within the Managing Log interface to execute arbitrary code with calculator proof-of-concept execution. | 2026-04-26 | 8.4 | CVE-2018-25263 | ExploitDB-45492 Product Reference VulnCheck Advisory: Faleemi Desktop Software 1.8.2 Local Buffer Overflow SEH |
| Lizardsystems--LanSpy | LanSpy 2.0.1.159 contains a local buffer overflow vulnerability in the scan section that allows local attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Attackers can craft malicious payloads using egghunter techniques to locate and execute shellcode, triggering code execution through SEH chain manipulation and controlled jumps. | 2026-04-22 | 8.4 | CVE-2018-25265 | ExploitDB-46018 Official Product Homepage VulnCheck Advisory: LanSpy 2.0.1.159 Local Buffer Overflow |
| Lizardsystems--LanSpy | LanSpy 2.0.1.159 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying oversized input to the scan field. Attackers can craft a payload with 688 bytes of padding followed by 4 bytes of controlled data to crash the application or potentially achieve code execution. | 2026-04-22 | 8.4 | CVE-2018-25268 | ExploitDB-45968 Official Product Homepage VulnCheck Advisory: LanSpy 2.0.1.159 Local Buffer Overflow via Scan Field |
| Securimport--iSmartViewPro | iSmartViewPro 1.5 contains a structured exception handling (SEH) buffer overflow vulnerability in the 'Save Path for Snapshot and Record file' field that allows local attackers to execute arbitrary code. Attackers can input a crafted payload exceeding 260 bytes through the System Setup interface to overwrite SEH records and execute shellcode with application privileges. | 2026-04-26 | 8.4 | CVE-2018-25283 | ExploitDB-45349 Product Reference VulnCheck Advisory: iSmartViewPro 1.5 Buffer Overflow via SavePath Parameter |
| Cewe-Photoworld--CEWE Photoshow | CEWE Photoshow 6.3.4 contains a buffer overflow vulnerability in the login dialog that allows attackers to crash the application by submitting oversized input. Attackers can inject 4000 bytes of data into the email address and password fields to trigger a denial of service condition. | 2026-04-26 | 7.5 | CVE-2018-25294 | ExploitDB-45211 Official Product Homepage Product Reference VulnCheck Advisory: CEWE Photoshow 6.3.4 Buffer Overflow Denial of Service |
| Fortra--GoAnywhere MFT | The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force. | 2026-04-21 | 7.3 | CVE-2025-14362 | https://fortra.com/security/advisories/product-security/FI-2026-002 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Angryip--Angry IP Scanner for Linux | Angry IP Scanner for Linux 3.5.3 contains a denial of service vulnerability that allows local attackers to crash the application by supplying malformed input to the port selection field. Attackers can craft a malicious string containing buffer overflow patterns and paste it into the Preferences Ports tab to trigger an application crash. | 2026-04-22 | 6.2 | CVE-2018-25262 | ExploitDB-46038 Official Product Homepage VulnCheck Advisory: Angry IP Scanner for Linux 3.5.3 Denial of Service |
| Acutesystems--TransMac | TransMac 12.2 contains a buffer overflow vulnerability in the license key input field that allows local attackers to crash the application by submitting an oversized string. Attackers can generate a payload file containing 4000 bytes of data, paste it into the License Key field, and trigger a denial of service condition. | 2026-04-26 | 6.2 | CVE-2018-25264 | ExploitDB-45493 VulnCheck Advisory: TransMac 12.2 Denial of Service via License Key Field |
| Angryip--Angry IP Scanner | Angry IP Scanner 3.5.3 contains a buffer overflow vulnerability in the preferences dialog that allows local attackers to crash the application by supplying an excessively large string. Attackers can generate a file containing a massive buffer of repeated characters and paste it into the unavailable value field in the display preferences to trigger a denial of service. | 2026-04-22 | 6.2 | CVE-2018-25266 | ExploitDB-45993 Official Product Homepage VulnCheck Advisory: Angry IP Scanner 3.5.3 Denial of Service via Preferences Buffer Overflow |
| Ultraiso--UltraISO | UltraISO 9.7.1.3519 contains a local buffer overflow vulnerability in the Output FileName field of the Make CD/DVD Image dialog that allows attackers to overwrite SEH and SE handler records. Attackers can craft a malicious filename string with 304 bytes of data followed by SEH record overwrite values and paste it into the Output FileName field to trigger a denial of service crash. | 2026-04-22 | 6.2 | CVE-2018-25267 | ExploitDB-45996 Official Product Homepage VulnCheck Advisory: UltraISO 9.7.1.3519 Buffer Overflow via Output FileName |
| icewarp--ICEWARP Client | ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information. | 2026-04-22 | 6.1 | CVE-2018-25269 | ExploitDB-45974 Official Product Homepage VulnCheck Advisory: ICEWARP 11.0.0.0 Cross-Site Scripting via Email HTML Injection |
| Textpad--Textpad | Textpad 8.1.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long buffer string through the Run command interface. Attackers can paste a 5000-byte payload into the Command field via Tools > Run to trigger a buffer overflow that crashes the application. | 2026-04-22 | 6.2 | CVE-2018-25271 | ExploitDB-45956 Official Product Homepage Product Reference VulnCheck Advisory: Textpad 8.1.2 Denial of Service via Run Command |
| Acutesystems--CrossFont | CrossFont 7.5 contains a buffer overflow vulnerability that allows local attackers to crash the application by submitting an oversized payload in the License Key field. Attackers can generate a malicious file containing 4000 bytes of data, paste it into the License Key input field, and trigger an application crash when processing the input. | 2026-04-26 | 6.2 | CVE-2018-25273 | ExploitDB-45494 VulnCheck Advisory: CrossFont 7.5 Denial of Service via License Key Field |
| infrarecorder--InfraRecorder | InfraRecorder 0.53 contains a denial of service vulnerability that allows local attackers to crash the application by importing a maliciously crafted text file. Attackers can create a text file containing 6000 bytes of data and import it through the Edit menu's Import function to trigger an application crash. | 2026-04-26 | 6.2 | CVE-2018-25274 | ExploitDB-45413 VulnCheck Advisory: InfraRecorder 0.53 Denial of Service via txt File Import |
| faleemi--Faleemi Plus | Faleemi Plus 1.0.2 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input strings. Attackers can paste a 2000-byte payload into the Camera name and DID number fields during camera addition to trigger an application crash. | 2026-04-26 | 6.2 | CVE-2018-25275 | ExploitDB-45414 Product Reference VulnCheck Advisory: Faleemi Plus 1.0.2 Denial of Service via Buffer Overflow |
| Br-Software--PixGPS | PixGPS 1.1.8 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized string to the folder path input field. Attackers can craft a payload exceeding 6000 bytes and paste it into the 'Folder with picture files' field to trigger a denial of service condition. | 2026-04-26 | 6.2 | CVE-2018-25277 | ExploitDB-45381 Product Reference VulnCheck Advisory: PixGPS 1.1.8 Buffer Overflow Denial of Service |
| Picajet--PicaJet FX | PicaJet FX 2.6.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to registration fields. Attackers can paste a 6000-byte buffer into the Registration Name and Registration Key fields via the Help menu's Register PicaJet dialog to trigger an application crash. | 2026-04-26 | 6.2 | CVE-2018-25278 | ExploitDB-45383 VulnCheck Advisory: PicaJet FX 2.6.5 Denial of Service via Registration Fields |
| Convertimagetotext--jiNa OCR Image to Text | jiNa OCR Image to Text 1.0 contains a denial of service vulnerability that allows local attackers to crash the application by processing a malformed PNG file. Attackers can create a specially crafted PNG file with an oversized buffer and trigger the crash when the application attempts to convert the file to PDF. | 2026-04-26 | 6.2 | CVE-2018-25279 | ExploitDB-45380 Product Reference VulnCheck Advisory: jiNa OCR Image to Text 1.0 Denial of Service via PNG |
| ZenMap--ZenMap | Nmap 7.70 contains a denial of service vulnerability that allows local attackers to crash the application by processing malicious XML files with exponential entity expansion. Attackers can create a crafted XML file with nested entity definitions and open it through ZenMap's scan import functionality to cause the program to consume excessive system resources and crash. | 2026-04-26 | 6.2 | CVE-2018-25282 | ExploitDB-45357 Product Reference VulnCheck Advisory: Nmap 7.70 Denial of Service via XML Entity Expansion |
| Hdtune--HD Tune Pro | HD Tune Pro 5.70 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the folder/file name field. Attackers can trigger a denial of service by entering a 6000-byte payload through the File > Options > Save dialog's folder/file name input field. | 2026-04-26 | 6.2 | CVE-2018-25284 | ExploitDB-45298 Official Product Homepage Product Reference VulnCheck Advisory: HD Tune Pro 5.70 Denial of Service via Options Dialog |
| Hdtune--Easy PhotoResQ | Easy PhotoResQ 1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Folder/filename field. Attackers can input a 6000-byte payload through the File Options dialog to trigger a denial of service condition. | 2026-04-26 | 6.2 | CVE-2018-25286 | ExploitDB-45300 Official Product Homepage VulnCheck Advisory: Easy PhotoResQ 1.0 Buffer Overflow Denial of Service |
| Editorsoftware--StyleWriter | StyleWriter 1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a 6000-byte payload into the Pattern to Find or Advice Message fields in the Add Pattern dialog to trigger a denial of service condition. | 2026-04-26 | 6.2 | CVE-2018-25288 | ExploitDB-45250 Official Product Homepage Product Reference VulnCheck Advisory: StyleWriter 1.0 Denial of Service via Pattern Input |
| Ezbsystems--Softdisk | Softdisk 3.0.3 contains a buffer overflow vulnerability in the registration code dialog that allows local attackers to crash the application by supplying an oversized string. Attackers can trigger the vulnerability by entering a 6000-byte payload in the Registration Name field through the Help menu's Enter Registration Code dialog to cause a denial of service. | 2026-04-26 | 6.2 | CVE-2018-25289 | ExploitDB-45245 Official Product Homepage Product Reference VulnCheck Advisory: Softdisk 3.0.3 Buffer Overflow Denial of Service |
| Ezbsystems--Easyboot | Easyboot 6.6.0 contains a buffer overflow vulnerability in the Replace Text function that allows local attackers to crash the application by supplying an oversized string. Attackers can trigger the vulnerability by accessing File > Tools > Replace Text and pasting a 7000-byte payload into the text fields to cause a denial of service. | 2026-04-26 | 6.2 | CVE-2018-25290 | ExploitDB-45241 Official Product Homepage VulnCheck Advisory: Easyboot 6.6.0 Buffer Overflow Denial of Service |
| Pj64-Emu--Project64 | Project64 2.3.2 contains a buffer overflow vulnerability in the Plugin Directory settings field that allows local attackers to crash the application by supplying an excessively long string. Attackers can input a 6000-byte payload into the Plugin Directory field through the Options > Settings > Directories interface to trigger an application crash when settings are reopened. | 2026-04-26 | 6.2 | CVE-2018-25291 | ExploitDB-45229 Official Product Homepage VulnCheck Advisory: Project64 2.3.2 Denial of Service via Plugin Directory |
| Bome--Restorator | Bome Restorator 1793 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can create a malicious payload exceeding 4000 bytes and paste it into the Name input field to trigger an application crash and denial of service. | 2026-04-26 | 6.2 | CVE-2018-25292 | ExploitDB-45223 Official Product Homepage Product Reference VulnCheck Advisory: Bome Restorator 1793 Denial of Service via Buffer Overflow |
| Mersenne--Prime95 | Prime95 29.4b7 contains a buffer overflow vulnerability in the PrimeNet connection dialog that allows local attackers to crash the application by supplying an excessively long string in the optional proxy password field. Attackers can trigger a denial of service by entering a 6000-byte payload into the proxy password parameter, causing the application to crash when processing the connection settings. | 2026-04-26 | 6.2 | CVE-2018-25293 | ExploitDB-45226 Official Product Homepage Product Reference VulnCheck Advisory: Prime95 29.4b7 Denial of Service via Proxy Password Field |
| P10--ObserverIP Scan Tool | ObserverIP Scan Tool 1.4.0.1 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string in the IP input field. Attackers can paste a 2000-byte buffer of repeated characters into the IP field and trigger a search operation to cause an application crash. | 2026-04-26 | 6.2 | CVE-2018-25295 | ExploitDB-45204 Official Product Homepage Product Reference VulnCheck Advisory: ObserverIP Scan Tool 1.4.0.1 Denial of Service via IP Field |
| Wansview--Wansview | Wansview 1.0.2 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input strings. Attackers can inject 2000-byte payloads into the Camera name and DID number fields during camera addition to trigger application crashes. | 2026-04-26 | 6.2 | CVE-2018-25297 | ExploitDB-45194 VulnCheck Advisory: Wansview 1.0.2 Denial of Service via Buffer Overflow |
| 94Cb--Carbon Forum | Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft. | 2026-04-22 | 6.4 | CVE-2024-58344 | ExploitDB-52043 Official Product Homepage Product Reference VulnCheck Advisory: Carbon Forum 5.9.0 Persistent XSS via Forum Name Field |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service under certain conditions by exhausting server resources by making crafted requests to a discussions endpoint. | 2026-04-22 | 6.5 | CVE-2025-0186 | HackerOne Bug Bounty Report #2915694 https://gitlab.com/gitlab-org/gitlab/-/work_items/511312 https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API. | 2026-04-22 | 6.5 | CVE-2025-3922 | HackerOne Bug Bounty Report #3098035 https://gitlab.com/gitlab-org/gitlab/-/work_items/537422 https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/ |
| Picajet--RoboImport | RoboImport 1.2.0.72 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to registration fields. Attackers can paste a 6000-byte buffer into the Registration Name and Registration Key fields and click Register to trigger an application crash. | 2026-04-26 | 5.5 | CVE-2018-25276 | ExploitDB-45382 Product Reference VulnCheck Advisory: RoboImport 1.2.0.72 Denial of Service via Registration Fields |
| Infiltration-Systems--Infiltrator Network Security Scanner | Infiltrator Network Security Scanner 4.6 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized input string. Attackers can paste a 6000-byte payload into the Scan Target field and trigger a denial of service condition when the Scan button is clicked. | 2026-04-26 | 5.5 | CVE-2018-25280 | ExploitDB-45390 Product Reference VulnCheck Advisory: Infiltrator Network Security Scanner 4.6 Denial of Service |
| Maxprog--iCash | iCash 7.6.5 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload through the Connect to Server dialog. Attackers can paste a 7000-byte string into the Host field and click Connect to trigger an application crash. | 2026-04-26 | 5.5 | CVE-2018-25281 | ExploitDB-45388 VulnCheck Advisory: iCash 7.6.5 Denial of Service via Connect to Server |
| Fathom--Fathom | Fathom 2.4 contains a buffer overflow vulnerability in the Authorization Code field that allows local attackers to crash the application by submitting an oversized input string. Attackers can paste a 6000-byte payload into the Authorization Code field and click Activate to trigger a denial of service condition. | 2026-04-26 | 5.5 | CVE-2018-25285 | ExploitDB-45294 Official Product Homepage Product Reference VulnCheck Advisory: Fathom 2.4 Denial of Service via Authorization Code Buffer Overflow |
| Hdtune--Drive Power Manager | Drive Power Manager 1.10 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a 6000-byte payload into the Name field and click Register to trigger a denial of service condition. | 2026-04-26 | 5.5 | CVE-2018-25287 | ExploitDB-45299 Official Product Homepage VulnCheck Advisory: Drive Power Manager 1.10 Denial of Service via Name Field |
| P10--Central Management Software | P10 Central Management Software 1.4.13 contains a buffer overflow vulnerability in the login password field that allows local attackers to crash the application by submitting an oversized input string. Attackers can paste a 2000-byte payload into the password field and click login to trigger an application crash and denial of service. | 2026-04-26 | 5.5 | CVE-2018-25296 | ExploitDB-45207 Official Product Homepage VulnCheck Advisory: P10 Central Management Software 1.4.13 Denial of Service |
| Fortra--GoAnywhere MFT | Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data. | 2026-04-21 | 5.8 | CVE-2025-1241 | https://fortra.com/security/advisories/product-security/FI-2026-001 |
| OpenSC--OpenSC | Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs | 2026-04-23 | 5.7 | CVE-2025-13763 | https://access.redhat.com/security/cve/CVE-2025-13763 RHBZ#2417581 https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv https://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763 |
| HCLSoftware--BigFix Service Management (SM) | HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encryption due to port 80 (HTTP) being open, allowing unencrypted access. An attacker with access to the network traffic can sniff packets from the connection and uncover the data. | 2026-04-21 | 5.3 | CVE-2025-31981 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127605 |
| IBM--Security Verify Directory (Container) | IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A privileged user could upload malicious files into the system that can be sent to victims for performing further attacks against the system. | 2026-04-22 | 5.5 | CVE-2025-36074 | https://www.ibm.com/support/pages/node/7268907 |
| hubspotdev--HubSpot All-In-One Marketing Forms, Popups, Live Chat | The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks. | 2026-04-24 | 4.3 | CVE-2025-11762 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2a8c62e6-f459-433a-b0c4-c79285ea7fe9?source=cve https://research.cleantalk.org/CVE-2025-11762 https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.33/public/admin/class-adminconstants.php |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| HCLSoftware--BigFix Service Management (SM) | HCL BigFix Service Management is susceptible to HTTP Request Smuggling. HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP Smuggling exploits inconsistencies in request parsing between front-end and back-end servers, allowing attackers to bypass security controls and perform attacks like cache poisoning or request hijacking. | 2026-04-21 | 3.7 | CVE-2025-31958 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124209 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| NWCLARK--Storable | Storable versions before 3.05 for Perl has a stack overflow. The retrieve_hook function stored the length of the class name into a signed integer but in read operations treated the length as unsigned. This allowed an attacker to craft data that could trigger the overflow. | 2026-04-21 | not yet calculated | CVE-2017-20230 | https://github.com/Perl/perl5/issues/15831 https://github.com/Perl/perl5/commit/a258c17c6937f79529c8319a829310e09cdbd216.patch https://metacpan.org/release/RURBAN/Storable-3.05/changes https://www.nntp.perl.org/group/perl.perl5.porters/2017/01/msg242533.html https://www.nntp.perl.org/group/perl.perl5.porters/2017/01/msg242703.html |
| Seeyon Internet Software--A8-V5 Collaborative Management Software | Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC). | 2026-04-21 | not yet calculated | CVE-2019-25714 | https://sourceforge.net/software/product/A8/ https://web.archive.org/web/20190821034711/http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/ https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/%E8%87%B4%E8%BF%9Coa/%E8%87%B4%E8%BF%9C%20OA%20A8%20htmlofficeservlet%20getshell%20%E6%BC%8F%E6%B4%9E/ https://static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com/download/pdf/90916/Security_Notification_reseller_en-US.pdf https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=31713 https://www.fortiguard.com/encyclopedia/ips/48874/seeyon-office-anywhere-htmlofficeservlet-arbitrary-file-upload https://www.vulncheck.com/advisories/seeyon-office-anywhere-oa-a8-unauthenticated-arbitrary-file-write-via-htmlofficeservlet |
| Unknown--Email Encoder | The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2026-04-20 | not yet calculated | CVE-2024-7083 | https://wpscan.com/vulnerability/7aeb6891-e159-4ed8-b1a9-a551140c9fcc/ |
| Semantic MediaWiki--Semantic MediaWiki | Cross-Site Scripting (XSS) vulnerability reflected in Semantic MediaWiki. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-04-21 | not yet calculated | CVE-2025-10354 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-semantic-mediawiki |
| EfficientLab, LLC--Controlio | EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\SYSTEM. | 2026-04-23 | not yet calculated | CVE-2025-10549 | https://r.sec-consult.com/controlio https://kb.controlio.net/hc/en-us/articles/45777908471185-Client-Update-April-15-2026-ver-1-3-95 |
| Fudo Security--Fudo Enterprise | Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been fixed in version 5.6.3 | 2026-04-20 | not yet calculated | CVE-2025-13480 | https://www.fudosecurity.com/product/enterprise https://cert.pl/en/posts/2026/04/CVE-2025-13480 https://download.fudosecurity.com/documentation/fudo/5_6/rn/RN_5.6.3.pdf |
| Zervit--portable HTTP/Web server | Zervit's portable HTTP/web server is vulnerable to remote DoS attacks when a configuration reset request is made. The vulnerability is caused by inadequate validation of user-supplied input. An attacker can exploit this vulnerability by sending malicious requests. If the vulnerability is successfully exploited, the application can be made to stop responding, resulting in a DoS condition. It is possible to manually restart the application. | 2026-04-21 | not yet calculated | CVE-2025-13826 | https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-input-validation-zervit-portable-httpweb-server |
| ATRODO--Net:Dropbear | Net:Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt. Net:Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437. | 2026-04-21 | not yet calculated | CVE-2025-15638 | https://www.cve.org/CVERecord?id=CVE-2016-6129 https://www.cve.org/CVERecord?id=CVE-2018-12437 https://metacpan.org/release/ATRODO/Net-Dropbear-0.14/source/dropbear/libtomcrypt/changes |
| PHP Point Of Sale--PHP Point Of Sale | HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer', ussing 'start_date_formatted' y 'end_date_formatted' parameters. | 2026-04-21 | not yet calculated | CVE-2025-41011 | https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-php-point-sale-0 |
| Zeon Global Tech--Zeon Academy Pro | SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'. | 2026-04-21 | not yet calculated | CVE-2025-41029 | https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-zeon-academy-pro-zeon-global-tech |
Vulnerability Summary for the Week of April 13, 2026
Posted on Tuesday April 21, 2026
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Grafana--Pyroscope | Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems. This vulnerability is fixed in versions: 1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions). Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program. | 2026-04-15 | 9.1 | CVE-2025-41118 | https://grafana.com/security/security-advisories/cve-2025-41118 |
| n/a--Grocery Store Management System v1.0 | Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter. | 2026-04-14 | 9.8 | CVE-2025-63939 | https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939 |
| n/a--manikandan580 School-management-system v1.0 | In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter. | 2026-04-14 | 9.8 | CVE-2025-65135 | https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-65135 |
| Owen--WebStack | The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-04-15 | 9.8 | CVE-2026-1555 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b97805de-1b47-4c9f-baae-2e37c1b78570?source=cve https://github.com/owen0o0/WebStack/blob/master/inc/ajax.php#L5 https://github.com/owen0o0/WebStack/tree/master |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. | 2026-04-15 | 9.9 | CVE-2026-20147 | cisco-sa-ise-rce-traversal-8bYndVrZ |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. | 2026-04-15 | 9.9 | CVE-2026-20180 | cisco-sa-ise-rce-4fverepv |
| Cisco--Cisco Webex Meetings | A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of improper certificate validation. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services. | 2026-04-15 | 9.8 | CVE-2026-20184 | cisco-sa-webex-cui-cert-8jSZYhWL |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. | 2026-04-15 | 9.9 | CVE-2026-20186 | cisco-sa-ise-rce-4fverepv |
| Ubiquiti Inc--UniFi Play PowerAmp | A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE). Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later | 2026-04-13 | 9.8 | CVE-2026-22562 | https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 |
| Ubiquiti Inc--UniFi Play PowerAmp | A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later | 2026-04-13 | 9.8 | CVE-2026-22563 | https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 |
| Ubiquiti Inc--UniFi Play PowerAmp | An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later | 2026-04-13 | 9.8 | CVE-2026-22564 | https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 |
| Festo--MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L4-AGD | In products of the MSE6 product-family by Festo a remote authenticated, low privileged attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality, integrity and availability. | 2026-04-16 | 8.8 | CVE-2023-3634 | https://certvde.com/de/advisories/VDE-2023-020/ https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2023/fsa-202304.json |
| shahinurislam--Career Section | The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action in the 'appform_options_page_html' function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-04-16 | 8.8 | CVE-2025-14868 | https://www.wordfence.com/threat-intel/vulnerabilities/id/84936b68-923a-4da1-ae67-1d63d025342e?source=cve https://plugins.trac.wordpress.org/changeset/3474216/career-section |
| Nozomi Networks--Guardian | An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality can perform administrative actions on it, altering the rules configuration, and/or affecting their availability. | 2026-04-15 | 8.1 | CVE-2025-40897 | https://security.nozominetworks.com/NN-2026:1-01 |
| Nozomi Networks--Guardian | A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information. | 2026-04-15 | 8.9 | CVE-2025-40899 | https://security.nozominetworks.com/NN-2026:2-01 |
| livemesh--Livemesh Addons by Elementor | The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor. | 2026-04-16 | 8.8 | CVE-2026-1620 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2483875a-84de-4a40-a69e-aee68da1ce3b?source=cve https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L669 https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L669 https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L671 https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L671 |
| Cloud Foundry--UUA | Cloud Foundry UUA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted. This issue affects UUA from v77.30.0 to v78.7.0 (inclusive) and it affects CF Deployment from v48.7.0 to v54.14.0 (inclusive). | 2026-04-16 | 8.6 | CVE-2026-22734 | https://www.cloudfoundry.org/blog/cve-2026-22734-uaa-saml-2-0-signature-bypass/ |
| WSO2--WSO2 API Manager | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources. | 2026-04-16 | 7.5 | CVE-2024-2374 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/ |
| Bosch--BVMS | Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface. | 2026-04-15 | 7.5 | CVE-2024-33618 | https://psirt.bosch.com/security-advisories/BOSCH-SA-162032-BT.html |
| Dell--PowerProtect Data Domain BoostFS | Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an insufficiently protected credentials vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to credential exposure. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account. | 2026-04-17 | 7.8 | CVE-2025-36568 | https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| WC Lovers--WCFM Marketplace | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through 3.7.1. | 2026-04-15 | 7.6 | CVE-2025-63029 | https://patchstack.com/database/wordpress/plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-plugin-3-7-1-sql-injection-vulnerability?_s_id=cve |
| FirebirdSQL--firebird | Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher. | 2026-04-17 | 7.9 | CVE-2025-65104 | https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-mfpr-9886-xjhg https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.0 |
| Lenovo--Diagnostics | During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges. | 2026-04-15 | 7.1 | CVE-2026-0827 | https://support.lenovo.com/us/en/product_security/LEN-210693 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory. | 2026-04-15 | 7.1 | CVE-2026-20204 | https://advisory.splunk.com/advisories/SVD-2026-0403 |
| Splunk--Splunk MCP Server | In Splunk MCP Server app versions below 1.0.3 , a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users session and authorization tokens in clear text.<br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. <br><br>Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Connecting to MCP Server and Admin settings](https://help.splunk.com/en/splunk-enterprise/mcp-server-for-splunk-platform/connecting-to-mcp-server-and-admin-settings) in the Splunk documentation for more information. | 2026-04-15 | 7.2 | CVE-2026-20205 | https://advisory.splunk.com/advisories/SVD-2026-0407 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-04-14 | 7.8 | CVE-2026-20930 | Windows Management Services Elevation of Privilege Vulnerability |
| Ubiquiti Inc--UniFi Play PowerAmp | An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later | 2026-04-13 | 7.5 | CVE-2026-22566 | https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 |
| Eaton--IPP software | Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download center. | 2026-04-16 | 7.8 | CVE-2026-22619 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf |
| easyappointments--Easy Appointments | The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information. | 2026-04-17 | 7.5 | CVE-2026-2262 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e681aa8e-522e-4092-aa1f-8ada3097c8d6?source=cve https://plugins.trac.wordpress.org/browser/easy-appointments/tags/3.12.19/ea-blocks/ea-blocks.php#L190 https://plugins.trac.wordpress.org/browser/easy-appointments/trunk/ea-blocks/ea-blocks.php#L190 https://plugins.trac.wordpress.org/browser/easy-appointments/tags/3.12.19/ea-blocks/ea-blocks.php#L141 https://plugins.trac.wordpress.org/changeset/3485692/easy-appointments/trunk/ea-blocks/ea-blocks.php https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-appointments/tags/3.12.21&new_path=%2Feasy-appointments/tags/3.12.22 |
| Barracuda Networks--RMM | Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker-controlled files in this directory, which are then executed under the NT AUTHORITY\SYSTEM account during routine automation cycles, typically succeeding within the next execution cycle. | 2026-04-15 | 7.8 | CVE-2026-22676 | https://download.mw-rmm.barracudamsp.com/PDF/2025.2.2/RN_BRMM_2025.2.2_EN.pdf https://www.vulncheck.com/advisories/barracuda-rmm-privilege-escalation-via-insecure-directory-permissions |
| Fortinet--FortiAnalyzer Cloud | A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation | 2026-04-14 | 7.3 | CVE-2026-22828 | https://fortiguard.fortinet.com/psirt/FG-IR-26-121 |
| Eclipse Foundation--Eclipse Jetty | In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request. | 2026-04-14 | 7.4 | CVE-2026-2332 | https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf https://gitlab.eclipse.org/security/cve-assignment/-/issues/89 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| WSO2--WSO2 API Manager | The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking. | 2026-04-16 | 6.1 | CVE-2024-10242 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3741/ |
| WSO2--WSO2 Identity Server | Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire. | 2026-04-16 | 6 | CVE-2025-12624 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4684/ |
| flippercode--WP Maps Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters | The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-16 | 6.4 | CVE-2025-13364 | https://www.wordfence.com/threat-intel/vulnerabilities/id/91d6cf21-cb65-40cb-ad19-5a8e7179fd98?source=cve https://plugins.trac.wordpress.org/changeset?old_path=wp-google-map-plugin/tags/4.8.7/wp-google-map-plugin.php&new_path=wp-google-map-plugin/tags/4.8.8/wp-google-map-plugin.php |
| DesigningMedia--Eleganzo | The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary directories on the server, including the WordPress root directory. | 2026-04-14 | 6.5 | CVE-2025-15470 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7c5d7818-e548-4d8f-b847-396d528b58cd?source=cve https://testwp.local/wp-content/themes/eleganzo/welcome.php#L96 |
| Emarket-design--YouTube Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.1. | 2026-04-15 | 6.5 | CVE-2025-15636 | https://patchstack.com/database/wordpress/plugin/youtube-showcase/vulnerability/wordpress-youtube-showcase-plugin-3-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| HCLSoftware--Velocity | Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7. | 2026-04-13 | 6.8 | CVE-2025-31991 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130138 |
| ABB--AC800M (System 800xA) | A vulnerability exists in the command handling of the IEC 61850 communication stack included in the product revisions listed as affected in this CVE. An attacker with access to IEC 61850 networks could exploit the vulnera bility by using a specially crafted 61850 packet, forcing the communication interfaces of the PM 877, CI850 and CI868 modules into fault mode or causing unavailability of the S+ Operations 61850 connectivity, resulting in a denial-of-service situation. The System 800xA IEC61850 Connect is not affected. Note: This vulnerability does not impact on the overall availability and functionality of the S+ Operations node, only the 61850 communication function. This issue affects AC800M (System 800xA): from 6.0.0x through 6.0.0303.0, from 6.1.0x through 6.1.0031.0, from 6.1.1x through 6.1.1004.0, from 6.1.1x through 6.1.1202.0, from 6.2.0x through 6.2.0006.0; Symphony Plus SD Series: A_0, A_1, A_2.003, A_3.005, A_4.001, B_0.005; Symphony Plus MR (Melody Rack): from 3.10 through 3.52; S+ Operations: 2.1, 2.2, 2.3, 3.3. | 2026-04-13 | 6.5 | CVE-2025-3756 | https://search.abb.com/library/Download.aspx?DocumentID=7PAA020125&LanguageCode=en&DocumentPartId=&Action=Launch |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | 2026-04-16 | 6.6 | CVE-2025-43937 | https://www.dell.com/support/kbdoc/en-us/000376214/dsa-2025-347-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | 2026-04-17 | 6.2 | CVE-2025-46605 | https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | 2026-04-17 | 6.2 | CVE-2025-46606 | https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper authentication vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | 2026-04-17 | 6.6 | CVE-2025-46607 | https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper authentication vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | 2026-04-17 | 6.6 | CVE-2025-46641 | https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Fortinet--FortiOS | A missing authentication for critical function vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiOS 6.2.9 through 6.2.17 allows attacker to execute unauthorized code or commands via specially crafted packets. | 2026-04-14 | 6.2 | CVE-2025-53847 | https://fortiguard.fortinet.com/psirt/FG-IR-26-125 |
| WSO2--WSO2 API Manager | The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies. | 2026-04-16 | 6.1 | CVE-2025-6024 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4251/ |
| Fortinet--FortiManager | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.8, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.8, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.8, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged authenticated attacker to execute unauthorized code or commands via JSON RPC API | 2026-04-14 | 6.8 | CVE-2025-61848 | https://fortiguard.fortinet.com/psirt/FG-IR-26-111 |
| leaflet[.]com--Leaflet 1.9.4 | Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session. | 2026-04-14 | 6.1 | CVE-2025-69993 | http://leaflet.com https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md |
| Microsoft--Windows 10 Version 1607 | Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally. | 2026-04-14 | 6.7 | CVE-2026-0390 | UEFI Secure Boot Security Feature Bypass Vulnerability |
| SAP_SE--SAP Supplier Relationship Management (SICF Handler in SRM Catalog) | Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected. | 2026-04-14 | 6.1 | CVE-2026-0512 | https://me.sap.com/notes/3645228 https://url.sap/sapsecuritypatchday |
| turn2honey--EMC Easily Embed Calendly Scheduling | The EMC - Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-19 | 6.4 | CVE-2026-0868 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d5653ebe-7145-4b1c-94f8-ca87ed0dc4f5?source=cve https://plugins.trac.wordpress.org/changeset/3466576/embed-calendly-scheduling |
| vanderwijk--Content Blocks (Custom Post Widget) | The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-created content blocks. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-18 | 6.4 | CVE-2026-0894 | https://www.wordfence.com/threat-intel/vulnerabilities/id/246dee15-82e0-4630-8d95-d2419e9eaef8?source=cve https://plugins.trac.wordpress.org/changeset/3447914/custom-post-widget |
| youzify--Youzify BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress | The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-18 | 6.4 | CVE-2026-1559 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6bd69711-8303-4086-87c3-eb2935a89aff?source=cve https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/wall/class-youzify-form.php#L506 https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.6/includes/public/core/wall/class-youzify-form.php#L506 https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/class-youzify-wall.php#L109 https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.6/includes/public/core/class-youzify-wall.php#L109 https://plugins.trac.wordpress.org/changeset/3483281/youzify/trunk/includes/public/core/wall/class-youzify-form.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fyouzify/tags/1.3.6&new_path=%2Fyouzify/tags/1.3.7 |
| livemesh--Livemesh Addons by Elementor | The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages. | 2026-04-16 | 6.4 | CVE-2026-1572 | https://www.wordfence.com/threat-intel/vulnerabilities/id/24b9bf5a-19ac-4e99-b32d-1ab681356a1b?source=cve https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L28 https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L64 https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L64 https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L28 https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/plugin.php#L207 https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/plugin.php#L207 https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/views/settings.php#L707 https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/views/settings.php#L707 |
| surbma--Surbma | Booking.com Shortcode | The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-14 | 6.4 | CVE-2026-1607 | https://www.wordfence.com/threat-intel/vulnerabilities/id/01280afb-4745-4f36-823e-ed794bb3353a?source=cve https://plugins.trac.wordpress.org/browser/surbma-bookingcom-shortcode/tags/2.0/surbma-bookingcom-shortcode.php#L34 |
| Lenovo--Service Bridge | A potential DLL hijacking vulnerability was reported in Lenovo Service Bridge that, under certain conditions, could allow a local authenticated user to execute code with elevated privileges. | 2026-04-15 | 6.7 | CVE-2026-1636 | https://support.lenovo.com/us/en/product_security/LEN-211071 |
| prasunsen--Hostel | The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-04-18 | 6.1 | CVE-2026-1838 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2b9da491-771a-4100-b41a-7411981dd34b?source=cve https://plugins.trac.wordpress.org/browser/hostel/trunk/hostel.php#L44 https://plugins.trac.wordpress.org/browser/hostel/tags/1.1.6/hostel.php#L44 https://plugins.trac.wordpress.org/browser/hostel/trunk/controllers/ajax.php#L28 https://plugins.trac.wordpress.org/browser/hostel/tags/1.1.6/controllers/ajax.php#L28 https://plugins.trac.wordpress.org/browser/hostel/trunk/views/partial/rooms-table.html.php#L29 https://plugins.trac.wordpress.org/browser/hostel/tags/1.1.6/views/partial/rooms-table.html.php#L29 https://plugins.trac.wordpress.org/changeset/3478265/hostel/trunk/hostel.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fhostel/tags/1.1.6&new_path=%2Fhostel/tags/1.1.7 |
| woobeewoo--Product Pricing Table by WooBeWoo | The Product Pricing Table by WooBeWoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the updateLabel() and remove() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages or delete pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-04-15 | 6.1 | CVE-2026-1852 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a3b459e0-4bd9-443e-96e4-91663a35c26e?source=cve https://github.com/wpcodefactory/woo-product-pricing-tables/releases/tag/v1.1.1 |
| Cisco--Cisco Unity Connection | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | 2026-04-15 | 6.1 | CVE-2026-20059 | cisco-sa-unity-vulns-n2EJSbbw |
| Cisco--Cisco Unity Connection | Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system. | 2026-04-15 | 6.5 | CVE-2026-20078 | cisco-sa-unity-file-download-RmKEVWPx |
| Cisco--Cisco Unity Connection | Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system. | 2026-04-15 | 6.5 | CVE-2026-20081 | cisco-sa-unity-file-download-RmKEVWPx |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on the underlying operating system and elevate privileges to root. This vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by providing crafted input to a specific CLI command. A successful exploit could allow the attacker to elevate their privileges to root on the underlying operating system. | 2026-04-15 | 6 | CVE-2026-20136 | cisco-sa-ise-cmd-inj-5WSJcYJB |
| Cisco--Cisco Webex Contact Center | A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This vulnerability existed because HTML and script content was not properly handled. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to steal sensitive information from the browser, including authentication and session information. | 2026-04-15 | 6.1 | CVE-2026-20170 | cisco-sa-webexcc-xss-WEX5nUnA |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users. | 2026-04-15 | 6.6 | CVE-2026-20202 | https://advisory.splunk.com/advisories/SVD-2026-0401 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in Retail Mode prior to SMR Apr-2026 Release 1 allows local attackers to trigger privileged functions. | 2026-04-13 | 6.6 | CVE-2026-21010 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Adobe--Adobe Connect | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed. | 2026-04-14 | 6.1 | CVE-2026-21331 | https://helpx.adobe.com/security/products/connect/apsb26-37.html |
| Fortinet--FortiSOAR on-premise | A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow attacker to information disclosure via <insert attack vector here> | 2026-04-14 | 6.2 | CVE-2026-22155 | https://fortiguard.fortinet.com/psirt/FG-IR-26-106 |
| Fortinet--FortiSOAR on-premise | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5 all versions, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform path traversal attack via File Content Extraction actions. | 2026-04-14 | 6.2 | CVE-2026-22573 | https://fortiguard.fortinet.com/psirt/FG-IR-26-116 |
| Eaton--IPP Software | Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre. | 2026-04-16 | 6 | CVE-2026-22615 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf |
| Eaton--IPP Software | Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre. | 2026-04-16 | 6.5 | CVE-2026-22616 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf |
| Fortinet--FortiVoice | An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0 all versions, FortiVoice 7.0.0 through 7.0.1 may allow a remote authenticated attacker with at least read-only permission on system maintenance to access backup information via crafted HTTP requests | 2026-04-14 | 5.4 | CVE-2024-23104 | https://fortiguard.fortinet.com/psirt/FG-IR-26-124 |
| WSO2--WSO2 API Manager | The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag. | 2026-04-16 | 5.4 | CVE-2024-4867 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/ |
| cartasi--Nexi XPay | The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed. | 2026-04-14 | 5.3 | CVE-2025-15565 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a?source=cve https://plugins.trac.wordpress.org/browser/cartasi-x-pay/tags/8.2.0/src/classes/Nexi/WC_Gateway_XPay_Process_Completion.php#L268 |
| Dell--Dell Pro 14 Essential PV14250 | Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability, leading to unauthorized access. | 2026-04-16 | 5.1 | CVE-2025-36579 | https://www.dell.com/support/kbdoc/en-us/000300450/dsa-2025-153 |
| Fortinet--FortiOS | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.7.0, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSwitchManager 7.2.0 through 7.2.7, FortiSwitchManager 7.0.0 through 7.0.6 may allow an authenticated attacker with admin profile and at least read-write permissions to write or delete arbitrary files via specific CLI commands. | 2026-04-14 | 5.4 | CVE-2025-61624 | https://fortiguard.fortinet.com/psirt/FG-IR-26-122 |
| Fortinet--FortiManager Cloud | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests. | 2026-04-14 | 5.4 | CVE-2025-68649 | https://fortiguard.fortinet.com/psirt/FG-IR-26-120 |
| wpxpo--Post Grid Gutenberg Blocks for News, Magazines, Blog Websites PostX | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions up to, and including, 5.0.5. This makes it possible for unauthenticated attackers to modify the share_count post meta for any post, including private or draft posts. | 2026-04-16 | 5.3 | CVE-2026-0718 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b2cf3b-5d35-4ce6-9453-1538a6f7752f?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/ultimate-post/tags/5.0.5/classes/Blocks.php&new_path=/ultimate-post/tags/5.0.6/classes/Blocks.php |
| iberezansky--3D FlipBook PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery | The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks. | 2026-04-14 | 5.3 | CVE-2026-1314 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d7e41753-2dbf-4afa-b61e-e617be2c4dc2?source=cve https://plugins.trac.wordpress.org/changeset/3467608/ |
| themefusion--Avada (Fusion) Builder | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation. | 2026-04-15 | 5.4 | CVE-2026-1509 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fdc57b06-bae9-49a3-84dd-f593705330e9?source=cve https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226 https://avada.com/documentation/avada-changelog/ |
| Wpmet--MetForm Pro | The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7 This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without recomputing or validating it against the configured form price. This makes it possible for unauthenticated attackers to manipulate the payment amount via the 'mf-calculation' field in the form submission REST request granted there exists a specific form with this particular configuration. | 2026-04-15 | 5.3 | CVE-2026-1782 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a49dd64b-6ae8-49ed-9e8a-e5b73c2acf4b?source=cve https://wpmet.com/plugin/metform/ |
| Cisco--Cisco Secure Web Appliance | A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to improper validation of user-supplied authentication input in HTTP requests. An attacker could exploit this vulnerability by sending HTTP requests that contain specific authentication requests to an affected device. A successful exploit could allow the attacker to bypass policy enforcement on the device. There is no direct impact to the Cisco Secure Web Appliance. However, as a result of exploiting this vulnerability, an attacker could send HTTP requests that should be restricted through the device. | 2026-04-15 | 5.3 | CVE-2026-20152 | cisco-sa-wsa-auth-bypass-6YZkTQhd |
| Cisco--Cisco ThousandEyes Enterprise Agent | A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device. | 2026-04-15 | 5.5 | CVE-2026-20161 | cisco-sa-te-agentfilewrite-tqUw3SMU |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows COM allows an authorized attacker to disclose information locally. | 2026-04-14 | 5.5 | CVE-2026-20806 | Windows COM Server Information Disclosure Vulnerability |
| Grafana--Loki | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerability. | 2026-04-15 | 5.3 | CVE-2026-21726 | https://grafana.com/security/security-advisories/cve-2026-21726 |
| Fortinet--FortiSOAR PaaS | A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to view cleartext password in response for Secure Message Exchange and Radius queries, if configured | 2026-04-14 | 5.4 | CVE-2026-21742 | https://fortiguard.fortinet.com/psirt/FG-IR-26-106 |
| Eaton--IPP Software | Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre. | 2026-04-16 | 5.7 | CVE-2026-22617 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf |
| Eaton--IPP software | A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web‑based attacks. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre. | 2026-04-16 | 5.9 | CVE-2026-22618 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf |
| Wago--Smart Designer | In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint. | 2026-04-16 | 4.3 | CVE-2023-5872 | https://certvde.com/de/advisories/VDE-2023-045 https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-045.json |
| Vision--Helpdesk | Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. | 2026-04-16 | 4.3 | CVE-2024-58343 | https://github.com/websec/Vision-Helpdesk-Exploit https://websec.net/blog/critical-vulnerability-in-vision-helpdesk-allows-unauthorized-session-access-67264646bde7fa99ea26446f |
| Zaytech--Smart Online Order for Clover | Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows Cross Site Request Forgery.This issue affects Smart Online Order for Clover: from n/a through 1.6.0. | 2026-04-15 | 4.3 | CVE-2025-15635 | https://patchstack.com/database/wordpress/plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper check for unusual or exceptional conditions vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. | 2026-04-16 | 4.1 | CVE-2025-43883 | https://www.dell.com/support/kbdoc/en-us/000376214/dsa-2025-347-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper resource shutdown or release vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. | 2026-04-16 | 4.4 | CVE-2025-43935 | https://www.dell.com/support/kbdoc/en-us/000376214/dsa-2025-347-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| DeluxeThemes--Userpro | Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery.This issue affects Userpro: from n/a before 5.1.11. | 2026-04-15 | 4.3 | CVE-2025-53444 | https://patchstack.com/database/wordpress/plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Fortinet--FortiSOAR on-premise | A server-side request forgery (ssrf) vulnerability [CWE-918] vulnerability in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.4, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to discover services running on local ports via crafted requests. | 2026-04-14 | 4.1 | CVE-2025-59809 | https://fortiguard.fortinet.com/psirt/FG-IR-26-103 |
| Fortinet--FortiSandbox PaaS | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox PaaS 5.0.0 through 5.0.4 may allow an attacker to perform an XSS attack via crafted HTTP requests. | 2026-04-14 | 4.9 | CVE-2025-61886 | https://fortiguard.fortinet.com/psirt/FG-IR-26-109 |
| themefusion--Avada (Fusion) Builder | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's `fusion_get_post_custom_field()` function failing to validate whether metadata keys are protected (underscore-prefixed). This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract protected post metadata fields that should not be publicly accessible via the Dynamic Data feature's `post_custom_field` parameter. | 2026-04-15 | 4.3 | CVE-2026-1541 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f1f69f93-80e3-434d-98a6-fc8757b4e6d1?source=cve https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226 |
| Cisco--Cisco Unity Connection | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious web page. | 2026-04-15 | 4.7 | CVE-2026-20060 | cisco-sa-unity-vulns-n2EJSbbw |
| Cisco--Cisco Unity Connection | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device. | 2026-04-15 | 4.3 | CVE-2026-20061 | cisco-sa-unity-vulns-n2EJSbbw |
| Cisco--Cisco Identity Services Engine Software | Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting (XSS) attack or a reflected XSS attack against a user of the web-based management interface of an affected device. These vulnerabilities are due to insufficient sanitization of user-supplied data that is stored in the web page. An attacker could exploit these vulnerabilities by convincing a user of the interface to click a specific link or view an affected web page. The injected script code may be executed in the context of the web-based management interface or allow the attacker to access sensitive browser-based information. | 2026-04-15 | 4.8 | CVE-2026-20132 | cisco-sa-isexss-BS8ctE7U |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system and read arbitrary files. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system. | 2026-04-15 | 4.9 | CVE-2026-20148 | cisco-sa-ise-rce-traversal-8bYndVrZ |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles, has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control. | 2026-04-15 | 4.3 | CVE-2026-20203 | https://advisory.splunk.com/advisories/SVD-2026-0402 |
| Microsoft--Windows 10 Version 1607 | Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack. | 2026-04-14 | 4.6 | CVE-2026-20928 | Windows Recovery Environment Security Feature Bypass Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-04-14 | 4.6 | CVE-2026-20945 | Microsoft SharePoint Server Spoofing Vulnerability |
| Fortinet--FortiSOAR PaaS | An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform a stored cross site scripting (XSS) attack via crafted HTTP Requests. | 2026-04-14 | 4.4 | CVE-2026-22154 | https://fortiguard.fortinet.com/psirt/FG-IR-26-117 |
| Fortinet--FortiSOAR PaaS | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to retrieve Service account password via server address modification in LDAP configuration. | 2026-04-14 | 4.1 | CVE-2026-22574 | https://fortiguard.fortinet.com/psirt/FG-IR-26-105 |
| Fortinet--FortiSOAR PaaS | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to retrieve passwords for multiple installed connectors via server address modification in connector configuration. | 2026-04-14 | 4.1 | CVE-2026-22576 | https://fortiguard.fortinet.com/psirt/FG-IR-26-104 |
| octobercms--october | October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with CMS_SAFE_MODE enabled (disabled by default). This issue has been fixed in versions 3.7.13 and 4.1.5. To workaround this issue, users can disable CMS_SAFE_MODE if untrusted template editing is not required, and restrict CMS template editing permissions to fully trusted administrators only. | 2026-04-14 | 4.9 | CVE-2026-22692 | https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| WSO2--WSO2 API Manager | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product. | 2026-04-16 | 3.5 | CVE-2024-8010 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/ |
| 1Panel-dev--MaxKB | A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-04-13 | 3.5 | CVE-2025-15632 | VDB-356967 | 1Panel-dev MaxKB MdPreview chat.ts cross site scripting VDB-356967 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #782265 | 1Panel-dev MaxKB <= v2.6.1 Stored XSS https://github.com/AnalogyC0de/public_exp/issues/28 https://github.com/1Panel-dev/MaxKB/pull/4578 https://github.com/1Panel-dev/MaxKB/commit/7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8 https://github.com/1Panel-dev/MaxKB/releases/tag/v2.5.0 https://github.com/1Panel-dev/MaxKB/ |
| Siemens--Siemens Software Center | A vulnerability has been identified in Siemens Software Center (All versions < V3.5.8.2), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Simcenter STAR-CCM+ (All versions < V2602), Solid Edge SE2025 (All versions < V225.0 Update 13), Solid Edge SE2026 (All versions < V226.0 Update 04), Tecnomatix Plant Simulation (All versions < V2504.0008). Affected applications do not properly validate client certificates to connect to Analytics Service endpoint. This could allow an unauthenticated remote attacker to perform man in the middle attacks. | 2026-04-14 | 3.7 | CVE-2025-40745 | https://cert-portal.siemens.com/productcert/html/ssa-981622.html |
| Grafana--Grafana Correlations | --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana's Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability. | 2026-04-15 | 3.3 | CVE-2026-21727 | https://grafana.com/security/security-advisories/cve-2026-21727 |
| HCL--AION | HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights into the underlying environment, which could potentially aid in further targeted actions or limited information disclosure. | 2026-04-15 | 2.9 | CVE-2025-52641 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130007 |
| Fortinet--FortiNAC-F | An URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] vulnerability in Fortinet FortiNAC-F 7.6.0 through 7.6.5, FortiNAC-F 7.4 all versions, FortiNAC-F 7.2 all versions may allow a remote privileged attacker with system administrator role to redirect users to an arbitrary website via crafted CSV file. | 2026-04-14 | 2.2 | CVE-2026-21741 | https://fortiguard.fortinet.com/psirt/FG-IR-26-118 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AMD--AMD EPYC 7003 Series Processors | Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest integrity. | 2026-04-16 | not yet calculated | CVE-2023-20585 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3016.html |
| n/a--NietThijmen ShoppingCart 0.0.2 | Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field | 2026-04-15 | not yet calculated | CVE-2024-53412 | https://github.com/NietThijmen/ShoppingCart/issues/1 https://github.com/Buckdray/vulnerability-research/blob/main/CVE-2024-53412/README.md |
| Grafana--Grafana Alerting | In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions "alert.notifications:write" or "alert.notifications.receivers:test" that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations. | 2026-04-15 | not yet calculated | CVE-2025-12141 | https://grafana.com/security/security-advisories/cve-2025-12141/ |
| MCPHub--MCPHub | MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges. | 2026-04-14 | not yet calculated | CVE-2025-13822 | https://github.com/samanhappy/mcphub https://cert.pl/en/posts/2026/04/CVE-2025-13822 |
| Legion of the Bouncy Castle Inc.--BC-JAVA | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher. GOSTCTR implementation unable to process more than 255 blocks correctly. This issue affects BC-JAVA: from 1.59 before 1.84. | 2026-04-15 | not yet calculated | CVE-2025-14813 | https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9014813 https://github.com/bcgit/bc-java/commit/b42574345414e4b7c8051b16fa1fafe01c29871f https://github.com/bcgit/bc-java/commit/701686cb0184cd9ae103c801b3581fdf95c6d4f3 |
| Unknown--Form Maker by 10Web | The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts. | 2026-04-13 | not yet calculated | CVE-2025-15441 | https://wpscan.com/vulnerability/41f69b0a-4d17-4a6b-b803-ea1c370e3cc0/ |
| OpenText, Inc--RightFax | Deserialization of untrusted data vulnerability in OpenText, Inc RightFax on Windows, 64 bit, 32 bit allows Object Injection.This issue affects RightFax: through 25.4. | 2026-04-15 | not yet calculated | CVE-2025-15610 | https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0861863 |
| Sparx Systems Pty Ltd.--Sparx Enterprise Architect | Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication | 2026-04-16 | not yet calculated | CVE-2025-15621 | https://sparxsystems.com/products/ea/17.1/history.html |
| Sparx Systems Pty Ltd.--Sparx Enterprise Architect | Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication flow. | 2026-04-17 | not yet calculated | CVE-2025-15622 | https://sparxsystems.com/products/ea/17.1/history.html |
| Sparx Systems Pty Ltd.--Sparx Pro Cloud Server | Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. Unauthenticated user can retrieve database password in plaintext in certain situations | 2026-04-17 | not yet calculated | CVE-2025-15623 | https://sparxsystems.com/products/procloudserver/6.1/history.html |
| Sparx Systems Pty Ltd.--Sparx Pro Cloud Server | Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. In a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext. | 2026-04-17 | not yet calculated | CVE-2025-15624 | https://sparxsystems.com/products/procloudserver/6.1/history.html |
| Sparx Systems Pty Ltd.--Sparx Pro Cloud Server | Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases. | 2026-04-17 | not yet calculated | CVE-2025-15625 | https://sparxsystems.com/products/procloudserver/6.1/history.html |
| n/a--Phpgurukul Online Course | In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page. | 2026-04-13 | not yet calculated | CVE-2025-51414 | https://github.com/12T40910/CVE/issues/12 https://medium.com/@tanushkushtk01/cve-2025-51414-unrestricted-file-upload-in-online-course-registration-v3-1-bd8b839be1d7 |
| AMD--AMD EPYC 9004 Series Processors | Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with local access (Ring 0) to achieve privilege escalation potentially resulting in arbitrary code execution. | 2026-04-16 | not yet calculated | CVE-2025-54502 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-7054.html |
| AMD--AMD EPYC 9004 Series Processors | A missing lock verification in AMD Secure Processor (ASP) firmware may permit a locally authenticated attacker with administrative privileges to alter MMIO routing on some Zen 5-based products, potentially compromising guest system integrity. | 2026-04-16 | not yet calculated | CVE-2025-54510 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3034.html |
| Apache Software Foundation--Apache Airflow | The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability. It does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however users following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of the example with improved resiliance for that case. Users who followed that pattern are advised to adjust their implementations accordingly. | 2026-04-15 | not yet calculated | CVE-2025-54550 | https://lists.apache.org/thread/3mf4cfx070ofsnf9qy0s2v5gqb5sc2g1 https://github.com/apache/airflow/pull/63200 |
| Openai[.]com-- Codex CLI v0.23.0 | A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately. | 2026-04-14 | not yet calculated | CVE-2025-61260 | http://openai.com https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/ |
| Snipe-it[.]com--Snipe-IT asset management v8.3.0 | Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via "Name" and "Surname" fields. The JavaScript code is executed whenever "Activity Report" or modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's "Display Name" is not set. The vulnerability is fixed in v8.3.2. | 2026-04-13 | not yet calculated | CVE-2025-63743 | http://grokability.com http://snipe-it.com https://github.com/grokability/snipe-it/commit/b6d397bcca4e8a05176b782de769d7160058bfc4#diff-7fe056d76c09808dac923c4639161d587c3fff281a01122f3e10c4a781674a65 https://github.com/mikust/CVEs/tree/main/CVE-2025-63743 |
| n/a-- hotel-management-php version 1.0 | alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter. | 2026-04-14 | not yet calculated | CVE-2025-65132 | https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65132/README.md |
| n/a--School Management System v1.0 | A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can supply a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database information. | 2026-04-14 | not yet calculated | CVE-2025-65133 | https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65133/README.md |
| n/a--School Management System v1.0 | In manikandan580 School-management-system 1.0, a reflected cross-site scripting (XSS) vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter. | 2026-04-14 | not yet calculated | CVE-2025-65134 | https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65134/README.md |
| n/a--School Management System v1.0 | In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter. | 2026-04-14 | not yet calculated | CVE-2025-65136 | https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65136/README.md |
| Apache Software Foundation--Apache Airflow | Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via Airflow 3.2.0 Blog announcement [4]. [1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html [3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/ Users are recommended to upgrade to version 3.2.0, which fixes this issue. | 2026-04-13 | not yet calculated | CVE-2025-66236 | https://github.com/apache/airflow/pull/58662 https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo |
| gonitro[.]com-- Nitro PDF Pro v14.41.1.4 | A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet. | 2026-04-13 | not yet calculated | CVE-2025-66769 | https://www.gonitro.com/ https://jeroscope.com/advisories/2025/jero-2025-015/ |
| nordicsemi[.]no--IronSide SE | Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue. | 2026-04-15 | not yet calculated | CVE-2025-67841 | https://nordicsemi.no https://docs.nordicsemi.com/bundle/SA/resource/SA-2025-447-v1.1.pdf |
| gonitro[.]com-- Nitro PDF Pro v14.41.1.4 | Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null), the engine routes the call through a fallback path intended for non-string arguments. In this path, js_ValueToString() is invoked on the null value and returns an invalid string pointer, which is then passed to JS_GetStringChars() without validation. Dereferencing this pointer leads to an access violation and application crash when opening a crafted PDF. | 2026-04-13 | not yet calculated | CVE-2025-69624 | http://nitro.com |
| gonitro[.]com-- Nitro PDF Pro v14.41.1.4 | Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. This can result in access violations and non-deterministic crashes. | 2026-04-13 | not yet calculated | CVE-2025-69627 | http://nitro.com https://jeroscope.com/advisories/2025/jero-2025-016/ |
| trezor[.]com--Trezor One v1.13.0 | A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant time execution and specific branch patterns for word searching. An attacker with physical access during the initial setup phase can collect a single side-channel trace. By utilizing profiling-based Deep Learning Side-Channel Analysis (DL-SCA), the attacker can recover the mnemonic code and subsequently steal the assets. The issue was patched. | 2026-04-14 | not yet calculated | CVE-2025-69893 | http://trezor.com https://trezor.io/vulnerability/fix-side-channel-in-bip-39-mnemonic-processing-when-unlocked |
| n/a-- transloadit uppy v0.25.6 | An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6. | 2026-04-14 | not yet calculated | CVE-2025-70023 | https://github.com/transloadi https://github.com/transloadit/uppy https://gist.github.com/zcxlighthouse/27926a85371ac5d2291f44903254753e |
| Safetica Application suite-- STProcessMonitor 11.11.4.0 | STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is caused by insufficient caller validation in the driver's IOCTL handler, enabling unauthorized processes to perform those actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications. Unauthorized processes load the driver and send a crafted IOCTL request (0xB822200C) to terminate processes protected by a third-party implementation. This action exploits insufficient caller validation in the driver's IOCTL handler, allowing unauthorized processes to perform termination operations in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications. | 2026-04-17 | not yet calculated | CVE-2025-70795 | https://bbs.kafan.cn/thread-2287429-1-1.html https://bbs.kafan.cn/thread-2287429-2-1.html https://www.virustotal.com/gui/file/70bcec00c215fe52779700f74e9bd669ff836f594df92381cbfb7ee0568e7a8b https://www.virustotal.com/gui/file/9ace6a1e4bee5834be38b4c2fd26780d1fcc18ea9d58224e31d6382c19e53296 https://www.virustotal.com/gui/file/fc3588482f596a067b65d5d64d21fe62463b38a138fc87d8d2350efa86d34284 https://github.com/magicsword-io/LOLDrivers/commit/eea8326bf891d810902203e9ac5cfdeaf5a17a1c https://github.com/magicsword-io/LOLDrivers/issues/268 |
| Vtiger[.]com-- Vtiger CRM 8.4.0 | Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s session. | 2026-04-13 | not yet calculated | CVE-2025-70936 | https://www.vtiger.com/open-source-crm/ https://www.simonjuguna.com/cve-2025-70936-reflected-xss-vulnerability-in-vtiger-crm-v8-4-0/ |
| Progress Software Corporation--OpenEdge | A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server through the adopted authority of the AdminServer process itself. The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile() methods exposed through the RMI interface. Misuse was limited only by OS-level authority of the AdminServer's elevated privileges granted and the user's access to these methods enabled through RMI. The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry. | 2026-04-14 | not yet calculated | CVE-2025-7389 | https://community.progress.com/s/article/Important-Arbitrary-File-Ready-Security-Update-for-OpenEdge-AdminServer |
| Progress Software Corporation--OpenEdge | The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption. | 2026-04-14 | not yet calculated | CVE-2025-8095 | https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection |
| PureStorage--FlashBlade | A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions. | 2026-04-14 | not yet calculated | CVE-2026-0207 | https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html |
| PureStorage--FlashArray | Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured. | 2026-04-14 | not yet calculated | CVE-2026-0209 | https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html |
| Palo Alto Networks--Cortex XDR Agent | A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection. | 2026-04-13 | not yet calculated | CVE-2026-0232 | https://security.paloaltonetworks.com/CVE-2026-0232 |
| Palo Alto Networks--Autonomous Digital Experience Manager | A certificate validation vulnerability in Palo Alto Networks Autonomous Digital Experience Manager on Windows allows an unauthenticated attacker with adjacent network access to execute arbitrary code with NT AUTHORITY\SYSTEM privileges. | 2026-04-13 | not yet calculated | CVE-2026-0233 | https://security.paloaltonetworks.com/CVE-2026-0233 |
| Palo Alto Networks--Cortex XSOAR Microsoft Teams Marketplace | An improper verification of cryptographic signature vulnerability exists in Cortex XSOAR and Cortex XSIAM platforms during integration of Microsoft Teams that enables an unauthenticated user to access and modify protected resources. | 2026-04-13 | not yet calculated | CVE-2026-0234 | https://security.paloaltonetworks.com/CVE-2026-0234 |
| Legion of the Bouncy Castle Inc.--BC-JAVA | Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.84. | 2026-04-15 | not yet calculated | CVE-2026-0636 | https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%900636 https://github.com/bcgit/bc-java/commit/d20cdb8430e09224114fec0179a71859929fcbde |
| keras-team--keras-team/keras | A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method. | 2026-04-13 | not yet calculated | CVE-2026-1462 | https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f |
| Pegasystems--Pega Infinity | Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role. | 2026-04-15 | not yet calculated | CVE-2026-1564 | https://support.pega.com/support-doc/pega-security-advisory-b26-vulnerability-remediation-note |
| Pegasystems--Pega Infinity | Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role. | 2026-04-15 | not yet calculated | CVE-2026-1711 | https://support.pega.com/support-doc/pega-security-advisory-d26-vulnerability-remediation-note |
| ASUS--DriverHub | An Incorrect Permission Assignment for Critical Resource vulnerability in the ASUS DriverHub update process allows privilege escalation due to improper protection of required execution resources during the validation phase, permitting a local user to make unprivileged modifications. This allows the altered resource to pass system checks and be executed with elevated privileges upon a user-initiated update. Refer to the 'Security Update for ASUS DriverHub' section on the ASUS Security Advisory for more information. | 2026-04-16 | not yet calculated | CVE-2026-1880 | https://www.asus.com/security-advisory |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in data related to network restrictions prior to SMR Apr-2026 Release 1 allows physical attackers to bypass the restrictions. | 2026-04-13 | not yet calculated | CVE-2026-21003 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in Samsung DeX prior to SMR Apr-2026 Release 1 allows physical attackers to access to hidden notification contents. | 2026-04-13 | not yet calculated | CVE-2026-21006 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | Improper check for exceptional conditions in Device Care prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Knox Guard. | 2026-04-13 | not yet calculated | CVE-2026-21007 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 allows adjacent attacker to access sensitive information. | 2026-04-13 | not yet calculated | CVE-2026-21008 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows physical attacker to bypass App Pinning. | 2026-04-13 | not yet calculated | CVE-2026-21009 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend Unlock. | 2026-04-13 | not yet calculated | CVE-2026-21011 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | External control of file name in AODManager prior to SMR Apr-2026 Release 1 allows privileged local attacker to create file with system privilege. | 2026-04-13 | not yet calculated | CVE-2026-21012 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Galaxy Wearable | Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information. | 2026-04-13 | not yet calculated | CVE-2026-21013 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Camera | Improper access control in Samsung Camera prior to version 16.5.00.28 allows local attacker to access location data. User interaction is required for triggering this vulnerability. | 2026-04-13 | not yet calculated | CVE-2026-21014 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04 |
| Veeam--Backup and Replication | A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement. | 2026-04-17 | not yet calculated | CVE-2026-21709 | https://www.veeam.com/kb4830 https://www.veeam.com/kb4831 |
| CubeCart Limited--CubeCart | An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command. | 2026-04-17 | not yet calculated | CVE-2026-21719 | https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405 https://jvn.jp/en/jp/JVN78422311/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory and files. This is caused by improper handling of GPU memory reservation protections. | 2026-04-17 | not yet calculated | CVE-2026-21733 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Ubiquiti Inc--UniFi Play PowerAmp | An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later | 2026-04-13 | not yet calculated | CVE-2026-22565 | https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 |
| Microchip--IStaX | A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before 2026.03. | 2026-04-16 | not yet calculated | CVE-2026-2336 | https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/istax-privilege-escalation-via-weak-cookie-authentication |
Vulnerability Summary for the Week of April 6, 2026
Posted on Tuesday April 14, 2026
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36. | 2026-04-06 | 10 | CVE-2026-34208 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj |
| Davidtavarez--CF Image Hosting Script | CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter. | 2026-04-12 | 9.8 | CVE-2019-25709 | ExploitDB-46094 Official Product Homepage Product Reference VulnCheck Advisory: CF Image Hosting Script 1.6.5 Unauthorized Database Access |
| Beijing Topsec Network Security Technology Co., Ltd.--Tianxin Internet Behavior Management System | Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC). | 2026-04-07 | 9.8 | CVE-2021-4473 | https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972 https://www.cnvd.org.cn/patchInfo/show/280166 https://cn-sec.com/archives/4631959.html https://avd.aliyun.com/detail?id=AVD-2021-890232 https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php |
| Contemporary Controls--BASControl20 | An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T. | 2026-04-09 | 9.8 | CVE-2025-13926 | https://www.ccontrols.com/support/contacttech.htm https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json |
| SaturdayDrive--Ninja Forms - File Uploads | The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27. | 2026-04-07 | 9.8 | CVE-2026-0740 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b606ded-ab50-486a-9337-97ee9f452f12?source=cve https://ninjaforms.com/extensions/file-uploads/ |
| IBM--Verify Identity Access Container | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with unnecessary privileges than required. | 2026-04-08 | 9.3 | CVE-2026-1346 | https://www.ibm.com/support/pages/node/7268253 |
| davidfcarr--Quick Playground | The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server. | 2026-04-09 | 9.8 | CVE-2026-1830 | https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39 https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail= |
| LibRaw--LibRaw | A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. | 2026-04-07 | 9.8 | CVE-2026-20889 | https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358 |
| LibRaw--LibRaw | A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. | 2026-04-07 | 9.8 | CVE-2026-20911 | https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330 |
| LibRaw--LibRaw | A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. | 2026-04-07 | 9.8 | CVE-2026-21413 | https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331 |
| Weaver Network Co., Ltd.--E-cology | Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC). | 2026-04-07 | 9.8 | CVE-2026-22679 | https://www.weaver.com.cn/cs/securityDownload.html# https://h4cker.zip/post/d5d211/ https://ti.qianxin.com/vulnerability/notice-detail/1760 https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint |
| prosolution--ProSolution WP Client | The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-04-08 | 9.8 | CVE-2026-2942 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3852aef6-42e7-4b71-a1ba-dd41284fd07b?source=cve https://plugins.trac.wordpress.org/browser/prosolution-wp-client/trunk/public/class-prosolwpclient-public.php?rev=3331282#L993 https://plugins.trac.wordpress.org/changeset/3484577/prosolution-wp-client |
| Rukovoditel--Rukovoditel CRM | A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions. The vulnerable code is: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover. The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection. | 2026-04-11 | 9.3 | CVE-2026-31845 | https://forum.rukovoditel.net/viewtopic.php?p=22499#p22499 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter - which only passes through Security::remove_XSS() (an HTML-only filter) - is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 9.1 | CVE-2026-32892 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1 |
| wpeverest--Everest Forms Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions. | 2026-04-08 | 9.8 | CVE-2026-3296 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133 https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133 https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594 https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753&old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3&new_path=/everest-forms/tags/3.4.4 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 9.4 | CVE-2026-33707 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-f27g-66gq-g7v2 https://github.com/chamilo/chamilo-lms/commit/078d7e5b77679fa7ccfcd6783bd5cc683db0bda8 https://github.com/chamilo/chamilo-lms/commit/750a45312a0d5c3ad60dbfbd0d959ca40be4a18c |
| Juniper Networks--JSI LWC | A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94. | 2026-04-09 | 9.8 | CVE-2026-33784 | https://kb.juniper.net/JSA107871 |
| Canonical--lxd | Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root. | 2026-04-09 | 9.1 | CVE-2026-34177 | VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf lxd: Prevent use of raw.apparmor and raw.qemu.conf when low level options are blocked |
| Canonical--lxd | In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise. | 2026-04-09 | 9.1 | CVE-2026-34178 | Importing a crafted backup leads to project restriction bypass Import: Create backup config from index |
| Canonical--lxd | In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin. | 2026-04-09 | 9.1 | CVE-2026-34179 | Update of type field in restricted TLS certificate allows privilege escalation to cluster admin Improve validation on certificate edit |
| Nextendweb--Smart Slider 3 Pro for WordPress | Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications. | 2026-04-09 | 9.8 | CVE-2026-34424 | https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/ https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/ |
| usebruno--bruno | Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1 | 2026-04-06 | 9.8 | CVE-2026-34841 | https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g https://github.com/axios/axios/issues/10604 https://github.com/usebruno/bruno/pull/7632 https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat |
| R-Project--RGui | RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution. | 2026-04-12 | 8.4 | CVE-2018-25258 | ExploitDB-46107 Official Product Homepage Product Reference VulnCheck Advisory: RGui 3.5.0 Local Buffer Overflow SEH DEP Bypass |
| Html5Videoplayer--HTML5 Video Player | HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process. | 2026-04-12 | 8.4 | CVE-2019-25689 | ExploitDB-46279 Official Product Homepage VulnCheck Advisory: HTML5 Video Player 1.2.5 Local Buffer Overflow Non-SEH |
| Faleemi--Faleemi Desktop Software | Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets. | 2026-04-12 | 8.4 | CVE-2019-25691 | ExploitDB-46269 Official Product Homepage VulnCheck Advisory: Faleemi Desktop Software 1.8 Local Buffer Overflow SEH DEP Bypass |
| r-project--R | R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field. | 2026-04-12 | 8.4 | CVE-2019-25695 | ExploitDB-46265 Official Product Homepage VulnCheck Advisory: R 3.4.4 Local Buffer Overflow Windows XP SP3 |
| VictorAlagwu--CMSsite | CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials. | 2026-04-12 | 8.2 | CVE-2019-25697 | ExploitDB-46259 Product Reference VulnCheck Advisory: CMSsite 1.0 SQL Injection via category.php |
| Divxtodvd--Easy Video to iPod Converter | Easy Video to iPod Converter 1.6.20 contains a local buffer overflow vulnerability in the user registration field that allows local attackers to overwrite the structured exception handler. Attackers can input a crafted payload exceeding 996 bytes in the username field to trigger SEH overwrite and execute arbitrary code with user privileges. | 2026-04-12 | 8.4 | CVE-2019-25701 | ExploitDB-46255 Official Product Homepage Product Reference VulnCheck Advisory: Easy Video to iPod Converter 1.6.20 Local Buffer Overflow SEH |
| Sourceforge--Echo Mirage | Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized string in the Rules action field. Attackers can create a malicious text file with a crafted payload exceeding buffer boundaries and paste it into the action field through the Rules dialog to trigger the overflow and overwrite the return address. | 2026-04-12 | 8.4 | CVE-2019-25705 | ExploitDB-46216 Official Product Homepage Product Reference VulnCheck Advisory: Echo Mirage 3.1 Stack Buffer Overflow via Rules Action Field |
| Dolibarr--Dolibarr ERP-CRM | Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques. | 2026-04-12 | 8.2 | CVE-2019-25710 | ExploitDB-46095 Official Product Homepage Product Reference VulnCheck Advisory: Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Parameter |
| Synology--Synology SSL VPN Client | A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction. | 2026-04-10 | 8.1 | CVE-2021-47961 | Synology-SA-26:05 Synology SSL VPN Client |
| Adivaha--WordPress adivaha Travel Plugin | WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid' values using XOR-based payloads to extract sensitive database information or cause denial of service. | 2026-04-09 | 8.2 | CVE-2023-54359 | ExploitDB-51655 Official Product Homepage Product Reference VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 SQL Injection via pid |
| Juniper Networks--Apstra | A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM attacker to impersonate managed devices. Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials. This issue affects all versions of Apstra before 6.1.1. | 2026-04-09 | 8.7 | CVE-2025-13914 | https://kb.juniper.net/JSA107862 |
| Qualcomm, Inc.--Snapdragon | Memory corruption when decoding corrupted satellite data files with invalid signature offsets. | 2026-04-06 | 8.8 | CVE-2025-47392 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| CactusThemes--VideoPro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through 2.3.8.1. | 2026-04-10 | 8.1 | CVE-2025-58913 | https://patchstack.com/database/wordpress/theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability?_s_id=cve |
| Hitachi--JP1/IT Desktop Management 2 - Manager | Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows.This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13. | 2026-04-07 | 8.8 | CVE-2025-65115 | https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html |
| IBM--Verify Identity Access Container | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere. | 2026-04-07 | 8.5 | CVE-2026-1342 | https://www.ibm.com/support/pages/node/7268253 |
| LibRaw--LibRaw | An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. | 2026-04-07 | 8.1 | CVE-2026-20884 | https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364 |
| Windmill Labs--Windmill CE (Community Edition) | Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0. | 2026-04-07 | 8.8 | CVE-2026-22683 | https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/ https://github.com/Chocapikk/Windfall https://github.com/windmill-labs/windmill/releases/tag/v1.615.0 https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b https://www.windmill.dev/ https://apps.nextcloud.com/apps/flow/releases |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file feletion. User input from $_REQUEST['test'] is concatenated directly into filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38. | 2026-04-10 | 8.3 | CVE-2026-31939 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78 https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38 |
| danbilabs--Advanced Members for ACF | The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5. | 2026-04-08 | 8.8 | CVE-2026-3243 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22b63369-c6ea-42e9-bea3-d15837da7732?source=cve https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L57 https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L266 https://plugins.trac.wordpress.org/browser/advanced-members/trunk/core/modules/class-avatar.php#L710 https://plugins.trac.wordpress.org/changeset/3479725/ https://plugins.trac.wordpress.org/changeset/3492372/ |
| Elastic--Logstash | Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution. | 2026-04-08 | 8.1 | CVE-2026-33466 | https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816 |
| homarr-labs--homarr | Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0. | 2026-04-06 | 8.8 | CVE-2026-33510 | https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82 |
| IBM--Langflow Desktop | IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component. | 2026-04-08 | 8.8 | CVE-2026-3357 | https://www.ibm.com/support/pages/node/7268428 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3. | 2026-04-10 | 8.8 | CVE-2026-33618 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b |
| lexiforest--curl_cffi | curl_cffi is the a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi's TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0. | 2026-04-06 | 8.6 | CVE-2026-33752 | https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp |
| Juniper Networks--Junos OS | A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices. Any user logged in, without requiring specific privileges, can issue 'request csds' CLI operational commands. These commands are only meant to be executed by high privileged or users designated for Juniper Device Manager (JDM) / Connected Security Distributed Services (CSDS) operations as they will impact all aspects of the devices managed via the respective MX. This issue affects Junos OS on MX Series: * 24.4 releases before 24.4R2-S3, * 25.2 releases before 25.2R2. This issue does not affect Junos OS releases before 24.4. | 2026-04-09 | 8.8 | CVE-2026-33785 | https://kb.juniper.net/JSA107872 |
| podman-desktop--podman-desktop | Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2. | 2026-04-07 | 8.2 | CVE-2026-34045 | https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-2q88-39rh-gxvv |
| OpenClaw--OpenClaw | OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions. | 2026-04-09 | 8.1 | CVE-2026-34512 | GitHub Security Advisory (GHSA-9p93-7j67-5pc2) Patch Commit VulnCheck Advisory: OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint |
| opnsense--core | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6. | 2026-04-09 | 8.2 | CVE-2026-34578 | https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54 https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-04-11 | 8.6 | CVE-2026-34621 | https://helpx.adobe.com/security/products/acrobat/apsb26-43.html |
| MontFerret--ferret | Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machine running Ferret. When an operator scrapes a website that returns filenames containing ../ sequences, and uses those filenames to construct output paths (a standard scraping pattern), the attacker controls both the destination path and the file content. This can lead to remote code execution via cron jobs, SSH authorized_keys, shell profiles, or web shells. This vulnerability is fixed in 2.0.0-alpha.4. | 2026-04-06 | 8.1 | CVE-2026-34783 | https://github.com/MontFerret/ferret/security/advisories/GHSA-j6v5-g24h-vg4j https://github.com/MontFerret/ferret/commit/160ebad6bd50f153453e120f6d909f5b83322917 |
| David Lingren--Media LIbrary Assistant | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34. | 2026-04-06 | 8.5 | CVE-2026-34885 | https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve |
| adianti--Adianti Framework | Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. Attackers can submit crafted SQL statements in the profile edit endpoint to modify user credentials and gain administrative access. | 2026-04-12 | 7.1 | CVE-2018-25257 | ExploitDB-46217 VulnCheck Advisory: Adianti Framework 5.5.0 and 5.6.0 SQL Injection via Profile |
| Resourcespace--ResourceSpace | ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data. | 2026-04-12 | 7.1 | CVE-2019-25693 | ExploitDB-46274 Official Product Homepage Product Reference VulnCheck Advisory: ResourceSpace 8.6 SQL Injection via collection_edit.php |
| Newsbull--Newsbull Haber Script | Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data. | 2026-04-12 | 7.1 | CVE-2019-25699 | ExploitDB-46266 Official Product Homepage Product Reference VulnCheck Advisory: Newsbull Haber Script 1.0.0 Authenticated SQL Injection via search parameter |
| Impresscms--ImpressCMS | ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information. | 2026-04-12 | 7.1 | CVE-2019-25703 | ExploitDB-46239 Official Product Homepage Product Reference VulnCheck Advisory: ImpressCMS 1.3.11 SQL Injection via bid Parameter |
| Across--DR-810 | Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the backup file, exposing router passwords and other sensitive configuration data. | 2026-04-12 | 7.5 | CVE-2019-25706 | ExploitDB-46132 Official Product Homepage VulnCheck Advisory: Across DR-810 ROM-0 Unauthenticated File Disclosure |
| Ebrigade--eBrigade ERP | eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table names and schema details. | 2026-04-12 | 7.1 | CVE-2019-25707 | ExploitDB-46117 Official Product Homepage Product Reference VulnCheck Advisory: eBrigade ERP 4.5 SQL Injection via pdf.php |
| MyT--Project Management | MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data. | 2026-04-12 | 7.1 | CVE-2019-25713 | ExploitDB-46084 Official Product Homepage Product Reference VulnCheck Advisory: MyT-PM 1.5.1 SQL Injection via Charge[group_total] Parameter |
| Twitch--Twitch Studio | Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024. | 2026-04-06 | 7.8 | CVE-2024-14032 | https://www.iru.com/blog/twitch-privileged-helper https://help.twitch.tv/s/topic/0TO3a000000kZfYGAU/twitch-studio https://help.twitch.tv/s/article/recommended-software-for-broadcasting https://www.vulncheck.com/advisories/twitch-studio-launcherhelper-xpc-missing-authorization-to-root-file-write |
| WAGO--CC100 (0751-9x01) | An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on the device. | 2026-04-09 | 7.2 | CVE-2024-1490 | https://certvde.com/de/advisories/VDE-2024-008 https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2024-008.json |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries. | 2026-04-08 | 7.5 | CVE-2025-12664 | HackerOne Bug Bounty Report #3377091 https://gitlab.com/gitlab-org/gitlab/-/work_items/579376 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users. | 2026-04-07 | 7.8 | CVE-2025-14821 | https://access.redhat.com/security/cve/CVE-2025-14821 RHBZ#2423148 https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/ |
| Qualcomm, Inc.--Snapdragon | Memory corruption when buffer copy operation fails due to integer overflow during attestation report generation. | 2026-04-06 | 7.8 | CVE-2025-47389 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while preprocessing IOCTL request in JPEG driver. | 2026-04-06 | 7.8 | CVE-2025-47390 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing a frame request from user. | 2026-04-06 | 7.8 | CVE-2025-47391 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Cryptographic issue while copying data to a destination buffer without validating its size. | 2026-04-06 | 7.1 | CVE-2025-47400 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Case Themes--Case Theme User | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a before 1.0.4. | 2026-04-10 | 7.5 | CVE-2025-5804 | https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve |
| Zootemplate--Cerato | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato allows Reflected XSS.This issue affects Cerato: from n/a through 2.2.18. | 2026-04-10 | 7.1 | CVE-2025-58920 | https://patchstack.com/database/wordpress/theme/cerato/vulnerability/wordpress-cerato-theme-2-2-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads. | 2026-04-08 | 7.5 | CVE-2026-1092 | HackerOne Bug Bounty Report #3487030 https://gitlab.com/gitlab-org/gitlab/-/work_items/586479 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| IBM--Verify Identity Access Container | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy. | 2026-04-08 | 7.2 | CVE-2026-1343 | https://www.ibm.com/support/pages/node/7268253 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition. | 2026-04-09 | 7.5 | CVE-2026-1584 | https://access.redhat.com/security/cve/CVE-2026-1584 RHBZ#2435258 |
| Qualcomm, Inc.--Snapdragon | Transient DOS when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans. | 2026-04-06 | 7.6 | CVE-2026-21367 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when retrieving output buffer with insufficient size validation. | 2026-04-06 | 7.8 | CVE-2026-21371 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when sending IOCTL requests with invalid buffer sizes during memcpy operations. | 2026-04-06 | 7.8 | CVE-2026-21372 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. | 2026-04-06 | 7.8 | CVE-2026-21373 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when processing auxiliary sensor input/output control commands with insufficient buffer size validation. | 2026-04-06 | 7.8 | CVE-2026-21374 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. | 2026-04-06 | 7.8 | CVE-2026-21375 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. | 2026-04-06 | 7.8 | CVE-2026-21376 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. | 2026-04-06 | 7.8 | CVE-2026-21378 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory. | 2026-04-06 | 7.8 | CVE-2026-21380 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS when receiving a service data frame with excessive length during device matching over a neighborhood awareness network protocol connection. | 2026-04-06 | 7.6 | CVE-2026-21381 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when handling power management requests with improperly sized input/output buffers. | 2026-04-06 | 7.8 | CVE-2026-21382 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Juniper Networks--Junos OS | A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system. When after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can login as root. This issue affects Junos OS: * all versions before 23.2R2-S7, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R2. This issue does not affect versions 25.4R1 or later. | 2026-04-09 | 7.3 | CVE-2026-21916 | https://kb.juniper.net/JSA107807 |
| Dolibarr--Dolibarr ERP/CRM | Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval(). | 2026-04-07 | 7.2 | CVE-2026-22666 | https://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666 https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg https://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2 https://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard |
| HKUDS--OpenHarness | OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode. | 2026-04-07 | 7.1 | CVE-2026-22682 | https://github.com/HKUDS/OpenHarness/pull/32 https://github.com/HKUDS/OpenHarness/commit/166fcfefb7614dbac51bd061f56542725b0298e9 https://www.vulncheck.com/advisories/openharness-improper-access-control-via-file-tools |
| VMware--Spring Cloud Gateway | When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Centeral https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally if you are not an enterprise customer, you should be upgrading to 5.0.2 or 5.1.1 which are the current supported open source releases. | 2026-04-10 | 7.5 | CVE-2026-22750 | https://spring.io/security/cve-2026-22750 |
| Dell--Elastic Cloud Storage | Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account. | 2026-04-08 | 7.8 | CVE-2026-28261 | https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability |
| CouchCMS--CouchCMS | CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass authorization validation and gain full application control, circumventing restrictions on SuperAdmin account creation and privilege assignment. | 2026-04-10 | 7.2 | CVE-2026-29002 | https://gist.github.com/thepiyushkumarshukla/477e2d2bbbe8cc3ec0d640c50f0cf9e1 https://www.couchcms.com/ https://www.vulncheck.com/advisories/couchcms-privilege-escalation-via-f-k-levels-list-parameter |
| glpi-project--glpi | GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6. | 2026-04-06 | 7.2 | CVE-2026-29047 | https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr |
| open-telemetry--opentelemetry-go | OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0. | 2026-04-07 | 7.5 | CVE-2026-29181 | https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475 |
| Tinyproxy Project--Tinyproxy | Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass. | 2026-04-07 | 7.5 | CVE-2026-31842 | Upstream issue report and reproduction details Tinyproxy upstream project RFC 7230: transfer-coding names are case-insensitive |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.5 | CVE-2026-31940 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9 https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.7 | CVE-2026-31941 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q74c-mx8x-489h https://github.com/chamilo/chamilo-lms/commit/e3790c5f0ff3b4dc547c2099fadf5c438c1bb265 https://github.com/chamilo/chamilo-lms/commit/ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "updateAny", "chart") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0. | 2026-04-10 | 7.7 | CVE-2026-32252 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1 |
| Red Hat--mirror registry for Red Hat OpenShift | A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload. | 2026-04-08 | 7.1 | CVE-2026-32589 | https://access.redhat.com/security/cve/CVE-2026-32589 RHBZ#2446963 |
| Red Hat--mirror registry for Red Hat OpenShift | A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server. | 2026-04-08 | 7.1 | CVE-2026-32590 | https://access.redhat.com/security/cve/CVE-2026-32590 RHBZ#2446964 |
| NI--LabVIEW | There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvlib file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. | 2026-04-07 | 7.8 | CVE-2026-32860 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html |
| NI--LabVIEW | There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvclass file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. | 2026-04-07 | 7.8 | CVE-2026-32861 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html |
| NI--LabVIEW | There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. | 2026-04-07 | 7.8 | CVE-2026-32862 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. | 2026-04-07 | 7.8 | CVE-2026-32863 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is a memory corruption vulnerability due to an out-of-bounds read in mgcore_SH_25_3!aligned_free() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. | 2026-04-07 | 7.8 | CVE-2026-32864 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.1 | CVE-2026-32894 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98 https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151 https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.1 | CVE-2026-32930 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6 https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.5 | CVE-2026-32931 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4 https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3 |
| aces--Loris | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1. | 2026-04-08 | 7.5 | CVE-2026-33350 | https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh |
| Elastic--Kibana | Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs. | 2026-04-08 | 7.7 | CVE-2026-33461 | https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812 |
| distribution--distribution | Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0. | 2026-04-06 | 7.5 | CVE-2026-33540 | https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`. | 2026-04-10 | 7.5 | CVE-2026-3360 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059 https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059 https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress - including score, status, completion, and time - without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.1 | CVE-2026-33702 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654 https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38. | 2026-04-10 | 7.1 | CVE-2026-33704 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38. | 2026-04-10 | 7.1 | CVE-2026-33706 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw https://github.com/chamilo/chamilo-lms/commit/0acf8a196307c66c049f97f5ff76cf21c4a08127 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.5 | CVE-2026-33710 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39 https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09 https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d |
| saleor--saleor | Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. | 2026-04-08 | 7.5 | CVE-2026-33756 | https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64 https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8 https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464 |
| Juniper Networks--CTP OS | A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device. The password management menu enables the administrator to set password complexity requirements, but these settings are not saved. The issue can be verified with the menu option "Show password requirements". Failure to enforce the intended requirements can lead to weak passwords being used, which significantly increases the likelihood that an attacker can guess these and subsequently attain unauthorized access. This issue affects CTP OS versions 9.2R1 and 9.2R2. | 2026-04-09 | 7.4 | CVE-2026-33771 | https://kb.juniper.net/JSA107864 |
| Juniper Networks--Junos OS | An Improper Validation of Syntactic Correctness of Input vulnerability in the IPsec library used by kmd and iked of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated, network-based attacker to cause a complete Denial-of-Service (DoS). If an affected device receives a specifically malformed first ISAKMP packet from the initiator, the kmd/iked process will crash and restart, which momentarily prevents new security associations (SAs) for from being established. Repeated exploitation of this vulnerability causes a complete inability to establish new VPN connections. This issue affects Junos OS on SRX Series and MX Series: * all versions before 22.4R3-S9, * 23.2 version before 23.2R2-S6, * 23.4 version before 23.4R2-S7, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S3, * 25.2 versions before 25.2R1-S2, 25.2R2. | 2026-04-09 | 7.5 | CVE-2026-33778 | https://kb.juniper.net/JSA107868 |
| Juniper Networks--Junos OS Evolved | A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device. A local user with low privileges can gain direct access to the installed FPCs as a high privileged user, which can potentially lead to a full compromise of the affected component. This issue affects Junos OS Evolved on PTX10004, PTX10008, PTX100016, with JNP10K-LC1201 or JNP10K-LC1202: * All versions before 21.2R3-S8-EVO, * 21.4-EVO versions before 21.4R3-S7-EVO, * 22.2-EVO versions before 22.2R3-S4-EVO, * 22.3-EVO versions before 22.3R3-S3-EVO, * 22.4-EVO versions before 22.4R3-S2-EVO, * 23.2-EVO versions before 23.2R2-EVO. | 2026-04-09 | 7.8 | CVE-2026-33788 | https://kb.juniper.net/JSA107806 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart. Continued receipt and processing of these packets will repeatedly crash the srxpfe process and sustain the Denial of Service (DoS) condition. During NAT64 translation, receipt of a specific, malformed ICMPv6 packet destined to the device will cause the srxpfe process to crash and restart. This issue cannot be triggered using IPv4 nor other IPv6 traffic. This issue affects Junos OS on SRX Series: * all versions before 21.2R3-S10, * all versions of 21.3, * from 21.4 before 21.4R3-S12, * all versions of 22.1, * from 22.2 before 22.2R3-S8, * all versions of 22.4, * from 22.4 before 22.4R3-S9, * from 23.2 before 23.2R2-S6, * from 23.4 before 23.4R2-S7, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S3, * from 25.2 before 25.2R1-S2, 25.2R2. | 2026-04-09 | 7.5 | CVE-2026-33790 | https://kb.juniper.net/JSA107874 |
| Juniper Networks--Junos OS | An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system. When a configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation. This issue affects Junos OS: * All versions before 22.4R3-S7, * from 23.2 before 23.2R2-S4, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R1-S2, 24.2R2, * from 24.4 before 24.4R1-S2, 24.4R2; Junos OS Evolved: * All versions before 22.4R3-S7-EVO, * from 23.2 before 23.2R2-S4-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-EVO, * from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO. | 2026-04-09 | 7.8 | CVE-2026-33793 | https://kb.juniper.net/JSA103142 |
| Juniper Networks--Junos OS | An Improper Input Validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker, sending a specific genuine BGP packet in an already established BGP session to reset only that session causing a Denial of Service (DoS). An attacker repeatedly sending the packet will sustain the Denial of Service (DoS).This issue affects Junos OS: * 25.2 versions before 25.2R2 This issue doesn't not affected Junos OS versions before 25.2R1. This issue affects Junos OS Evolved: * 25.2-EVO versions before 25.2R2-EVO This issue doesn't not affected Junos OS Evolved versions before 25.2R1-EVO. eBGP and iBGP are affected. IPv4 and IPv6 are affected. | 2026-04-09 | 7.4 | CVE-2026-33797 | https://kb.juniper.net/JSA107850 |
| shamimmoeen--WCAPF Ajax Product Filter for WooCommerce | WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-04-08 | 7.5 | CVE-2026-3396 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0a762e-9159-4dab-a7be-9cbe332effb1?source=cve https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L739 https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L689 https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L81 https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L65 https://plugins.trac.wordpress.org/changeset/3484080/ |
| @fedify--fedify | Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1. | 2026-04-06 | 7.5 | CVE-2026-34148 | https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp https://github.com/fedify-dev/fedify/releases/tag/1.10.5 https://github.com/fedify-dev/fedify/releases/tag/1.9.6 https://github.com/fedify-dev/fedify/releases/tag/2.0.8 https://github.com/fedify-dev/fedify/releases/tag/2.1.1 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. | 2026-04-06 | 7.1 | CVE-2026-34379 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-w88v-vqhq-5p24 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 |
| aces--Loris | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1. | 2026-04-08 | 7.5 | CVE-2026-34392 | https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f |
| go-vikunja--vikunja | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0. | 2026-04-10 | 7.4 | CVE-2026-34727 | https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg |
| HDFGroup--hdf5 | HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term. | 2026-04-09 | 7.8 | CVE-2026-34734 | https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj |
| Analytify--Under Construction, Coming Soon & Maintenance Mode | Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, Coming Soon & Maintenance Mode allows Cross Site Request Forgery.This issue affects Under Construction, Coming Soon & Maintenance Mode: from n/a through 2.1.1. | 2026-04-07 | 7.5 | CVE-2026-34896 | https://patchstack.com/database/wordpress/plugin/under-construction-maintenance-mode/vulnerability/wordpress-under-construction-coming-soon-maintenance-mode-plugin-2-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Analytify--Simple Social Media Share Buttons | Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross Site Request Forgery.This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0. | 2026-04-07 | 7.5 | CVE-2026-34904 | https://patchstack.com/database/wordpress/plugin/simple-social-buttons/vulnerability/wordpress-simple-social-media-share-buttons-plugin-6-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Dynalon--MDwiki | MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without sanitization, causing the injected scripts to execute in the victim's browser context. | 2026-04-12 | 6.1 | CVE-2017-20239 | ExploitDB-46097 VulnCheck Advisory: MDwiki Cross-Site Scripting via Location Hash Parameter |
| NSauditor--SpotFTP Password Recover | SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payload, paste it into the Name input field, and trigger a crash when submitting the registration code. | 2026-04-12 | 6.2 | CVE-2019-25711 | ExploitDB-46088 VulnCheck Advisory: SpotFTP Password Recover 2.4.2 Denial of Service via Name Field |
| NSauditor--BlueAuditor | BlueAuditor 1.7.2.0 contains a buffer overflow vulnerability in the registration key field that allows local attackers to crash the application by submitting an oversized key value. Attackers can trigger a denial of service by entering a 256-byte buffer of repeated characters in the Key registration field, causing the application to crash during registration processing. | 2026-04-12 | 6.2 | CVE-2019-25712 | ExploitDB-46087 VulnCheck Advisory: BlueAuditor 1.7.2.0 Buffer Overflow Denial of Service via Registration Key |
| Synology--Synology SSL VPN Client | A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure. | 2026-04-10 | 6.5 | CVE-2021-47960 | Synology-SA-26:05 Synology SSL VPN Client |
| Adivaha--WordPress adivaha Travel Plugin | WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials. | 2026-04-09 | 6.1 | CVE-2023-54358 | ExploitDB-51663 Official Product Homepage Product Reference VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile |
| Jlexart--Joomla JLex Review | Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling session hijacking or credential theft. | 2026-04-09 | 6.1 | CVE-2023-54360 | ExploitDB-51645 Official Product Homepage Product Reference VulnCheck Advisory: Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter |
| Thethinkery--Joomla iProperty Real Estate | Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials. | 2026-04-09 | 6.1 | CVE-2023-54361 | ExploitDB-51640 Official Product Homepage Product Reference VulnCheck Advisory: Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword |
| Virtuemart--Cart | Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants endpoint to execute arbitrary JavaScript in victim browsers and steal session tokens or credentials. | 2026-04-09 | 6.1 | CVE-2023-54362 | ExploitDB-51631 Official Product Homepage Product Reference VulnCheck Advisory: Joomla VirtueMart Shopping-Cart 4.0.12 Reflected XSS via keyword |
| Solidres--Joomla Solidres | Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links. | 2026-04-09 | 6.1 | CVE-2023-54363 | ExploitDB-51638 Official Product Homepage Product Reference VulnCheck Advisory: Joomla Solidres 2.13.3 Reflected XSS via Multiple Parameters |
| Hikashop--Joomla HikaShop | Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link. | 2026-04-09 | 6.1 | CVE-2023-54364 | ExploitDB-51629 Official Product Homepage Product Reference VulnCheck Advisory: Joomla HikaShop 4.7.4 Reflected XSS via Product Filter |
| IBM--Concert | IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack. | 2026-04-07 | 6.2 | CVE-2025-13044 | https://www.ibm.com/support/pages/node/7268620 |
| elemntor--Elementor Website Builder more than just a page builder | The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2025-14732 | https://www.wordfence.com/threat-intel/vulnerabilities/id/20232d70-72b2-47b7-ac7e-ad07892864ef?source=cve https://plugins.trac.wordpress.org/browser/elementor/trunk/modules/wp-rest/classes/elementor-post-meta.php#L67 https://plugins.trac.wordpress.org/changeset?old_path=/elementor/tags/3.35.5&new_path=/elementor/tags/3.35.6 |
| Juniper Networks--Junos OS | A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to line cards running Junos OS Evolved as root. This issue affects systems running Junos OS using Linux-based line cards. Affected line cards include: * MPC7, MPC8, MPC9, MPC10, MPC11 * LC2101, LC2103 * LC480, LC4800, LC9600 * MX304 (built-in FPC) * MX-SPC3 * SRX5K-SPC3 * EX9200-40XS * FPC3-PTX-U2, FPC3-PTX-U3 * FPC3-SFF-PTX * LC1101, LC1102, LC1104, LC1105 This issue affects Junos OS: * all versions before 22.4R3-S8, * from 23.2 before 23.2R2-S6, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2, * from 25.2 before 25.2R2. | 2026-04-08 | 6.7 | CVE-2025-30650 | https://github.com/orangecertcc/security-research/security/advisories/GHSA-fwhc-gh5m-v8fq https://kb.juniper.net/JSA107863 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing freed memory due to concurrent fence deregistration and signal handling. | 2026-04-06 | 6.5 | CVE-2025-47374 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Siklu--EtherHaul 8010 | Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a static root password. | 2026-04-08 | 6.4 | CVE-2025-57175 | https://semaja2.net/2025/04/30/siklu-eh-firmware-decryption/ |
| Red Hat--Red Hat Ansible Automation Platform 2 | A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This vulnerability allows an attacker to add a new user with any arbitrary UID, including UID 0, gaining full root privileges within the container. | 2026-04-08 | 6.4 | CVE-2025-57847 | https://access.redhat.com/security/cve/CVE-2025-57847 RHBZ#2391092 |
| Red Hat--Multicluster Engine for Kubernetes | A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2026-04-08 | 6.4 | CVE-2025-57851 | https://access.redhat.com/security/cve/CVE-2025-57851 RHBZ#2391104 |
| Red Hat--Red Hat Web Terminal | A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2026-04-08 | 6.4 | CVE-2025-57853 | https://access.redhat.com/security/cve/CVE-2025-57853 RHBZ#2391106 |
| Red Hat--Red Hat OpenShift Update Service | A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2026-04-08 | 6.4 | CVE-2025-57854 | https://access.redhat.com/security/cve/CVE-2025-57854 RHBZ#2391107 |
| Red Hat--Red Hat Process Automation 7 | A container privilege escalation flaw was found in certain Red Hat Process Automation Manager images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2026-04-08 | 6.4 | CVE-2025-58713 | https://access.redhat.com/security/cve/CVE-2025-58713 RHBZ#2394419 |
| Juniper Networks--Junos OS Evolved | A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series or QFX5000 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).An attacker sending crafted multicast packets will cause line cards running evo-aftmand/evo-pfemand to crash and restart or non-line card devices to crash and restart. Continued receipt and processing of these packets will sustain the Denial of Service (DoS) condition. This issue affects Junos OS Evolved PTX Series: * All versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-EVO, * from 24.2 before 24.2R2-EVO, * from 24.4 before 24.4R2-EVO. This issue affects Junos OS Evolved on QFX5000 Series: * 22.2-EVO version before 22.2R3-S7-EVO, * 22.4-EVO version before 22.4R3-S7-EVO, * 23.2-EVO versions before 23.2R2-S4-EVO, * 23.4-EVO versions before 23.4R2-S5-EVO, * 24.2-EVO versions before 24.2R2-S1-EVO, * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue does not affect Junos OS Evolved on QFX5000 Series versions before: 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO. | 2026-04-09 | 6.5 | CVE-2025-59969 | https://kb.juniper.net/JSA103159 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries. | 2026-04-08 | 6.5 | CVE-2026-1101 | HackerOne Bug Bounty Report #3460228 https://gitlab.com/gitlab-org/gitlab/-/work_items/586488 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| usystemsgmbh--Webling | The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject Webling forms and memberlists with arbitrary web scripts that will execute whenever an administrator views the related form or memberlist area of the WordPress admin. | 2026-04-10 | 6.4 | CVE-2026-1263 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8fbe0d-0709-4fa2-9294-393ddcd05b22?source=cve https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Form_List.php#L122 https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Memberlist_List.php#L115 https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_form.php#L2 https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_memberlist.php#L2 https://plugins.trac.wordpress.org/changeset?old_path=%2Fwebling/tags/3.9.0&new_path=%2Fwebling/tags/3.9.1 |
| magicplugins--Magic Conversation For Gravity Forms | The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2026-1396 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bc425c4a-cb4e-4f50-b85b-8c4c7778c073?source=cve https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/trunk/main.php#L1627 https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/tags/3.0.96/main.php#L1627 https://plugins.trac.wordpress.org/changeset/3482359/magic-conversation-for-gravity-forms/trunk/main.php |
| realmag777--BEAR Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link. | 2026-04-08 | 6.5 | CVE-2026-1672 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b5faa-1a29-4fa7-9146-d782adce0b1f?source=cve https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L782 https://plugins.trac.wordpress.org/changeset/3457263/ https://plugins.trac.wordpress.org/changeset/3465138/ |
| wpeverest--User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | The User Registration & Membership - Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to SQL Injection via the 'membership_ids[]' parameter in all versions up to, and including, 5.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-04-08 | 6.5 | CVE-2026-1865 | https://www.wordfence.com/threat-intel/vulnerabilities/id/07c79459-66b8-4c93-a1cd-6e3ede95643f?source=cve https://plugins.trac.wordpress.org/changeset/3469042/user-registration |
| n/a--Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. Hardware reverse engineer adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via physical access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (none) impacts. | Use of Default Cryptographic Key in the hardware for some Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. Hardware reverse engineer adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via physical access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (none) impacts. | 2026-04-08 | 6.6 | CVE-2026-20709 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00609.html |
| Juniper Networks--Junos Space | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the list filter field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R5 Patch V3. | 2026-04-09 | 6.1 | CVE-2026-21904 | https://kb.juniper.net/JSA106003 |
| Juniper Networks--JSI LWC | A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root. The CLI menu accepts input without carefully validating it, which allows for shell command injection. These shell commands are executed with root permissions and can be used to gain complete control of the system. This issue affects all JSI vLWC versions before 3.0.94. | 2026-04-09 | 6.7 | CVE-2026-21915 | https://kb.juniper.net/JSA106016 |
| Juniper Networks--Junos OS | An Incorrect Synchronization vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker with low privileges to cause a complete Denial-of-Service (DoS) of the management plane. When NETCONF sessions are quickly established and disconnected, a locking issue causes mgd processes to hang in an unusable state. When the maximum number of mgd processes has been reached, no new logins are possible. This leads to the inability to manage the device and requires a power-cycle to recover. This issue can be monitored by checking for mgd processes in lockf state in the output of 'show system processes extensive': user@host> show system processes extensive | match mgd <pid> root 20 0 501M 4640K lockf 1 0:01 0.00% mgd If the system still can be accessed (either via the CLI or as root, which might still be possible as last resort as this won't invoke mgd), mgd processes in this state can be killed with 'request system process terminate <PID>' from the CLI or with 'kill -9 <PID>' from the shell. This issue affects: Junos OS: * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R1-S3, 24.4R2; This issue does not affect Junos OS versions before 23.4R1; Junos OS Evolved: * 23.4 versions before 23.4R2-S5-EVO, * 24.2 versions before 24.2R2-S1-EVO, * 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue does not affect Junos OS Evolved versions before 23.4R1-EVO; | 2026-04-09 | 6.5 | CVE-2026-21919 | https://kb.juniper.net/JSA106019 |
| addfunc--AddFunc Head & Footer Code | The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or escaping. While the plugin restricts its own metabox and save handler to administrators via `current_user_can('manage_options')`, it does not use `register_meta()` with an `auth_callback` to protect these meta keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via the WordPress Custom Fields interface that execute when an administrator previews or views the post. | 2026-04-10 | 6.4 | CVE-2026-2305 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2d1a67-1d9b-4b73-988e-085eaa7474c6?source=cve https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L63 https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L74 https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L85 https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L63 https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L74 https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L85 https://plugins.trac.wordpress.org/changeset?old_path=%2Faddfunc-head-footer-code/tags/2.3&new_path=%2Faddfunc-head-footer-code/tags/2.4 |
| blubrry--PowerPress Podcasting plugin by Blubrry | The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2026-2988 | https://www.wordfence.com/threat-intel/vulnerabilities/id/de25459d-9e19-4e3e-982f-0b34fa89dc30?source=cve https://plugins.trac.wordpress.org/changeset/3473781/powerpress |
| fernandobt--List category posts | The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-09 | 6.4 | CVE-2026-3005 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a93ff8a-364f-4ec4-9c32-208c7a3e1fc1?source=cve https://plugins.trac.wordpress.org/browser/list-category-posts/trunk/include/lcp-thumbnail.php#L95 https://plugins.trac.wordpress.org/changeset/3482733/ |
| uniquecodergmailcom--Pinterest Site Verification plugin using Meta Tag | The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2026-3142 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7ccb7534-b588-4bdd-9627-0e38c0ee5e8a?source=cve https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L160 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/trunk/PinterestMetaTagSiteVerification.php#L160 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L172 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L180 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L92 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L132 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L214 |
| wpchill--Strong Testimonials | The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2026-3239 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88d769cd-bea8-42e4-80a8-a77c0699b50c?source=cve https://plugins.trac.wordpress.org/changeset/3470120/strong-testimonials |
| posimyththemes--The Plus Addons for Elementor Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce | The The Plus Addons for Elementor - Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Bar shortcode in all versions up to, and including, 6.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2026-3311 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6367c5fc-f664-4105-a1b7-a93fb0a2392b?source=cve https://plugins.trac.wordpress.org/changeset/3473275/the-plus-addons-for-elementor-page-builder |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3. | 2026-04-10 | 6.5 | CVE-2026-33141 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80 |
| pi-hole--web | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5. | 2026-04-06 | 6.1 | CVE-2026-33403 | https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59 |
| Elastic--Kibana | Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. | 2026-04-08 | 6.8 | CVE-2026-33458 | https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815 |
| Elastic--Kibana | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users. | 2026-04-08 | 6.5 | CVE-2026-33459 | https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-26/385814 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38. | 2026-04-10 | 6.5 | CVE-2026-33708 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999 https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2 |
| pi-hole--pi-hole | Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1. | 2026-04-06 | 6.4 | CVE-2026-33727 | https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3. | 2026-04-10 | 6.5 | CVE-2026-33736 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9 https://github.com/chamilo/chamilo-lms/commit/1739371ce1c562c007c7f5d53e6d65b7a4ff4109 |
| trailofbits--rfc3161-client | rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an attacker can append a spoofed certificate matching the target common_name and Extended Key Usage (EKU) requirements. This tricks the library into verifying these authorization rules against the forged certificate while validating the cryptographic signature against an actual trusted TSA (such as FreeTSA), thereby bypassing the intended TSA authorization pinning entirely. This vulnerability is fixed in 1.0.6. | 2026-04-08 | 6.2 | CVE-2026-33753 | https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-3xxc-pwj6-jgrj |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device. On MX platforms with MPC10, MPC11, LC4800 or LC9600 line cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don't get executed when lo0.n is in the global VRF / default routing-instance. An affected configuration would be: user@host# show configuration interfaces lo0 | display set set interfaces lo0 unit 1 family inet filter input <filter-name> where a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it's used in the default RI. The issue can be observed with the CLI command: user@device> show firewall counter filter <filter_name> not showing any matches. This issue affects Junos OS on MX Series: * all versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2, * 24.4 versions before 24.4R2. | 2026-04-09 | 6.5 | CVE-2026-33774 | https://kb.juniper.net/JSA107865 |
| Juniper Networks--Junos OS | A Missing Release of Memory after Effective Lifetime vulnerability in the BroadBand Edge subscriber management daemon (bbe-smgd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS). If the authentication packet-type option is configured and a received packet does not match that packet type, the memory leak occurs. When all memory available to bbe-smgd has been consumed, no new subscribers will be able to login. The memory utilization of bbe-smgd can be monitored with the following show command: user@host> show system processes extensive | match bbe-smgd The below log message can be observed when this limit has been reached: bbesmgd[<PID>]: %DAEMON-3-SMD_DPROF_RSMON_ERROR: Resource unavailability, Reason: Daemon Heap Memory exhaustion This issue affects Junos OS on MX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R2. | 2026-04-09 | 6.5 | CVE-2026-33775 | https://kb.juniper.net/JSA107821 |
| Juniper Networks--Junos OS | An Improper Following of a Certificate's Chain of Trust vulnerability in J-Web of Juniper Networks Junos OS on SRX Series allows a PITM to intercept the communication of the device and get access to confidential information and potentially modify it. When an SRX device is provisioned to connect to Security Director (SD) cloud, it doesn't perform sufficient verification of the received server certificate. This allows a PITM to intercept the communication between the SRX and SD cloud and access credentials and other sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S9, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S2, 25.2R2. | 2026-04-09 | 6.5 | CVE-2026-33779 | https://kb.juniper.net/JSA107823 |
| Juniper Networks--Junos OS | A Missing Release of Memory after Effective Lifetime vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a memory leak ultimately leading to a Denial of Service (DoS). In an EVPN-MPLS scenario, routes learned from remote multi-homed Provider Edge (PE) devices are programmed as ESI routes. Due to a logic issue in the l2ald memory management, memory allocated for these routes is not released when there is churn for these routes. As a result, memory leaks in the l2ald process which will ultimately lead to a crash and restart of l2ald. Use the following command to monitor the memory consumption by l2ald: user@device> show system process extensive | match "PID|l2ald" This issue affects: Junos OS: * all versions before 22.4R3-S5, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2; Junos OS Evolved: * all versions before 22.4R3-S5-EVO, * 23.2 versions before 23.2R2-S3-EVO, * 23.4 versions before 23.4R2-S4-EVO, * 24.2 versions before 24.2R2-EVO. | 2026-04-09 | 6.5 | CVE-2026-33780 | https://kb.juniper.net/JSA107819 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX and QFX Series devices allow an unauthenticated, adjacent attacker to cause a complete Denial of Service (DoS). On EX4k, and QFX5k platforms configured as service-provider edge devices, if L2PT is enabled on the UNI and VSTP is enabled on NNI in VXLAN scenarios, receiving VSTP BPDUs on UNI leads to packet buffer allocation failures, resulting in the device to not pass traffic anymore until it is manually recovered with a restart.This issue affects Junos OS: * 24.4 releases before 24.4R2, * 25.2 releases before 25.2R1-S1, 25.2R2. This issue does not affect Junos OS releases before 24.4R1. | 2026-04-09 | 6.5 | CVE-2026-33781 | https://kb.juniper.net/JSA107869 |
| Juniper Networks--Junos OS | A Missing Release of Memory after Effective Lifetime vulnerability in the DHCP daemon (jdhcpd) of Juniper Networks Junos OS on MX Series, allows an adjacent, unauthenticated attacker to cause a memory leak, that will eventually cause a complete Denial-of-Service (DoS). In a DHCPv6 over PPPoE, or DHCPv6 over VLAN with Active lease query or Bulk lease query scenario, every subscriber logout will leak a small amount of memory. When all available memory has been exhausted, jdhcpd will crash and restart which causes a complete service impact until the process has recovered. The memory usage of jdhcpd can be monitored with: user@host> show system processes extensive | match jdhcpd This issue affects Junos OS: * all versions before 22.4R3-S1, * 23.2 versions before 23.2R2, * 23.4 versions before 23.4R2. | 2026-04-09 | 6.5 | CVE-2026-33782 | https://kb.juniper.net/JSA107820 |
| Juniper Networks--Junos OS Evolved | A Function Call With Incorrect Argument Type vulnerability in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series allows a network-based, authenticated attacker with low privileges to cause a complete Denial of Service (DoS). If colored SRTE policy tunnels are provisioned via PCEP, and gRPC is used to monitor traffic in these tunnels, evo-aftmand crashes and doesn't restart which leads to a complete and persistent service impact. The system has to be manually restarted to recover. The issue is seen only when the Originator ASN field in PCEP contains a value larger than 65,535 (32-bit ASN). The issue is not reproducible when SRTE policy tunnels are statically configured. This issue affects Junos OS Evolved on PTX Series: * all versions before 22.4R3-S9-EVO, * 23.2 versions before 23.2R2-S6-EVO, * 23.4 versions before 23.4R2-S7-EVO, * 24.2 versions before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S2-EVO, * 25.2 versions before 25.2R1-S2-EVO, 25.2R2-EVO. | 2026-04-09 | 6.5 | CVE-2026-33783 | https://kb.juniper.net/JSA107870 |
| Juniper Networks--Junos OS | An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system. Certain 'set system' commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. These shell commands are executed as root, potentially allowing for complete control of the vulnerable system. This issue affects: Junos OS: * all versions before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S7, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S7-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. | 2026-04-09 | 6.7 | CVE-2026-33791 | https://kb.juniper.net/JSA107875 |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4. | 2026-04-07 | 6.3 | CVE-2026-34371 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9. | 2026-04-06 | 6.5 | CVE-2026-34378 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-v76p-4qvv-vh4g https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0. | 2026-04-06 | 6.5 | CVE-2026-34755 | https://github.com/vllm-project/vllm/security/advisories/GHSA-pq5c-rjhq-qp7p |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0. | 2026-04-06 | 6.5 | CVE-2026-34756 | https://github.com/vllm-project/vllm/security/advisories/GHSA-3mwp-wvh9-7528 https://github.com/vllm-project/vllm/pull/37952 https://github.com/vllm-project/vllm/commit/b111f8a61f100fdca08706f41f29ef3548de7380 |
| electron--electron | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected. Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. | 2026-04-07 | 6 | CVE-2026-34765 | https://github.com/electron/electron/security/advisories/GHSA-f3pv-wv63-48x8 |
| burlingtonbytes--WP Blockade Visual Page Builder | The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files). | 2026-04-08 | 6.5 | CVE-2026-3480 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3f159aac-092b-4655-9d97-a496ac01738c?source=cve https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393 https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393 https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L361 https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L361 https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L112 https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L112 |
| David Lingren--Media LIbrary Assistant | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media LIbrary Assistant allows Stored XSS.This issue affects Media LIbrary Assistant: from n/a through 3.34. | 2026-04-06 | 6.5 | CVE-2026-34897 | https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Red Hat--mirror registry for Red Hat OpenShift | A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation. | 2026-04-08 | 5.3 | CVE-2025-14243 | https://access.redhat.com/security/cve/CVE-2025-14243 RHBZ#2419829 |
| inisev--BackupBliss Backup & Migration with Free Cloud Storage | The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion. | 2026-04-07 | 5.3 | CVE-2025-14944 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29 https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112 https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php |
| johanaarstein--AM LottiePlayer | The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 5.4 | CVE-2025-1794 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ef2f1ad1-1e2e-4b56-b16c-d87956b142ad?source=cve https://plugins.trac.wordpress.org/browser/am-lottieplayer/tags/3.5.0/includes/upload-thumbnail.php |
| Hitachi--JP1/IT Desktop Management 2 - Manager | Buffer Overflow Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows.This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13. | 2026-04-07 | 5.5 | CVE-2025-65116 | https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html |
| vsourz1td--Advanced Contact form 7 DB | The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated attackers to delete form entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-04-08 | 5.4 | CVE-2026-0811 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88097744-d2f5-4ae5-aa71-0f4a0decd911?source=cve https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L885 https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content. | 2026-04-08 | 5.7 | CVE-2026-1516 | HackerOne Bug Bounty Report #3514461 https://gitlab.com/gitlab-org/gitlab/-/work_items/587893 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| wpmudev--Hustle Email Marketing, Lead Generation, Optins, Popups | The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics. | 2026-04-07 | 5.3 | CVE-2026-2263 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32 https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047 https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311 https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11 |
| OCS Inventory--OCS Inventory NG Server | OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitation and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard. | 2026-04-06 | 5.4 | CVE-2026-22675 | https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483 https://github.com/OCSInventory-NG/OCSInventory-Server/commit/78faf2ca8b897141ba4d337d75692ab8e405bd4e https://www.vulncheck.com/advisories/ocs-inventory-ng-server-stored-xss-via-user-agent |
| Volcengine--OpenViking | OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments. | 2026-04-07 | 5.3 | CVE-2026-22680 | https://github.com/volcengine/OpenViking/releases/tag/v0.3.3 https://github.com/volcengine/OpenViking/pull/1182 https://github.com/volcengine/OpenViking/commit/8c1c3f3608364ee0bb0e45f73478771a68aebdf5 https://www.vulncheck.com/advisories/openviking-missing-authorization-via-task-polling |
| HDFGroup--hdf5 | HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition in the H5T__ref_mem_setnull method. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. | 2026-04-10 | 5.5 | CVE-2026-29043 | https://github.com/HDFGroup/hdf5/security/advisories/GHSA-qm2m-5g5w-2277 |
| smub--Charitable Donation Plugin for WordPress Fundraising with Recurring Donations & More | The Charitable - Donation Plugin for WordPress - Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment. | 2026-04-07 | 5.3 | CVE-2026-3177 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve https://plugins.trac.wordpress.org/changeset/3485023/charitable |
| Red Hat--mirror registry for Red Hat OpenShift | A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application. | 2026-04-08 | 5.2 | CVE-2026-32591 | https://access.redhat.com/security/cve/CVE-2026-32591 RHBZ#2446965 |
| opensourcepos--opensourcepos | Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3. | 2026-04-07 | 5.4 | CVE-2026-32712 | https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3. | 2026-04-10 | 5.4 | CVE-2026-32893 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-37jh-g64j-88mc https://github.com/chamilo/chamilo-lms/commit/72bc403f89b1ebb73a139f8f6cf0478857592276 |
| Microsoft--Microsoft Edge for Android | User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | 2026-04-10 | 5.4 | CVE-2026-33119 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability |
| pi-hole--web | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5. | 2026-04-06 | 5.4 | CVE-2026-33406 | https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability. | 2026-04-11 | 5.4 | CVE-2026-3358 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989 https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8 https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38. | 2026-04-10 | 5.3 | CVE-2026-33705 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57 https://github.com/chamilo/chamilo-lms/commit/4efb5ee8ed849ca147ca1fe7472ef7b98db17bff |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 5.3 | CVE-2026-33737 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3 |
| Juniper Networks--Junos OS | An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series and QFX Series device allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks. When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic being sent out one of these interfaces which should have been blocked. This issue affects Junos OS on EX Series and QFX Series: * 23.4 version 23.4R2-S6, * 24.2 version 24.2R2-S3. No other Junos OS versions are affected. | 2026-04-09 | 5.8 | CVE-2026-33773 | https://kb.juniper.net/JSA107815 |
| Juniper Networks--Junos OS | A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a local user with low privileges to read sensitive information. A local user with low privileges can execute the CLI command 'show mgd' with specific arguments which will expose sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S1, * 25.2 version before 25.2R1-S2, 25.2R2; Junos OS Evolved: * all versions before 23.2R2-S6-EVO, * 23.4 version before 23.4R2-S6-EVO, * 24.2 version before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S1-EVO, * 25.2 versions before 25.2R2-EVO. | 2026-04-09 | 5.5 | CVE-2026-33776 | https://kb.juniper.net/JSA107866 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1600, SRX2300 and SRX4300 allows a local attacker with low privileges to cause a complete Denial of Service (DoS). When a specific 'show chassis' CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again. This issue affects Junos OS on SRX1600, SRX2300 and SRX4300: * 24.4 versions before 24.4R1-S3, 24.4R2. This issue does not affect Junos OS versions before 24.4R1. | 2026-04-09 | 5.5 | CVE-2026-33786 | https://kb.juniper.net/JSA107810 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600 allows a local attacker with low privileges to cause a complete Denial of Service (DoS). When a specific 'show chassis' CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again. This issue affects Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600: * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7 * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S1, 25.2R2. | 2026-04-09 | 5.5 | CVE-2026-33787 | https://kb.juniper.net/JSA107873 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. | 2026-04-06 | 5.9 | CVE-2026-34380 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw4m-59w5 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0. | 2026-04-06 | 5.4 | CVE-2026-34753 | https://github.com/vllm-project/vllm/security/advisories/GHSA-pf3h-qjgv-vcpr |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57. | 2026-04-09 | 5.1 | CVE-2026-34757 | https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645 https://github.com/pnggroup/libpng/issues/836 https://github.com/pnggroup/libpng/issues/837 https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc |
| projectzealous01--PZ Frontend Manager | The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via the wp_ajax_pzfm_user_request_action action hook, lacks both capability checks and nonce verification. This function handles user activation, deactivation, and deletion operations. When the 'dataType' parameter is set to 'delete', the function calls wp_delete_user() on all provided user IDs without verifying that the current user has the appropriate permissions. Notably, the similar pzfm_remove_item_callback() function does check pzfm_can_delete_user() before performing deletions, indicating this was an oversight. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary WordPress users (including administrators) by sending a crafted request to the AJAX endpoint. | 2026-04-08 | 5.3 | CVE-2026-3477 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90d8e345-b549-493b-a84b-abe56ab42a04?source=cve https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L331 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L331 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L292 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L292 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L290 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L290 |
| Eniture technology--LTL Freight Quotes Worldwide Express Edition | Missing Authorization vulnerability in Eniture technology LTL Freight Quotes - Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Freight Quotes - Worldwide Express Edition: from n/a through 5.2.1. | 2026-04-07 | 5.3 | CVE-2026-34899 | https://patchstack.com/database/wordpress/plugin/ltl-freight-quotes-worldwide-express-edition/vulnerability/wordpress-ltl-freight-quotes-worldwide-express-edition-plugin-5-2-1-broken-access-control-vulnerability?_s_id=cve |
| OceanWP--Ocean Extra | Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ocean Extra: from n/a through 2.5.3. | 2026-04-07 | 5.4 | CVE-2026-34903 | https://patchstack.com/database/wordpress/plugin/ocean-extra/vulnerability/wordpress-ocean-extra-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve |
| Heatmiser--Heatmiser Wifi Thermostat | Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent. | 2026-04-12 | 4.3 | CVE-2019-25708 | ExploitDB-46100 VulnCheck Advisory: Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries. | 2026-04-08 | 4.3 | CVE-2025-9484 | GitLab Issue #565363 HackerOne Bug Bounty Report #3303810 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| vsourz1td--Advanced Contact form 7 DB | The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to excel file. | 2026-04-08 | 4.3 | CVE-2026-0814 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3de1a4-a534-475b-9138-2337755b0288?source=cve https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L1507 https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db |
| realmag777--BEAR Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link. | 2026-04-08 | 4.3 | CVE-2026-1673 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e8960-b0c1-4dbb-ba97-e45b88fb06c0?source=cve https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L1474 https://plugins.trac.wordpress.org/changeset/3457263/ https://plugins.trac.wordpress.org/changeset/3465138/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API. | 2026-04-08 | 4.3 | CVE-2026-1752 | HackerOne Bug Bounty Report #3533545 https://gitlab.com/gitlab-org/gitlab/-/work_items/588413 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| arubadev--Aruba HiSpeed Cache | The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-04-10 | 4.3 | CVE-2026-1924 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d2230151-fde2-43d6-8bff-0d2ffd559ab3?source=cve https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L632 https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L631 https://plugins.trac.wordpress.org/changeset?old_path=%2Faruba-hispeed-cache/tags/3.0.4&new_path=%2Faruba-hispeed-cache/tags/3.0.5 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks. | 2026-04-08 | 4.3 | CVE-2026-2104 | HackerOne Bug Bounty Report #3541476 https://gitlab.com/gitlab-org/gitlab/-/work_items/589021 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| idealwebdesignlk--Whole Enquiry Cart for WooCommerce | The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'woowhole_success_msg' parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-04-08 | 4.4 | CVE-2026-2838 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc14a98-1df8-480b-bae3-5ec057b498af?source=cve https://plugins.trac.wordpress.org/browser/whole-cart-enquiry/trunk/admin.php#L53 |
| homarr-labs--homarr | Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operations without a transaction: CHECK, CREATE, and DELETE. Because these operations are not atomic, concurrent requests can all pass the validation step (1) before any of them reaches the deletion step (3). This allows multiple accounts to be registered using a single invite token that was intended to be single-use. This vulnerability is fixed in 1.57.0. | 2026-04-06 | 4.2 | CVE-2026-32602 | https://github.com/homarr-labs/homarr/security/advisories/GHSA-vfw3-53q9-2hp8 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 4.7 | CVE-2026-32932 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q2cp-3qj3-wx8q https://github.com/chamilo/chamilo-lms/commit/b005b3d3e76cf6eafc03e15ac445ceff089551c0 https://github.com/chamilo/chamilo-lms/commit/fbd8d7eb37d05ec974293f05b6ffaaf9102ebd2b |
| Microsoft--Microsoft Edge (Chromium-based) | Microsoft Edge (Chromium-based) Spoofing Vulnerability | 2026-04-10 | 4.3 | CVE-2026-33118 | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
| Elastic--Kibana | Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access. | 2026-04-08 | 4.3 | CVE-2026-33460 | https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385813 |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs. | 2026-04-11 | 4.3 | CVE-2026-3371 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-8577-449a-aefe-d7bf606fe2de?source=cve https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1755 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L252 https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Mattermost--Mattermost | Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610 | 2026-04-09 | 3.7 | CVE-2026-21388 | MMSA-2026-00610 |
| Dell--PowerProtect Agent | Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 2026-04-08 | 3.3 | CVE-2026-28264 | https://www.dell.com/support/kbdoc/en-us/000447277/dsa-2026-158-security-update-dell-powerprotect-data-manager-for-multiple-security-vulnerabilities |
| pi-hole--web | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping - an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5. | 2026-04-06 | 3.4 | CVE-2026-33404 | https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v |
| pi-hole--web | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5. | 2026-04-06 | 3.1 | CVE-2026-33405 | https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq |
| OpenStack--Keystone | An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected. | 2026-04-10 | 3.5 | CVE-2026-33551 | https://bugs.launchpad.net/keystone/+bug/2142138 https://security.openstack.org/ossa/OSSA-2026-005.html |
| harttle--liquidjs | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string. This allows an attacker who controls template content to bypass the memoryLimit DoS protection with approximately 2,500x amplification, potentially causing out-of-memory conditions. This vulnerability is fixed in 10.25.3. | 2026-04-08 | 3.7 | CVE-2026-34166 | https://github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx https://github.com/harttle/liquidjs/commit/abc058be0f33d6372cd2216f4945183167abeb25 https://github.com/harttle/liquidjs/releases/tag/v10.25.3 |
| electron--electron | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected. To mitigate this issue, ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. | 2026-04-06 | 2.3 | CVE-2026-34764 | https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp |
| electron--electron | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. | 2026-04-07 | 2.8 | CVE-2026-34781 | https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2. | 2026-04-10 | not yet calculated | CVE-2025-66447 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-m82x-prv3-rwwv https://github.com/chamilo/chamilo-lms/commit/73ae6293adaa6098374bc22625342dbae5cbc446 |
| n/a--Stakeholder-Specific Vulnerability Categorization (SSVC) | QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request | 2026-04-08 | not yet calculated | CVE-2023-46945 | https://qd-today.github.io/qd/ https://gist.github.com/kurokoleung/5b36b2013a54adadcce79967d3e4f056 |
| n/a--Koha 23.05.10 | Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images. | 2026-04-07 | not yet calculated | CVE-2024-36057 | https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md https://github.com/hacklantic/Research/tree/main/CVE-2024-36057 https://koha-community.org/koha-22-05-22-released/ |
| n/a--Koha 23.05.10 | The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database. | 2026-04-07 | not yet calculated | CVE-2024-36058 | https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md https://koha-community.org/koha-22-05-22-released/ https://github.com/hacklantic/Research/tree/main/CVE-2024-36058 |
| Unknown--YML for Yandex Market | The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process. | 2026-04-10 | not yet calculated | CVE-2025-14545 | https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/ |
| Canonical--Ubuntu | In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs. | 2026-04-09 | not yet calculated | CVE-2025-14551 | noble backport - stop logging network config and identity data Stop logging identity data and network secrets |
| Mitsubishi Electric Corporation--GENESIS64 | Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials stored in plaintext within the local SQLite file by exploiting this vulnerability, when the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially cause a denial-of-service (DoS) condition on the system. | 2026-04-08 | not yet calculated | CVE-2025-14815 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf https://jvn.jp/vu/JVNVU90646130/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01 |
| Mitsubishi Electric Corporation--GENESIS64 | Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials displayed in plain text in the GUI of the Hyper Historian Splitter feature by exploiting this vulnerability, when SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially cause a denial-of-service (DoS) condition on the system. | 2026-04-08 | not yet calculated | CVE-2025-14816 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01 https://jvn.jp/vu/JVNVU90646130/ |
| Semtech--LR1110 | An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access. | 2026-04-07 | not yet calculated | CVE-2025-14857 | https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001 |
| Semtech--LR1110 | The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface. | 2026-04-07 | not yet calculated | CVE-2025-14858 | https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001 |
| Semtech--LR1110 | The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device. | 2026-04-07 | not yet calculated | CVE-2025-14859 | https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001 |
| Canonical--Ubuntu | In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs. | 2026-04-09 | not yet calculated | CVE-2025-15480 | feat: don't log identity data (noble backport) feat: don't log identity data |
| Unknown--Popup Box | The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend. | 2026-04-07 | not yet calculated | CVE-2025-15611 | https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/ |
| Ping Identity--PingIDM | An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity's security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode. | 2026-04-07 | not yet calculated | CVE-2025-20628 | https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest https://backstage.pingidentity.com/downloads/browse/idm/featured |
| Nokia--MantaRay NM | Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application. | 2026-04-07 | not yet calculated | CVE-2025-24817 | https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/ |
| Nokia--MantaRay NM | Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application. | 2026-04-07 | not yet calculated | CVE-2025-24818 | https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24818/ |
| Nokia--MantaRay NM | Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application. | 2026-04-07 | not yet calculated | CVE-2025-24819 | https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/ |
| Checkmk GmbH--Checkmk | Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root. | 2026-04-07 | not yet calculated | CVE-2025-39666 | https://checkmk.com/werk/18891 |
| n/a--OwnTone - open source (audio) media server | owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking. | 2026-04-10 | not yet calculated | CVE-2025-44560 | https://github.com/owntone/owntone-server/issues/1873 https://gist.github.com/wenwenyuyu/517851c3fe38c4f97b2d1940597da2d3 |
| D-Link[.]com -- D-Link DI-8300 | D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the ip parameter in the ip_position_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-08 | not yet calculated | CVE-2025-45057 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300 https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8300 | D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fx parameter in the jingx_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-08 | not yet calculated | CVE-2025-45058 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300 https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8300 | D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fn parameter in the tgfile_htm function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-08 | not yet calculated | CVE-2025-45059 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300 https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| www[.]rrweb[.]io/ -- rrwebplayer | A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 2026-04-09 | not yet calculated | CVE-2025-45806 | https://github.com/rrweb-io/rrweb https://github.com/rrweb-io/rrweb/tree/master/packages/rrweb-snapshot https://github.com/rrweb-io/rrweb/issues/1817 |
| Google--Android | In importWrappedKey of KMKeymasterApplet.java, there is a possible way access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-04-06 | not yet calculated | CVE-2025-48651 | https://source.android.com/docs/security/bulletin/2026/2026-04-01 |
| n/a--n/a | Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules. | 2026-04-09 | not yet calculated | CVE-2025-50228 | https://github.com/Cherry-toto/jizhicms https://www.jizhicms.cn https://github.com/Cherry-toto/jizhicms/issues/104 |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of user input in the qj.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50644 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A vulnerability has been discovered in D-Link DI-8003 16.07.26A1, which can lead to a buffer overflow when the s parameter in the pppoe_list_opt.asp endpoint is manipulated. By sending a crafted request with an excessively large value for the s parameter, an attacker can trigger a buffer overflow condition. | 2026-04-08 | not yet calculated | CVE-2025-50645 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to insufficient input validation on the name parameter in the /qos_type_asp.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50646 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1, specifically in the handling of the wans parameter in the qos.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50647 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate input validation in the /tggl.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50648 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper input validation in the vlan_name parameter in the /shut_set.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50649 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate validation of input size in the routes_static parameter in the /router.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50650 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | An issue in D-Link DI-8003 16.07.26A1 related to improper handling of the id parameter in the /saveparm_usb.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50652 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name and mem parameters in the /time_group.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50653 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of the id parameter in the /thd_member.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50654 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /thd_group.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50655 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the pid parameter in the /trace.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50657 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the custom_error parameter in the /user.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50659 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /url_member.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50660 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of multiple parameters in the /url_rule.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, en, ips, u, time, act, rpri, and log. | 2026-04-08 | not yet calculated | CVE-2025-50661 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /url_group.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50662 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /usb_paswd.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50663 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /user_group.asp endpoint. The attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, mem, pri, and attr. | 2026-04-08 | not yet calculated | CVE-2025-50664 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of input parameters in the /web_keyword.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request via the name, en, time, mem_gb2312, and mem_utf8 parameters. | 2026-04-08 | not yet calculated | CVE-2025-50665 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of multiple parameters in the /web_post.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request in parameters such as name, en, user_id, log, and time. | 2026-04-08 | not yet calculated | CVE-2025-50666 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the iface parameter in the /wan_line_detection.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50667 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the s parameter in the /web_list_opt.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50668 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 and DI-8003G 19.12.10A1 due to improper handling of the wan_ping parameter in the /wan_ping.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50669 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /xwgl_bwr.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request in the name, qq, and time parameters. | 2026-04-08 | not yet calculated | CVE-2025-50670 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /xwgl_ref.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request with excessively long strings in parameters name, en, user_id, shibie_name, time, act, log, and rpri. | 2026-04-08 | not yet calculated | CVE-2025-50671 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /yyxz_dlink.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50672 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the http_lanport parameter in the /webgl.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50673 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| Tendacn[.]com -- AC6 WiFi Router | Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetCfm function via the funcname, funcpara1, and funcpara2 parameters. | 2026-04-08 | not yet calculated | CVE-2025-52221 | https://github.com/faqiadegege/IoTVuln/blob/main/tendaAc6_formSetCfm_funcname_overflow/detail.md https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1; DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.07.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and DI-8100G v17.12.20A1 were discovered to contain a buffer overflow via the rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip parameters in the radius_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-04-08 | not yet calculated | CVE-2025-52222 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow via a certain ioctl message, issue 1 of 2. | 2026-04-07 | not yet calculated | CVE-2025-52908 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52908/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow via a certain ioctl message, issue 2 of 2. | 2026-04-07 | not yet calculated | CVE-2025-52909 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52909/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect Handling of a DL NAS Transport packet leads to a Denial of Service. | 2026-04-06 | not yet calculated | CVE-2025-54324 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54324/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. A Stack-based Buffer Overflow occurs while parsing SMS RP-DATA messages. | 2026-04-06 | not yet calculated | CVE-2025-54328 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor amd Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a double free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads. | 2026-04-06 | not yet calculated | CVE-2025-54601 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54601/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a use-after-free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads. | 2026-04-06 | not yet calculated | CVE-2025-54602 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54602/ |
| n/a--GenieACS | In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint. | 2026-04-07 | not yet calculated | CVE-2025-56015 | https://github.com/genieacs/genieacs/ https://github.com/e1st/CVE-2025-56015 |
| Apache Software Foundation--Apache Airflow | When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+ Users are recommended to upgrade to version 3.2.0, which fixes this issue. | 2026-04-09 | not yet calculated | CVE-2025-57735 | https://github.com/apache/airflow/pull/61339 https://github.com/apache/airflow/pull/56633 https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98 |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem (Exynos 980, 850, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 1680, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400, and Modem 5410). The absence of proper input validation leads to a Denial of Service. | 2026-04-06 | not yet calculated | CVE-2025-57834 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Improper memory initialization results in an illegal memory access, causing a system crash via a malformed RRCReconfiguration message. | 2026-04-06 | not yet calculated | CVE-2025-57835 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-57835/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect handling of LTE MAC packets containing many MAC Control Elements (CEs) leads to baseband crashes. | 2026-04-06 | not yet calculated | CVE-2025-58349 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58349/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in USIM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Improper handling of SIM card proactive commands leads to a Denial of Service. | 2026-04-06 | not yet calculated | CVE-2025-59440 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59440/ |
| n/a--n/a | An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect users to a malicious site via a crafted URL. | 2026-04-06 | not yet calculated | CVE-2025-61166 | https://linkedin.com/in/thakur-nikhil https://medium.com/@rajput.thakur/malicious-open-redirection-cve-2025-61166-bf5d708cd241 |
| Apache Software Foundation--Apache DolphinScheduler | An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.*. Users are recommended to upgrade to: * version ≥ 3.2.0 if using 3.1.x As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable: ``` MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus ``` Alternatively, add the following configuration to the application.yaml file: ``` management: endpoints: web: exposure: include: health,metrics,prometheus ``` This issue has been reported as CVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796 | 2026-04-09 | not yet calculated | CVE-2025-62188 | https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo https://www.cve.org/CVERecord?id=CVE-2023-48796 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0. | 2026-04-09 | not yet calculated | CVE-2025-62718 | https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5 https://github.com/axios/axios/pull/10661 https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df https://datatracker.ietf.org/doc/html/rfc1034#section-3.1 https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2 https://github.com/axios/axios/releases/tag/v1.15.0 |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-bounds write occurs due to a mismatch between the TP-UDHI and UDL values when processing an SMS TP-UD packet. | 2026-04-07 | not yet calculated | CVE-2025-62818 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-62818/ |
| n/a--LimeSurvey | A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user. | 2026-04-09 | not yet calculated | CVE-2025-63238 | https://github.com/LimeSurvey/LimeSurvey/commit/80769a677dc82ddb1fcced4af19bd959d583208d https://gist.github.com/masquerad3r/f913ab479e8de2ad71987ef98a088fb5 |
| n/a--n/a | An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location. | 2026-04-07 | not yet calculated | CVE-2025-69515 | http://jxl.com https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main/README.md |
| n/a--n/a | An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. | 2026-04-09 | not yet calculated | CVE-2025-70364 | http://kiamo.com https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70364-Kiamo.md |
| Kiamo[.]com -- Kiamo | A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. | 2026-04-09 | not yet calculated | CVE-2025-70365 | http://kiamo.com https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70365-Kiamo.md |
| n/a-- Limesurvey | Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters. | 2026-04-09 | not yet calculated | CVE-2025-70797 | https://gist.github.com/masquerad3r/772ddbfbd9fd95754f4873bcb202146d https://github.com/LimeSurvey/LimeSurvey/pull/4356 |
| n/a--n/a | Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism | 2026-04-09 | not yet calculated | CVE-2025-70810 | https://github.com/ariefibis https://www.linkedin.com/in/mohammed-a-6a2548112/ https://gist.github.com/ariefibis/80e306765c23d6fac1584dbb76822e30 |
| n/a--n/a | Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality. | 2026-04-09 | not yet calculated | CVE-2025-70811 | https://github.com/ariefibis https://www.linkedin.com/in/mohammed-a-6a2548112/ https://github.com/ariefibis/PHPBB/security/advisories/GHSA-56pv-xg3w-6822 |
| n/a--Yaffa | yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page. | 2026-04-07 | not yet calculated | CVE-2025-70844 | https://github.com/kantorge/yaffa https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844 |
| n/a--n/a | Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations. | 2026-04-07 | not yet calculated | CVE-2025-71058 | https://sourceforge.net/projects/dhcp-dns-server/ https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058 |
| Google--Android | In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-04-06 | not yet calculated | CVE-2026-0049 | https://source.android.com/docs/security/bulletin/2026/2026-04-01 |
| Pegasystems--Pega Robot Studio | An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website. | 2026-04-07 | not yet calculated | CVE-2026-1078 | https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note |
| Pegasystems--Pega Browser Extension (PBE) | A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box. | 2026-04-07 | not yet calculated | CVE-2026-1079 | https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note |
| parisneo--parisneo/lollms | In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0. | 2026-04-07 | not yet calculated | CVE-2026-1114 | https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89 https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34 |
| parisneo--parisneo/lollms | A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0. | 2026-04-10 | not yet calculated | CVE-2026-1115 | https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a |
| parisneo--parisneo/lollms | A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks. | 2026-04-12 | not yet calculated | CVE-2026-1116 | https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a |
| parisneo--parisneo/lollms | An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password. | 2026-04-08 | not yet calculated | CVE-2026-1163 | https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b |
| Python Software Foundation--CPython | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | 2026-04-10 | not yet calculated | CVE-2026-1502 | https://github.com/python/cpython/pull/146212 https://github.com/python/cpython/issues/146211 https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/ https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69 |
| huggingface--huggingface/transformers | A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3. | 2026-04-07 | not yet calculated | CVE-2026-1839 | https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485 https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396 |
| Unknown--Link Whisper Free | The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates. | 2026-04-07 | not yet calculated | CVE-2026-1900 | https://wpscan.com/vulnerability/dc10b627-7981-4c53-bc9d-e87418f3fcfc/ |
| MediaTek, Inc.--MediaTek chipset | In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01106496; Issue ID: MSV-4467. | 2026-04-07 | not yet calculated | CVE-2026-20431 | https://corp.mediatek.com/product-security-bulletin/April-2026 |
| MediaTek, Inc.--MediaTek chipset | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461. | 2026-04-07 | not yet calculated | CVE-2026-20432 | https://corp.mediatek.com/product-security-bulletin/April-2026 |
| MediaTek, Inc.--MediaTek chipset | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460. | 2026-04-07 | not yet calculated | CVE-2026-20433 | https://corp.mediatek.com/product-security-bulletin/April-2026 |
| MediaTek, Inc.--MediaTek chipset | In sec boot, there is a possible out of bounds write due to an integer overflow. This could lead to local denial of service, if an attacker has physical access to the device, with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09963054; Issue ID: MSV-3899. | 2026-04-07 | not yet calculated | CVE-2026-20446 | https://corp.mediatek.com/product-security-bulletin/April-2026 |
| Rocket.Chat--Rocket.Chat | An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint. | 2026-04-10 | not yet calculated | CVE-2026-22560 | https://hackerone.com/reports/3418031 https://github.com/RocketChat/Rocket.Chat/pull/38994 |
| The Wikimedia Foundation--Mediawiki - Wikilove Extension | Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS).The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. | 2026-04-07 | not yet calculated | CVE-2026-22711 | https://phabricator.wikimedia.org/T416502 https://gerrit.wikimedia.org/r/q/Iab86209478a044504f5a6aea0d8c3d14f21c48b3 |
| OpenPLC_V3--OpenPLC_V3 | OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API. | 2026-04-09 | not yet calculated | CVE-2026-28205 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10 |
| OpenSSL--OpenSSL | Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to output. The vulnerable code path is only reached when processing partial blocks (when a previous call left an incomplete block and the current call provides fewer bytes than needed to complete it). Additionally, the input buffer must be positioned at a page boundary with the following page unmapped. CFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or ChaCha20-Poly1305 instead. For these reasons the issue was assessed as Low severity according to our Security Policy. Only x86-64 systems with AVX-512 and VAES instruction support are affected. Other architectures and systems without VAES support use different code paths that are not affected. OpenSSL FIPS module in 3.6 version is affected by this issue. | 2026-04-07 | not yet calculated | CVE-2026-28386 | OpenSSL Advisory 3.6.2 git commit |
| OpenSSL--OpenSSL | Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary. | 2026-04-07 | not yet calculated | CVE-2026-28387 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
| OpenSSL--OpenSSL | Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-04-07 | not yet calculated | CVE-2026-28388 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
| OpenSSL--OpenSSL | Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-04-07 | not yet calculated | CVE-2026-28389 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
| OpenSSL--OpenSSL | Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-04-07 | not yet calculated | CVE-2026-28390 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
| Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--Emocheck | Emocheck insecurely loads Dynamic Link Libraries (DLLs). If a crafted DLL file is placed to the same directory, an arbitrary code may be executed with the privilege of the user invoking EmoCheck. | 2026-04-10 | not yet calculated | CVE-2026-28704 | https://www.jpcert.or.jp/press/2026/PR20260410.html https://github.com/JPCERTCC/EmoCheck/ https://jvn.jp/en/jp/JVN00263243/ |
| Erlang--OTP | Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6. | 2026-04-07 | not yet calculated | CVE-2026-28808 | https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f https://cna.erlef.org/cves/CVE-2026-28808.html https://osv.dev/vulnerability/EEF-CVE-2026-28808 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688 https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c |
| Erlang--OTP | Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11. | 2026-04-07 | not yet calculated | CVE-2026-28810 | https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8 https://cna.erlef.org/cves/CVE-2026-28810.html https://osv.dev/vulnerability/EEF-CVE-2026-28810 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5 https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8 |
| Apache Software Foundation--Apache Tomcat | Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-29129 | https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f |
| Apache Software Foundation--Apache Tomcat | CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-29145 | https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz |
| Apache Software Foundation--Apache Tomcat | Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue. | 2026-04-09 | not yet calculated | CVE-2026-29146 | https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w |
| n/a--n/a | PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php. | 2026-04-10 | not yet calculated | CVE-2026-29861 | https://github.com/amanyadav78/CVE-2026-29861 |
| Entechtaiwan[.]com – PowerStrip | The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures. | 2026-04-09 | not yet calculated | CVE-2026-29923 | https://entechtaiwan.com/util/ps.shtm https://packetstorm.news/files/id/218394/ |
| n/a-- OpenAirInterface | OpenAirInterface Version 2.2.0 has a Buffer Overflow vulnerability in processing UplinkNASTransport containing Authentication Response containing a NAS PDU with oversize response (For example 100 byte). The response is decoded by AMF and passed to the AUSF component for verification. AUSF crashes on receiving this oversize response. This can prohibit users from further registration and verification and can cause Denial of Services (DoS). | 2026-04-08 | not yet calculated | CVE-2026-30075 | https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues?show=eyJpaWQiOiI2IiwiZnVsbF9wYXRoIjoib2FpL2NuNWcvb2FpLWNuNWctYXVzZiIsImlkIjo1NDE5fQ%3D%3D https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues/6 |
| n/a-- OpenAirInterface | OpenAirInterface V2.2.0 AMF crashes when it receives an NGAP message with invalid procedure code or invalid PDU-type. For example when the message specification requires InitiatingMessage but sent with successfulOutcome. | 2026-04-06 | not yet calculated | CVE-2026-30078 | https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/74 https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/merge_requests/414 |
| n/a-- OpenAirInterface | In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication. | 2026-04-07 | not yet calculated | CVE-2026-30079 | https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77 |
| n/a-- OpenAirInterface | OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack. | 2026-04-08 | not yet calculated | CVE-2026-30080 | https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78 |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5. | 2026-04-10 | not yet calculated | CVE-2026-30232 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1 |
| n/a-- Daylight Studio FuelCMS | Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module. | 2026-04-07 | not yet calculated | CVE-2026-30460 | https://github.com/daylightstudio/FUEL-CMS/ http://daylight.com http://fuelcms.com https://pentest-tools.com/PTT-2025-027-Improper-Authorization.pdf |
| Ms4w[.]com -- GatewayGeo Mapserver | A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable. | 2026-04-09 | not yet calculated | CVE-2026-30478 | https://ms4w.com https://github.com/penjaminTester/Research/tree/main/CVE-2026-30478 |
| Ms4w[.]com -- GatewayGeo Mapserver | A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable. | 2026-04-09 | not yet calculated | CVE-2026-30479 | https://mapserver.org/index.html https://github.com/penjaminTester/Research/tree/main/CVE-2026-30479 |
| Aziot[.]life -- AZIOT 1 Node Smart Switch | An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch (16amp)- WiFi/Bluetooth Enabled Software Version: 1.1.9 due to improper access control on the UART debug interface. An attacker with physical access can connect to the UART interface and obtain sensitive information from the serial console without authentication. | 2026-04-06 | not yet calculated | CVE-2026-30613 | http://aziot.com https://github.com/dumbermore/tuya/blob/main/README.md |
| TP-Link Systems Inc.--AX53 v1.0 | A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via a specially crafted configuration file. Successful exploitation may cause a crash and could allow arbitrary code execution, enabling modification of device state, exposure of sensitive data, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | 2026-04-08 | not yet calculated | CVE-2026-30814 | https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/ |
| TP-Link Systems Inc.--AX53 v1.0 | An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow modification of configuration files, disclosure of sensitive information, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | 2026-04-08 | not yet calculated | CVE-2026-30815 | https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/ |
| TP-Link Systems Inc.--AX53 v1.0 | An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary file when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | 2026-04-08 | not yet calculated | CVE-2026-30816 | https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/ |
| TP-Link Systems Inc.--AX53 v1.0 | An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | 2026-04-08 | not yet calculated | CVE-2026-30817 | https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/ |
| TP-Link Systems Inc.--AX53 v1.0 | An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow the attacker to modify device configuration, access sensitive information, or further compromise system integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | 2026-04-08 | not yet calculated | CVE-2026-30818 | https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/ |
| n/a--n/a | A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure. | 2026-04-08 | not yet calculated | CVE-2026-31017 | http://frappe.com https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017 |
| n/a--n/a | A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution. | 2026-04-08 | not yet calculated | CVE-2026-31040 | https://github.com/SepineTam/stata-mcp/issues/20 https://github.com/SepineTam/stata-mcp/pull/21 https://github.com/SepineTam/stata-mcp/commit/52413ce https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0 |
| n/a--n/a | A double free vulnerability exists in librz/bin/format/le/le.c in the function le_load_fixup_record(). When processing malformed or circular LE fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated on a service pipeline. | 2026-04-06 | not yet calculated | CVE-2026-31053 | https://github.com/rizinorg/rizin/issues/5753 https://github.com/rizinorg/rizin/pull/5795 |
| n/a-- Aggressive HiPER Router 1200GW | UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the timeRangeName parameter of the formConfigDnsFilterGlobal function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31058 | https://github.com/zxq0408/Vul202601/blob/main/2.md |
| n/a-- Aggressive HiPER Router 520W | A remote command execution (RCE) vulnerability in the /goform/formDia component of UTT Aggressive HiPER 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string. | 2026-04-06 | not yet calculated | CVE-2026-31059 | https://github.com/zxq0408/Vul202601/blob/main/9.md |
| n/a-- Aggressive HiPER Router 810G | UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the notes parameter of the formGroupConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31060 | https://github.com/zxq0408/Vul202601/blob/main/5.md |
| n/a-- Aggressive HiPER Router 810G | UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the timestart parameter of the ConfigAdvideo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31061 | https://github.com/zxq0408/Vul202601/blob/main/1.md |
| n/a-- Aggressive HiPER Router 510W | UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the filename parameter of the formFtpServerDirConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31062 | https://github.com/zxq0408/Vul202601/blob/main/7.md |
| n/a-- Aggressive HiPER Router 1200GW | UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the pools parameter of the formArpBindConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31063 | https://github.com/zxq0408/Vul202601/blob/main/4.md |
| n/a-- Aggressive HiPER Router 520W | UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the addCommand parameter of the formConfigCliForEngineerOnly function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31065 | https://github.com/zxq0408/Vul202601/blob/main/8.md |
| n/a-- Aggressive HiPER Router 810G | UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the selDateType parameter of the formTaskEdit function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31066 | https://github.com/zxq0408/Vul202601/blob/main/6.md |
| n/a-- UTT Aggressive 520W | A remote command execution (RCE) vulnerability in the /goform/formReleaseConnect component of UTT Aggressive 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string. | 2026-04-06 | not yet calculated | CVE-2026-31067 | https://github.com/zxq0408/Vul202601/blob/main/10.md |
| n/a-- Kaleris YMS | Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources. | 2026-04-06 | not yet calculated | CVE-2026-31150 | https://kaleris.com/solutions/yard-management/ https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150 |
| n/a-- Kaleris YMS | An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application 's resources. | 2026-04-06 | not yet calculated | CVE-2026-31151 | https://kaleris.com/solutions/yard-management/ https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31151 |
| Bynder[.]com -- Bynder v0.1.394 | A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 2026-04-06 | not yet calculated | CVE-2026-31153 | https://www.bynder.com/en/ https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31153 |
| Totolink[.]net -- A3300R router | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi. | 2026-04-09 | not yet calculated | CVE-2026-31170 | https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection |
| Altenar[.]com -- Sportsbook Software Platform SB2 v.2.0 | Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter | 2026-04-10 | not yet calculated | CVE-2026-31262 | https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS https://github.com/nikolas-ch/CVEs/blob/main/Altenar_SportsBook_Platform_SB2/ORtoXSS/ORtoXSS.txt |
| n/a--n/a | megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing the /user/insert endpoint. This leads to complete system compromise. | 2026-04-07 | not yet calculated | CVE-2026-31271 | https://github.com/clockw1se0v0/Vul/blob/main/production_ssm/Unauthorized.md |
| n/a--n/a | MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication. | 2026-04-07 | not yet calculated | CVE-2026-31272 | https://github.com/clockw1se0v0/Vul/blob/main/MRCMS/Unauthorized.md |
| n/a-- Feehi CMS | An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field. | 2026-04-06 | not yet calculated | CVE-2026-31313 | http://feehi.com https://github.com/liufee/cms/issues/80 |
| n/a-- Feehi CMS | An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter. | 2026-04-06 | not yet calculated | CVE-2026-31350 | https://github.com/liufee/cms https://github.com/liufee/cms/issues/82 |
| n/a-- Feehi CMS | An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter. | 2026-04-06 | not yet calculated | CVE-2026-31351 | https://github.com/liufee/cms https://github.com/liufee/cms/issues/81 |
| n/a-- Feehi CMS | An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter. | 2026-04-06 | not yet calculated | CVE-2026-31352 | https://github.com/liufee/cms https://github.com/liufee/cms/issues/83 |
| n/a-- Feehi CMS | An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. | 2026-04-06 | not yet calculated | CVE-2026-31353 | https://github.com/liufee/cms https://github.com/liufee/cms/issues/84 |
| n/a-- Feehi CMS | Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters. | 2026-04-06 | not yet calculated | CVE-2026-31354 | https://github.com/liufee/cms https://github.com/liufee/cms/issues/85 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded. | 2026-04-06 | not yet calculated | CVE-2026-31405 | https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8 https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30 https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92 https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work. The following is a simple race scenario: cpu0 cpu1 cleanup_net() [Round 1] ops_undo_list() xfrm_net_exit() xfrm_nat_keepalive_net_fini() cancel_delayed_work_sync(nat_keepalive_work); xfrm_state_fini() xfrm_state_flush() xfrm_state_delete(x) __xfrm_state_delete(x) xfrm_nat_keepalive_state_updated(x) schedule_delayed_work(nat_keepalive_work); rcu_barrier(); net_complete_free(); net_passive_dec(net); llist_add(&net->defer_free_list, &defer_free_list); cleanup_net() [Round 2] rcu_barrier(); net_complete_free() kmem_cache_free(net_cachep, net); nat_keepalive_work() // on freed net To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync(). | 2026-04-06 | not yet calculated | CVE-2026-31406 | https://git.kernel.org/stable/c/32d0f44c2f14d60fe8e920e69a28c11051543ec1 https://git.kernel.org/stable/c/2255ed6adbc3100d2c4a83abd9d0396d04b87792 https://git.kernel.org/stable/c/21f2fc49ca6faa393c31da33b8a4e6c41fc84c13 https://git.kernel.org/stable/c/daf8e3b253aa760ff9e96c7768a464bc1d6b3c90 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN. | 2026-04-06 | not yet calculated | CVE-2026-31407 | https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths. | 2026-04-06 | not yet calculated | CVE-2026-31408 | https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1 https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3 https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361 https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn->binding on failed binding request When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. This fix it by clearing conn->binding = false in the error path. | 2026-04-06 | not yet calculated | CVE-2026-31409 | https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921 https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772 https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60 https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION Use sb->s_uuid for a proper volume identifier as the primary choice. For filesystems that do not provide a UUID, fall back to stfs.f_fsid obtained from vfs_statfs(). | 2026-04-06 | not yet calculated | CVE-2026-31410 | https://git.kernel.org/stable/c/ce00616bc1df675bfdacc968f2bf7c51f4669227 https://git.kernel.org/stable/c/3d80ebe6d1b7bc9ad20fd9b0c1a0c56d804f8a0a https://git.kernel.org/stable/c/c283a6ffe6d5d6e5594d991286b9ce15951572e1 https://git.kernel.org/stable/c/3a64125730cabc34fccfbc230c2667c2e14f7308 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3 | 2026-04-08 | not yet calculated | CVE-2026-31411 | https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840 https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5 https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2 https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067 https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297 https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651 https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()` , and the `common->data_size_from_cmnd` is set up in `do_scsi_command()`. During initialization, there is no integer overflow check for the interaction between two variables. So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (`common->data_size_from_cmnd`), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses. Fix this by using the check_shl_overflow() macro to safely perform the shift and catch any overflows. | 2026-04-10 | not yet calculated | CVE-2026-31412 | https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5 https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3 https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode. | 2026-04-12 | not yet calculated | CVE-2026-31413 | https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4 https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7 https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455 https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5 |
| OpenSSL--OpenSSL | Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-04-07 | not yet calculated | CVE-2026-31789 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
| OpenSSL--OpenSSL | Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue. | 2026-04-07 | not yet calculated | CVE-2026-31790 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
| Sonatype--Nexus Repository | A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control. | 2026-04-08 | not yet calculated | CVE-2026-3199 | https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/50615414548499 |
| Erlang--OTP | Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7. | 2026-04-07 | not yet calculated | CVE-2026-32144 | https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm https://cna.erlef.org/cves/CVE-2026-32144.html https://osv.dev/vulnerability/EEF-CVE-2026-32144 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891 https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0 |
| Gleam--Gleam | Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation. This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files. This issue affects Gleam from 1.9.0-rc1 until 1.15.3 and 1.16.0-rc1. | 2026-04-11 | not yet calculated | CVE-2026-32146 | https://github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j https://cna.erlef.org/cves/CVE-2026-32146.html https://osv.dev/vulnerability/EEF-CVE-2026-32146 https://github.com/gleam-lang/gleam/commit/1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf https://github.com/gleam-lang/gleam/commit/55bb36e6d7febfbbc48c4d001e0ae13eb0312d78 |
| Go standard library--crypto/x509 | During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. | 2026-04-08 | not yet calculated | CVE-2026-32280 | https://go.dev/cl/758320 https://go.dev/issue/78282 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4947 |
| Go standard library--crypto/x509 | Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. | 2026-04-08 | not yet calculated | CVE-2026-32281 | https://go.dev/cl/758061 https://go.dev/issue/78281 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4946 |
| Go standard library--internal/syscall/unix | On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. | 2026-04-08 | not yet calculated | CVE-2026-32282 | https://go.dev/cl/763761 https://go.dev/issue/78293 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4864 |
| Go standard library--crypto/tls | If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. | 2026-04-08 | not yet calculated | CVE-2026-32283 | https://go.dev/cl/763767 https://go.dev/issue/78334 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4870 |
| Go standard library--archive/tar | tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. | 2026-04-08 | not yet calculated | CVE-2026-32288 | https://go.dev/cl/763766 https://go.dev/issue/78301 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4869 |
| Go standard library--html/template | Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. | 2026-04-08 | not yet calculated | CVE-2026-32289 | https://go.dev/cl/763762 https://go.dev/issue/78331 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4865 |
| Apache Software Foundation--Apache Cassandra | Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue. | 2026-04-07 | not yet calculated | CVE-2026-32588 | https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc |
| Apache Software Foundation--Apache Tomcat | Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-32990 | https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7 |
| Apache Software Foundation--Apache OpenMeetings | Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields get be checked at FileItemDTO object. This issue affects Apache OpenMeetings: from 3.10 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. | 2026-04-09 | not yet calculated | CVE-2026-33005 | https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.db/org/apache/openmeetings/db/dto/file/FileItemDTO.html https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | 2026-04-07 | not yet calculated | CVE-2026-33033 | Django security archive Django releases announcements Django security releases issued: 6.0.4, 5.2.13, and 4.2.30 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue. | 2026-04-07 | not yet calculated | CVE-2026-33034 | Django security archive Django releases announcements Django security releases issued: 6.0.4, 5.2.13, and 4.2.30 |
| Six Apart Ltd.--Movable Type | Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement. | 2026-04-08 | not yet calculated | CVE-2026-33088 | https://movabletype.org/news/2026/04/mt-907-released.html https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html https://jvn.jp/en/jp/JVN66473735/ |
| Acronis--Acronis True Image OEM | Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902. | 2026-04-10 | not yet calculated | CVE-2026-33092 | SEC-9407 |
| Apache Software Foundation--Apache ActiveMQ Client | Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3. | 2026-04-07 | not yet calculated | CVE-2026-33227 | https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1. | 2026-04-08 | not yet calculated | CVE-2026-33229 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9 https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63 https://jira.xwiki.org/browse/XWIKI-23698 https://jira.xwiki.org/browse/XWIKI-23702 |
| Apache Software Foundation--Apache OpenMeetings | Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. | 2026-04-09 | not yet calculated | CVE-2026-33266 | https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66 |
| ICZ Corporation--MATCHA INVOICE | Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server. | 2026-04-08 | not yet calculated | CVE-2026-33273 | https://oss.icz.co.jp/news/?p=1386 https://jvn.jp/en/jp/JVN33581068/ |
| OpenIdentityPlatform--OpenAM | Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6. | 2026-04-07 | not yet calculated | CVE-2026-33439 | https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj |
| Checkmk GmbH--Checkmk | Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins. | 2026-04-10 | not yet calculated | CVE-2026-33455 | https://checkmk.com/werk/17988 |
| Checkmk GmbH--Checkmk | Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description. | 2026-04-10 | not yet calculated | CVE-2026-33456 | https://checkmk.com/werk/17989 |
| Checkmk GmbH--Checkmk | Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value. | 2026-04-10 | not yet calculated | CVE-2026-33457 | https://checkmk.com/werk/17990 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38. | 2026-04-10 | not yet calculated | CVE-2026-33698 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-557g-2w66-gpmf https://github.com/chamilo/chamilo-lms/commit/d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3. | 2026-04-10 | not yet calculated | CVE-2026-33703 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5 |
| Go standard library--crypto/x509 | When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. | 2026-04-08 | not yet calculated | CVE-2026-33810 | https://go.dev/cl/763763 https://go.dev/issue/78332 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4866 |
| github.com/jackc/pgx/v5--github.com/jackc/pgx/v5/pgproto3 | Memory-safety vulnerability in github.com/jackc/pgx/v5. | 2026-04-07 | not yet calculated | CVE-2026-33815 | https://pkg.go.dev/vuln/GO-2026-4771 |
| github.com/jackc/pgx/v5--github.com/jackc/pgx/v5/pgproto3 | Memory-safety vulnerability in github.com/jackc/pgx/v5. | 2026-04-07 | not yet calculated | CVE-2026-33816 | https://pkg.go.dev/vuln/GO-2026-4772 |
| Mlflow--Mlflow | MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow version through 3.10.1 | 2026-04-07 | not yet calculated | CVE-2026-33865 | https://github.com/mlflow/mlflow/pull/21435 https://cert.pl/en/posts/2026/04/CVE-2026-33865/ https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors |
| Mlflow--Mlflow | MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow version through 3.10.1 | 2026-04-07 | not yet calculated | CVE-2026-33866 | https://github.com/mlflow/mlflow/pull/21708 https://cert.pl/en/posts/2026/04/CVE-2026-33865/ https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors |
| Apache Software Foundation--Apache OpenMeetings | Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. | 2026-04-09 | not yet calculated | CVE-2026-34020 | https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db |
| flatpak--flatpak | Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4. | 2026-04-07 | not yet calculated | CVE-2026-34078 | https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg |
| flatpak--flatpak | Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4. | 2026-04-07 | not yet calculated | CVE-2026-34079 | https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp |
| flatpak--xdg-dbus-proxy | xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7. | 2026-04-07 | not yet calculated | CVE-2026-34080 | https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677 |
| Hydrosystem--Control System | Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically the attacker could run PHP scripts directly on the connected database.This issue was fixed in Hydrosystem Control System version 9.8.5 | 2026-04-09 | not yet calculated | CVE-2026-34184 | https://cert.pl/posts/2026/04/CVE-2026-4901/ https://www.hydrosystem.poznan.pl/ |
| Hydrosystem--Control System | Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database.This issue was fixed in Hydrosystem Control System version 9.8.5 | 2026-04-09 | not yet calculated | CVE-2026-34185 | https://cert.pl/posts/2026/04/CVE-2026-4901/ https://www.hydrosystem.poznan.pl/ |
| Apache Software Foundation--Apache ActiveMQ Broker | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue | 2026-04-07 | not yet calculated | CVE-2026-34197 | https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36. | 2026-04-06 | not yet calculated | CVE-2026-34211 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an unexpected and undesired exploit. While this could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution. This vulnerability is fixed in 0.8.36. | 2026-04-06 | not yet calculated | CVE-2026-34217 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-hg73-4w7g-q96w |
| zammad--zammad | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (means they can see each other's tickets) could see fields which are not intended for customers - including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They are not able to modify these field. This vulnerability is fixed in 7.0.1. | 2026-04-08 | not yet calculated | CVE-2026-34248 | https://github.com/zammad/zammad/security/advisories/GHSA-prww-84vh-w978 |
| Sonatype--Nexus Repository | A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction. | 2026-04-08 | not yet calculated | CVE-2026-3438 | https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/50609137161363 |
| scoder--lupa | Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution. | 2026-04-06 | not yet calculated | CVE-2026-34444 | https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm |
| Python Software Foundation--CPython | When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data. | 2026-04-10 | not yet calculated | CVE-2026-3446 | https://github.com/python/cpython/pull/145267 https://github.com/python/cpython/issues/145264 https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/ https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474 https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa |
| Apache Software Foundation--Apache Log4j Core | The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested <Ssl> element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue. | 2026-04-10 | not yet calculated | CVE-2026-34477 | https://github.com/apache/logging-log4j2/pull/4075 https://logging.apache.org/security.html#CVE-2026-34477 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4 |
| Apache Software Foundation--Apache Log4j Core | Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue. | 2026-04-10 | not yet calculated | CVE-2026-34478 | https://github.com/apache/logging-log4j2/pull/4074 https://logging.apache.org/security.html#CVE-2026-34478 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt |
| Apache Software Foundation--Apache Log4j 1 to Log4j 2 bridge | The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge. | 2026-04-10 | not yet calculated | CVE-2026-34479 | https://github.com/apache/logging-log4j2/pull/4078 https://logging.apache.org/security.html#CVE-2026-34479 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on |
| Apache Software Foundation--Apache Log4j Core | Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output. | 2026-04-10 | not yet calculated | CVE-2026-34480 | https://github.com/apache/logging-log4j2/pull/4077 https://logging.apache.org/security.html#CVE-2026-34480 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb |
| Apache Software Foundation--Apache Log4j JSON Template Layout | Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue. | 2026-04-10 | not yet calculated | CVE-2026-34481 | https://github.com/apache/logging-log4j2/pull/4080 https://logging.apache.org/security.html#CVE-2026-34481 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/manual/json-template-layout.html https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv |
| Apache Software Foundation--Apache Tomcat | Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-34483 | https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b |
| Apache Software Foundation--Apache Tomcat | Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-34486 | https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly |
| Apache Software Foundation--Apache Tomcat | Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-34487 | https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h |
| Apache Software Foundation--Apache Tomcat | CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue. | 2026-04-09 | not yet calculated | CVE-2026-34500 | https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2 |
| Apache Software Foundation--Apache Airflow | Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only. Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results. Users are recommended to upgrade to Apache Airflow 3.2.0 which resolves this issue. | 2026-04-09 | not yet calculated | CVE-2026-34538 | https://github.com/apache/airflow/pull/64415 https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl |
| randombit--botan | Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. , This vulnerability is fixed in 3.11.1. | 2026-04-07 | not yet calculated | CVE-2026-34580 | https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827 |
| randombit--botan | Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1. | 2026-04-07 | not yet calculated | CVE-2026-34582 | https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. | 2026-04-06 | not yet calculated | CVE-2026-34588 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. | 2026-04-06 | not yet calculated | CVE-2026-34589 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 |
| Checkmk GmbH--Checkmk | Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard. | 2026-04-07 | not yet calculated | CVE-2026-3466 | https://checkmk.com/werk/19033 https://www.vulncheck.com/advisories/checkmk-stored-cross-site-scripting-in-dashlet-title |
| zammad--zammad | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI is rendering this content, due to applied CSP rules no harm was done by e.g., clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34718 | https://github.com/zammad/zammad/security/advisories/GHSA-c2cf-9fc7-jhf3 |
| zammad--zammad | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loop back addresses, or link-local addresses - only the URL scheme (HTTP/HTTPS) as well as the hostname was checked. This could end up in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34719 | https://github.com/zammad/zammad/security/advisories/GHSA-2vgc-vfh2-rw75 |
| zammad--zammad | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34720 | https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7 |
| zammad--zammad | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34721 | https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c |
| zammad--zammad | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34722 | https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8 |
| zammad--zammad | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34723 | https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727 |
| zammad--zammad | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege administrative configuration). This vulnerability is fixed in 7.0.1. | 2026-04-08 | not yet calculated | CVE-2026-34724 | https://github.com/zammad/zammad/security/advisories/GHSA-fg9w-jg8f-4j94 |
| zammad--zammad | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a user is privileged to use the text tool, resulting in being able to use it in all situations. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34782 | https://github.com/zammad/zammad/security/advisories/GHSA-96r7-29c8-2j7q |
| zammad--zammad | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, he REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied to be used in the AI prompt were not checked if they are accessible for the current user. This leads to having data present in the AI prompt that were not authorized before being used. A user needs to have ticket.agent permission to be able to use the provided context data. This vulnerability is fixed in 7.0.1. | 2026-04-08 | not yet calculated | CVE-2026-34837 | https://github.com/zammad/zammad/security/advisories/GHSA-89vv-6639-wcv8 |
n/a
Vulnerability Summary for the Week of February 2, 2026
Posted on Monday February 09, 2026
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Insaat--Fikir Odalari AdminPando | A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation). | 2026-02-03 | 10 | CVE-2025-10878 | https://onurcangenc.com.tr/posts/cve-2025-10878-sql-authentication-bypass-in-fikir-odalar%C4%B1-adminpando/ https://github.com/onurcangnc/CVE-2025-10878-AdminPandov1.0.1-SQLi |
| Zenitel--TCIS-3+ | This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file name of an uploaded file. | 2026-02-04 | 10 | CVE-2025-59818 | Zenitel Release Notes Turbine Zenitel Security Advisory Zenitel Release Notes Fortitude8 Zenitel Release Notes ZIPS Zenitel Release Notes Fortitude6 Zenitel Release Notes Display Series |
| n/a--Docan[.]co | Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system. | 2026-02-03 | 10 | CVE-2025-70841 | https://codecanyon.net/item/dokans-multitenancy-based-ecommerce-platform-saas/31122915 https://github.com/cod3rLucas/security-advisories/blob/main/CVE-2025-70841.md |
| Synectix--LAN 232 TRIO | The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter exposes its web management interface without requiring authentication, allowing unauthenticated users to modify critical device settings or factory reset the device. | 2026-02-03 | 10 | CVE-2026-1633 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-034-04.json |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0. | 2026-02-02 | 10 | CVE-2026-23515 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27. | 2026-02-02 | 10 | CVE-2026-25142 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7 https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3 https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0. | 2026-02-03 | 10 | CVE-2026-25510 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25520 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4 https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties, enabling host Object.prototype pollution and persistent cross-sandbox impact. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25586 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-jjpw-65fv-8g48 https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25587 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-66h4-qj4x-38xp https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 |
| microsoft--semantic-kernel | Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.70.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.70.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed. | 2026-02-06 | 10 | CVE-2026-25592 | https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4 https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64 |
| WaterFutures--EPyT-Flow | EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow's REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1. | 2026-02-06 | 10 | CVE-2026-25632 | https://github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68 https://github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385 https://github.com/WaterFutures/EPyT-Flow/releases/tag/v0.16.1 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for when the key is used for the actual property access. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25641 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7x3h-rm86-3342 https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 https://github.com/nyariv/SandboxJS/blob/6103d7147c4666fe48cfda58a4d5f37005b43754/src/executor.ts#L304-L304 |
| StreamRipper--StreamRipper32 | StreamRipper32 version 2.6 contains a buffer overflow vulnerability in the Station/Song Section that allows attackers to overwrite memory by manipulating the SongPattern input. Attackers can craft a malicious payload exceeding 256 bytes to potentially execute arbitrary code and compromise the application. | 2026-02-03 | 9.8 | CVE-2020-37065 | ExploitDB-48517 StreamRipper Vendor Homepage VulnCheck Advisory: StreamRipper32 2.6 - Buffer Overflow |
| GoldWave--GoldWave | GoldWave 5.70 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting malicious input in the File Open URL dialog. Attackers can generate a specially crafted text file with Unicode-encoded shellcode to trigger a stack-based overflow and execute commands when the file is opened. | 2026-02-03 | 9.8 | CVE-2020-37066 | ExploitDB-48510 Official Vendor Homepage VulnCheck Advisory: GoldWave 5.70 – Buffer Overflow (SEH Unicode) |
| Utillyty--Filetto | Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers to crash the service. Attackers can send an oversized FEAT command with 11,008 bytes of repeated characters to trigger a buffer overflow and terminate the FTP service. | 2026-02-03 | 9.8 | CVE-2020-37067 | ExploitDB-48503 Vendor Homepage Software Project Repository VulnCheck Advisory: Filetto 1.0 - 'FEAT' Denial of Service |
| Konica Minolta--FTP Utility | Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the LIST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute unauthorized code. | 2026-02-03 | 9.8 | CVE-2020-37068 | ExploitDB-48501 Konica Minolta FTP Utility Download Page Konica Minolta Vendor Homepage VulnCheck Advisory: Konica Minolta FTP Utility 1.0 - 'LIST' Denial of Service |
| Konica Minolta--FTP Utility | Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the NLST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute unauthorized code. | 2026-02-03 | 9.8 | CVE-2020-37069 | ExploitDB-48502 Konica Minolta FTP Utility Download Page Konica Minolta Vendor Homepage VulnCheck Advisory: Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service |
| CloudMe--CloudMe | CloudMe 1.11.2 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code through crafted network packets. Attackers can exploit the vulnerability by sending a specially crafted payload to the CloudMe service running on port 8888, enabling remote code execution. | 2026-02-03 | 9.8 | CVE-2020-37070 | ExploitDB-48499 CloudMe Official Homepage VulnCheck Advisory: CloudMe 1.11.2 - Buffer Overflow (SEH,DEP,ASLR) |
| CraftCMS--CraftCMS | CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request. | 2026-02-03 | 9.8 | CVE-2020-37071 | ExploitDB-48492 Official CraftCMS Vendor Homepage CraftCMS vCard Plugin Page Researcher Exploit Disclosure VulnCheck Advisory: CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution |
| LizardSystems--Remote Desktop Audit | Remote Desktop Audit 2.3.0.157 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code during the Add Computers Wizard file import process. Attackers can craft a malicious payload file to trigger a structured exception handler (SEH) bypass and execute shellcode when importing computer lists. | 2026-02-03 | 9.8 | CVE-2020-37074 | ExploitDB-48465 Remote Desktop Audit Product Webpage VulnCheck Advisory: Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH) |
| LizardSystems--LanSend | LanSend 3.2 contains a buffer overflow vulnerability in the Add Computers Wizard file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious payload file to trigger a structured exception handler (SEH) overwrite and execute shellcode when importing computers from a file. | 2026-02-03 | 9.8 | CVE-2020-37075 | ExploitDB-48461 LanSend Product Webpage VulnCheck Advisory: LanSend 3.2 - Buffer Overflow (SEH) |
| luiswang--webTareas | webTareas 2.0.p8 contains a file deletion vulnerability in the print_layout.php administration component that allows authenticated attackers to delete arbitrary files. Attackers can exploit the vulnerability by manipulating the 'atttmp1' parameter to specify and delete files on the server through an unauthenticated file deletion mechanism. | 2026-02-03 | 9.8 | CVE-2020-37080 | ExploitDB-48430 webTareas Project Homepage VulnCheck Advisory: webTareas 2.0.p8 - Arbitrary File Deletion |
| Weberp--webERP | webERP 4.15.1 contains an unauthenticated file access vulnerability that allows remote attackers to download database backup files without authentication. Attackers can directly access generated backup files in the companies/weberp/ directory by requesting the Backup_[timestamp].sql.gz file. | 2026-02-03 | 9.8 | CVE-2020-37082 | ExploitDB-48420 Official webERP Vendor Homepage webERP SourceForge Project Page VulnCheck Advisory: webERP 4.15.1 - Unauthenticated Backup File Access |
| Arox--School ERP Pro | School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server. | 2026-02-03 | 9.8 | CVE-2020-37090 | ExploitDB-48392 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 - Remote Code Execution |
| EspoCRM--EspoCRM | EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges. | 2026-02-03 | 9.8 | CVE-2020-37094 | ExploitDB-48376 EspoCRM Official Vendor Homepage VulnCheck Advisory: EspoCRM 5.8.5 - Privilege Escalation |
| Cyberoam--Cyberoam Authentication Client | Cyberoam Authentication Client 2.1.2.7 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) memory. Attackers can craft a malicious input in the 'Cyberoam Server Address' field to trigger a bind TCP shell on port 1337 with system-level access. | 2026-02-06 | 9.8 | CVE-2020-37095 | ExploitDB-48148 Archived Cyberoam Authentication Client Software VulnCheck Advisory: Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH) |
| Nsasoft--Nsauditor | Nsauditor 3.0.28 and 3.2.1.0 contains a buffer overflow vulnerability in the DNS Lookup tool that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious DNS query payload to trigger a three-byte overwrite, bypass ASLR, and execute shellcode through a carefully constructed exploit. | 2026-02-05 | 9.8 | CVE-2020-37119 | ExploitDB-48350 Nsauditor Homepage VulnCheck Advisory: Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite)) |
| Rubo Medical Imaging--Rubo DICOM Viewer | Rubo DICOM Viewer 2.0 contains a buffer overflow vulnerability in the DICOM server name input field that allows attackers to overwrite Structured Exception Handler (SEH). Attackers can craft a malicious text file with carefully constructed payload to execute arbitrary code by overwriting SEH and triggering remote code execution. | 2026-02-05 | 9.8 | CVE-2020-37120 | ExploitDB-48351 Archived Rubo DICOM Viewer Product Page VulnCheck Advisory: Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH) |
| wcchandler--Pinger | Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters. | 2026-02-05 | 9.8 | CVE-2020-37123 | ExploitDB-48323 Pinger GitHub Repository VulnCheck Advisory: Pinger 1.0 - Remote Code Execution |
| 4Mhz--B64dec | B64dec 1.1.2 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) with crafted input. Attackers can leverage an egg hunter technique and carefully constructed payload to inject and execute malicious code during base64 decoding process. | 2026-02-05 | 9.8 | CVE-2020-37124 | ExploitDB-48317 Product Webpage VulnCheck Advisory: B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter) |
| EDIMAX Technology--EW-7438RPn Mini | Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit the vulnerability by sending crafted POST requests with command injection payloads to download and execute malicious scripts on the device. | 2026-02-05 | 9.8 | CVE-2020-37125 | ExploitDB-48318 Edimax EW-7438RPn Mini Product Page VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution |
| Drive Software Company--Free Desktop Clock | Free Desktop Clock 3.0 contains a stack overflow vulnerability in the Time Zones display name input that allows attackers to overwrite Structured Exception Handler (SEH) registers. Attackers can exploit the vulnerability by crafting a malicious Unicode input that triggers an access violation and potentially execute arbitrary code. | 2026-02-05 | 9.8 | CVE-2020-37126 | ExploitDB-48314 Vendor Homepage VulnCheck Advisory: Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH) |
| Microvirt--Memu Play | Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file modification permissions. | 2026-02-05 | 9.8 | CVE-2020-37129 | ExploitDB-48283 Memu Play Official Homepage VulnCheck Advisory: Memu Play 7.1.3 - Insecure Folder Permissions |
| 10-Strike Software--Network Inventory Explorer | 10-Strike Network Inventory Explorer 9.03 contains a buffer overflow vulnerability in the file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious text file with carefully constructed payload to trigger a stack-based buffer overflow and bypass data execution prevention through a ROP chain. | 2026-02-05 | 9.8 | CVE-2020-37138 | ExploitDB-48264 10-Strike Software Homepage 10-Strike Network Inventory Explorer Product Page VulnCheck Advisory: 10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP) |
| Parallaxis--Cuckoo Clock | Parallaxis Cuckoo Clock 5.0 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory registers in the alarm scheduling feature. Attackers can craft a malicious payload exceeding 260 bytes to overwrite EIP and EBP, enabling shellcode execution with potential remote code execution. | 2026-02-06 | 9.8 | CVE-2020-37159 | ExploitDB-48087 Vendor Homepage VulnCheck Advisory: Cuckoo Clock 5.0 - Buffer Overflow |
| Wedding Slideshow Studio--Wedding Slideshow Studio | Wedding Slideshow Studio 1.36 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the registration name field with malicious payload. Attackers can craft a specially designed payload to trigger remote code execution, demonstrating the ability to run system commands like launching the calculator. | 2026-02-06 | 9.8 | CVE-2020-37161 | ExploitDB-48050 Wedding Slideshow Studio Official Homepage VulnCheck Advisory: Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow |
| Wedding Slideshow Studio--Wedding Slideshow Studio | Wedding Slideshow Studio 1.36 contains a buffer overflow vulnerability in the registration key input that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload of 1608 bytes to trigger a stack-based buffer overflow and execute commands through the registration key field. | 2026-02-06 | 9.8 | CVE-2020-37162 | ExploitDB-48028 Archived Wedding Slideshow Studio Webpage VulnCheck Advisory: Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow |
| Innomic--VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced. | 2026-02-02 | 9.8 | CVE-2022-50981 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| IBM--Common Cryptographic Architecture | IBM Common Cryptographic Architecture (CCA) 7.5.52 and 8.4.82 could allow an unauthenticated user to execute arbitrary commands with elevated privileges on the system. | 2026-02-04 | 9.8 | CVE-2025-13375 | https://www.ibm.com/support/pages/node/7259625 |
| jayarsiech--JAY Login & Register | The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_login_register_ajax_create_final_user' function. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator. | 2026-02-08 | 9.8 | CVE-2025-15027 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b08198a6-10e8-44ca-a1c5-8d987d85c469?source=cve https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.5.01/includes/jay-login-register-ajax-handler.php#L788 |
| Emit Informatics and Communication Technologies Industry and Trade Ltd. Co.--DIGITA Efficiency Management System | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Emit Informatics and Communication Technologies Industry and Trade Ltd. Co. DIGITA Efficiency Management System allows SQL Injection. This issue affects DIGITA Efficiency Management System: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 9.8 | CVE-2025-5319 | https://www.usom.gov.tr/bildirim/tr-26-0016 |
| Martcode Software Inc.--Delta Course Automation | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martcode Software Inc. Delta Course Automation allows SQL Injection. This issue affects Delta Course Automation: through 04022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-04 | 9.8 | CVE-2025-5329 | https://www.usom.gov.tr/bildirim/tr-26-0018 |
| Unstructured-IO--unstructured | The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18. | 2026-02-04 | 9.8 | CVE-2025-64712 | https://github.com/Unstructured-IO/unstructured/security/advisories/GHSA-gm8q-m8mv-jj5m https://github.com/Unstructured-IO/unstructured/commit/b01d35b2373fd087d2e15162b9c021663c97155d |
| wildfirechat--im-server | Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint (/fs) that handles multipart file uploads but fails to properly sanitize the filename provided by the user. Specifically, the writeFileUploadData method directly concatenates the configured storage directory with the filename extracted from the upload request without stripping directory traversal sequences (e.g., ../../). This vulnerability allows an attacker to write arbitrary files to any location on the server's filesystem where the application process has write permissions. By uploading malicious files (such as scripts, executables, or overwriting configuration files like authorized_keys or cron jobs), an attacker can achieve Remote Code Execution (RCE) and completely compromise the server. This vulnerability is fixed in 1.4.3. | 2026-02-02 | 9.8 | CVE-2025-66480 | https://github.com/wildfirechat/im-server/security/advisories/GHSA-74hq-jhx2-fq6c https://github.com/wildfirechat/im-server/commit/2f9c4e028c01c64913cab32e7248bcca183a5230 https://github.com/wildfirechat/im-server/releases/tag/1.4.3 |
| revmakx--WP Duplicate WordPress Migration Plugin | The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution. | 2026-02-06 | 9.8 | CVE-2026-1499 | https://www.wordfence.com/threat-intel/vulnerabilities/id/11bb7190-023b-45e1-99a5-7313c489ef45?source=cve https://cwe.mitre.org/data/definitions/862.html https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-admin.php#L422 https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-admin.php#L422 https://plugins.trac.wordpress.org/browser/local-sync/trunk/includes/class-local-sync-handle-server-requests.php#L389 https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/includes/class-local-sync-handle-server-requests.php#L389 https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-files-op.php#L843 https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-files-op.php#L843 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3452904%40local-sync&old=3400317%40local-sync&sfp_email=&sfph_mail= |
| Rapid7--Vulnerability Management | Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM. | 2026-02-03 | 9.6 | CVE-2026-1568 | https://docs.rapid7.com/insight/command-platform-release-notes/ |
| RISS SRL--MOMA Seismic Station | MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device. | 2026-02-03 | 9.1 | CVE-2026-1632 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-034-03.json |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate. | 2026-02-06 | 9.4 | CVE-2026-1709 | RHSA-2026:2224 RHSA-2026:2225 RHSA-2026:2298 https://access.redhat.com/security/cve/CVE-2026-1709 RHBZ#2435514 |
| IP-COM--W30AP | A vulnerability was detected in IP-COM W30AP up to 1.0.0.11(1340). Affected by this issue is the function R7WebsSecurityHandler of the file /goform/wx3auth of the component POST Request Handler. The manipulation of the argument data results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 9.8 | CVE-2026-2017 | VDB-344599 | IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow VDB-344599 | CTI Indicators (IOB, IOC, IOA) Submit #744062 | IP-COM W30APv4.0 <= v1.0.0.11(1340) Stack-based Buffer Overflow Submit #744063 | IP-COM W30APv4.0 <= v1.0.0.11(1340) Stack-based Buffer Overflow (Duplicate) https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md#poc |
| Fortinet--FortiClientEMS | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | 2026-02-06 | 9.1 | CVE-2026-21643 | https://fortiguard.fortinet.com/psirt/FG-IR-25-1142 |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1. | 2026-02-02 | 9.8 | CVE-2026-22778 | https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv https://github.com/vllm-project/vllm/pull/31987 https://github.com/vllm-project/vllm/pull/32319 https://github.com/vllm-project/vllm/releases/tag/v0.14.1 |
| Microsoft--Azure Front Door | Azure Front Door Elevation of Privilege Vulnerability | 2026-02-05 | 9.8 | CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability |
| NixOS--nixpkgs | The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoos file store. Unauthorized access is evident from http requests. If kept, searching access logs and/or Odoos log for requests to /web/database can give indicators, if this has been actively exploited. The database manager is a featured intended for development and not meant to be publicly reachable. On other setups, a master password acts as 2nd line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web-UI. This means, the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05. | 2026-02-02 | 9.1 | CVE-2026-25137 | https://github.com/NixOS/nixpkgs/security/advisories/GHSA-cwmq-6wv5-f3px https://github.com/NixOS/nixpkgs/pull/485310 https://github.com/NixOS/nixpkgs/pull/485454 |
| QwikDev--qwik | Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0. | 2026-02-03 | 9.3 | CVE-2026-25150 | https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7 |
| AlistGo--alist | Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0. | 2026-02-04 | 9.1 | CVE-2026-25160 | https://github.com/AlistGo/alist/security/advisories/GHSA-8jmm-3xwx-w974 https://github.com/AlistGo/alist/commit/69629ca76a8f2c8c973ede3b616f93aa26ff23fb |
| Samsung Electronics--MagicINFO 9 Server | A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9 Server: less than 21.1090.1. | 2026-02-02 | 9.8 | CVE-2026-25200 | https://security.samsungtv.com/securityUpdates |
| Samsung Electronics--MagicINFO 9 Server | The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. | 2026-02-02 | 9.8 | CVE-2026-25202 | https://security.samsungtv.com/securityUpdates |
| maziggy--bambuddy | Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7. | 2026-02-04 | 9.8 | CVE-2026-25505 | https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf https://github.com/maziggy/bambuddy/pull/225 https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9 https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28 https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md https://github.com/maziggy/bambuddy/releases/tag/v0.1.7 |
| HubSpot--jinjava | JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3. | 2026-02-04 | 9.8 | CVE-2026-25526 | https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74 https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998 https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441 https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6 https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3 |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5. | 2026-02-04 | 9.1 | CVE-2026-25539 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9 https://github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb |
| payloadcms--payload | Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0. | 2026-02-06 | 9.8 | CVE-2026-25544 | https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8 |
| blakeblackshear--frigate | Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4. | 2026-02-06 | 9.1 | CVE-2026-25643 | https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x https://github.com/blakeblackshear/frigate/releases/tag/v0.16.4 |
| denpiligrim--3dp-manager | 3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2. | 2026-02-06 | 9.8 | CVE-2026-25803 | https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248 |
| OXID-eSales--OXID eShop | OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs. | 2026-02-03 | 8.2 | CVE-2019-25260 | ExploitDB-48527 Official OXID eShop Vendor Homepage OXID eShop Community Edition GitHub Repository Archived Researcher Disclosure Archived RIPSTech Security Blog OXID eShop Bug Tracking Entry VulnCheck Advisory: OXID eShop 6.3.4 - 'sorting' SQL Injection |
| VictorAlagwu--CMSsite | Victor CMS 1.0 contains an authenticated file upload vulnerability that allows administrators to upload PHP files with arbitrary content through the user_image parameter. Attackers can upload a malicious PHP shell to the /img/ directory and execute system commands by accessing the uploaded file with a 'cmd' parameter. | 2026-02-03 | 8.8 | CVE-2020-37073 | ExploitDB-48490 Victor CMS Project Repository VulnCheck Advisory: Victor CMS 1.0 - Authenticated Arbitrary File Upload |
| VictorAlagwu--CMSsite | Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted UNION SELECT payloads to extract database information through boolean-based, error-based, and time-based injection techniques. | 2026-02-03 | 8.2 | CVE-2020-37076 | ExploitDB-48451 Victor CMS GitHub Repository VulnCheck Advisory: Victor CMS 1.0 - 'post' SQL Injection |
| i-doit GmbH--i-doit Open Source CMDB | i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem. | 2026-02-03 | 8.8 | CVE-2020-37078 | ExploitDB-48427 Official Vendor Homepage i-doit SourceForge Project VulnCheck Advisory: i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion |
| chatelao--PHP Address Book | PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the photo.php endpoint. | 2026-02-03 | 8.2 | CVE-2020-37083 | ExploitDB-48416 SourceForge Product Page VulnCheck Advisory: addressbook 9.0.0.1 - 'id' SQL Injection |
| Arox--School ERP Pro | School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete database information. | 2026-02-03 | 8.2 | CVE-2020-37089 | ExploitDB-48390 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 - 'es_messagesid' SQL Injection |
| Davidvg--60CycleCMS | 60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract or modify database contents. This issue does not involve cross-site scripting. | 2026-02-03 | 8.2 | CVE-2020-37110 | ExploitDB-48177 Software Download Link VulnCheck Advisory: 60CycleCMS 2.5.2 - 'news.php' SQL Injection Vulnerability |
| Openeclass--GUnet OpenEclass | GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intended file type checks in the exercise submission feature. | 2026-02-03 | 8.8 | CVE-2020-37113 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - File Upload Extension Bypass |
| Openeclass--GUnet OpenEclass | GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise. | 2026-02-03 | 8.8 | CVE-2020-37116 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - phpMyAdmin Remote Access |
| jizhiCMS--jizhiCMS | jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads. | 2026-02-05 | 8.8 | CVE-2020-37117 | ExploitDB-48361 Official Vendor Homepage VulnCheck Advisory: jizhiCMS 1.6.7 - Arbitrary File Download |
| Odin-Secure-Ftp-Expert--Odin Secure FTP Expert | Odin Secure FTP Expert 7.6.3 contains a local denial of service vulnerability that allows attackers to crash the application by manipulating site information fields. Attackers can generate a buffer overflow by pasting 108 bytes of repeated characters into connection fields, causing the application to crash. | 2026-02-05 | 8.4 | CVE-2020-37139 | ExploitDB-48262 Archived Software Download VulnCheck Advisory: Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service |
| AMSS++--AMSS++ | AMSS++ version 4.31 contains a SQL injection vulnerability in the mail module's maildetail.php script through the 'id' parameter. Attackers can manipulate the 'id' parameter in /modules/mail/main/maildetail.php to inject malicious SQL queries and potentially access or modify database contents. | 2026-02-06 | 8.2 | CVE-2020-37141 | ExploitDB-48109 VulnCheck Advisory: AMSS++ v 4.31 - 'id' SQL Injection |
| 10-Strike Software--Network Inventory Explorer | 10-Strike Network Inventory Explorer 8.54 contains a structured exception handler buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting SEH records. Attackers can craft a malicious payload targeting the 'Computer' parameter during the 'Add' function to trigger remote code execution. | 2026-02-05 | 8.4 | CVE-2020-37142 | ExploitDB-48253 10-Strike Software Homepage Archived Researcher Blog VulnCheck Advisory: 10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH) |
| EDIMAX Technology--EW-7438RPn Mini | Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's privileges. | 2026-02-05 | 8.1 | CVE-2020-37149 | ExploitDB-48318 Edimax EW-7438RPn Mini Product Page VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Cross-Site Request Forgery (CSRF) to Command Execution |
| Ciprianmp--phpMyChat Plus | phpMyChat Plus 1.98 contains a SQL injection vulnerability in the deluser.php page through the pmc_username parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to extract sensitive database information by crafting malicious payloads in the username field. | 2026-02-05 | 8.2 | CVE-2020-37151 | ExploitDB-48066 Vendor Homepage VulnCheck Advisory: phpMyChat Plus 1.98 'deluser.php' SQL Injection |
| QuickDate--QuickDate | QuickDate 1.3.2 contains a SQL injection vulnerability that allows remote attackers to manipulate database queries through the '_located' parameter in the find_matches endpoint. Attackers can inject UNION-based SQL statements to extract database information including user credentials, database name, and system version. | 2026-02-06 | 8.2 | CVE-2020-37163 | ExploitDB-48022 Archived QuickDate Script Webpage VulnCheck Advisory: QuickDate 1.3.2 - SQL Injection |
| Innomic--VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled. | 2026-02-02 | 8.8 | CVE-2022-50975 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Mitsubishi Electric Corporation--FREQSHIP-mini for Windows | Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation FREQSHIP-mini for Windows versions 8.0.0 to 8.0.2 allows a local attacker to execute arbitrary code with system privileges by replacing service executable files (EXE) or DLLs in the installation directory with specially crafted files. As a result, the attacker may be able to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a Denial of Service (DoS) condition on the affected system. | 2026-02-05 | 8.8 | CVE-2025-10314 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-019_en.pdf https://jvn.jp/jp/JVN64883963/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-01 |
| roxnor--Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Vulnerability was patched in version 2.2.1 for unauthenticated users, and fully patched in version 2.2.3 for Administrator+ level users. | 2026-02-04 | 8.2 | CVE-2025-13192 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9db1dfde-0cba-41b2-ab7a-a1640e5fd96b?source=cve https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L50 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L133 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L382 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L413 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L99 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L133 |
| IBM--Aspera Console | IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | 2026-02-05 | 8.6 | CVE-2025-13379 | https://www.ibm.com/support/pages/node/7259448 |
| jayarsiech--JAY Login & Register | The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. | 2026-02-08 | 8.8 | CVE-2025-15100 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fb900810-23a2-4920-a5e8-4388c4474de0?source=cve https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.6.01/includes/user-panel/jay-login-register-ajax-handler-user-panel.php#L624 |
| Tanium--Deploy | Tanium addressed an improper input validation vulnerability in Deploy. | 2026-02-05 | 8.8 | CVE-2025-15330 | TAN-2025-012 |
| themeboy--SportsPress Sports Club & League Manager | The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. | 2026-02-04 | 8.8 | CVE-2025-15368 | https://www.wordfence.com/threat-intel/vulnerabilities/id/27e40af7-5697-4482-a96d-9216886c363b?source=cve https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/class-sp-shortcodes.php#L32 https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/class-sp-shortcodes.php#L182 https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/sp-core-functions.php#L68 |
| Kubernetes--ingress-nginx | A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | 2026-02-06 | 8.8 | CVE-2025-15566 | https://github.com/kubernetes/kubernetes/issues/136789 |
| Ankara Hosting Website Design--Website Software | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 8.6 | CVE-2025-6397 | https://www.usom.gov.tr/bildirim/tr-26-0014 |
| n/a--n/a | An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file. | 2026-02-03 | 8.8 | CVE-2025-65875 | http://www.fpdf.org https://github.com/Setasign/FPDF https://advisories.gitlab.com/pkg/composer/tecnickcom/tc-lib-pdf-font/CVE-2024-56520/ |
| N/A--Moodle[.]org | A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted. | 2026-02-03 | 8.1 | CVE-2025-67848 | https://access.redhat.com/security/cve/CVE-2025-67848 RHBZ#2423831 https://moodle.org/mod/forum/discuss.php?d=471298 |
| AKCE Software Technology R&D Industry and Trade Inc.--SKSPro | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection. This issue affects SKSPro: through 07012026. | 2026-02-02 | 8.6 | CVE-2025-8587 | https://www.usom.gov.tr/bildirim/tr-26-0011 |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests. | 2026-02-03 | 8.1 | CVE-2026-1375 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463 https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1&old=3339576&old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php |
| Red Hat--Red Hat Satellite 6 | A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle (MITM) attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in information disclosure and data integrity compromise. | 2026-02-02 | 8.1 | CVE-2026-1530 | https://access.redhat.com/security/cve/CVE-2026-1530 RHBZ#2433784 |
| Red Hat--Red Hat Satellite 6 | A flaw was found in foreman_kubevirt. When configuring the connection to OpenShift, the system disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set. This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite and OpenShift, to perform a Man-in-the-Middle (MITM) attack. Such an attack could lead to the disclosure or alteration of sensitive information. | 2026-02-02 | 8.1 | CVE-2026-1531 | https://access.redhat.com/security/cve/CVE-2026-1531 RHBZ#2433786 |
| Kubernetes--ingress-nginx | A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | 2026-02-03 | 8.8 | CVE-2026-1580 | https://github.com/kubernetes/kubernetes/issues/136677 |
| skirridsystems--OS DataHub Maps | The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-02-03 | 8.8 | CVE-2026-1730 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c32ba2a0-a9a7-4f17-8169-912cecc40b7b?source=cve https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L67 https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L51 https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/os-datahub-maps.php?rev=3449192#L87 https://plugins.trac.wordpress.org/changeset/3452323/os-datahub-maps |
| seezee--WP FOFT Loader | The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-02-04 | 8.8 | CVE-2026-1756 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cede8ff5-f739-4eb3-9672-5adb5d2ae0a9?source=cve https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L45 https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L31 https://plugins.trac.wordpress.org/changeset/3453101/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction. | 2026-02-02 | 8.6 | CVE-2026-1761 | RHSA-2026:1948 RHSA-2026:2005 RHSA-2026:2006 RHSA-2026:2007 RHSA-2026:2008 RHSA-2026:2049 RHSA-2026:2182 RHSA-2026:2214 RHSA-2026:2215 RHSA-2026:2216 https://access.redhat.com/security/cve/CVE-2026-1761 RHBZ#2435961 |
| Ziroom--ZHOME A0101 | A weakness has been identified in Ziroom ZHOME A0101 1.0.1.0. Impacted is an unknown function of the component Dropbear SSH Service. This manipulation causes use of default credentials. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 8.1 | CVE-2026-1803 | VDB-343976 | Ziroom ZHOME A0101 Dropbear SSH Service default credentials VDB-343976 | CTI Indicators (IOB, IOC) Submit #745497 | Ziroom Smart Ziroom Smart Gateway (ZH-A0101) ZH-A0101 1.0.1.0 Backdoor Submit #745529 | Ziroom Smart Smart Gateway ZH-A0101 ZH-A0101 1.0.1.0 Credentials Management (Duplicate) https://github.com/Blackhole23-Lab/-/blob/main/vulns/ssh-backdoor.md https://github.com/Blackhole23-Lab/-/blob/main/vulns/ssh-backdoor.md#proof-of-concept |
| Karel Electronics Industry and Trade Inc.--ViPort | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS. This issue affects ViPort: through 23012026. | 2026-02-04 | 8.8 | CVE-2026-1819 | https://www.usom.gov.tr/bildirim/tr-26-0017 |
| Cisco--Cisco Meeting Management | A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. This vulnerability is due to improper input validation in certain sections of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to upload arbitrary files to the affected system. The malicious files could overwrite system files that are processed by the root system account and allow arbitrary command execution with root privileges. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of video operator. | 2026-02-04 | 8.8 | CVE-2026-20098 | cisco-sa-cmm-file-up-kY47n8kK |
| UTT-- 520W | A weakness has been identified in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formIpGroupConfig. Executing a manipulation of the argument groupName can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2066 | VDB-344633 | UTT 进取 520W formIpGroupConfig strcpy buffer overflow VDB-344633 | CTI Indicators (IOB, IOC, IOA) Submit #745260 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/36.md https://github.com/cymiao1978/cve/blob/main/new/36.md#poc |
| UTT-- 520W | A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/formTimeGroupConfig. The manipulation of the argument year1 leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2067 | VDB-344634 | UTT 进取 520W formTimeGroupConfig strcpy buffer overflow VDB-344634 | CTI Indicators (IOB, IOC, IOA) Submit #745261 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/37.md https://github.com/cymiao1978/cve/blob/main/new/37.md#poc |
| UTT-- 520W | A vulnerability was detected in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/formSyslogConf. The manipulation of the argument ServerIp results in buffer overflow. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2068 | VDB-344635 | UTT 进取 520W formSyslogConf strcpy buffer overflow VDB-344635 | CTI Indicators (IOB, IOC, IOA) Submit #745262 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/38.md https://github.com/cymiao1978/cve/blob/main/new/38.md#poc |
| UTT-- 520W | A vulnerability has been found in UTT 进取 520W 1.7.7-180627. The affected element is the function strcpy of the file /goform/formPolicyRouteConf. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2070 | VDB-344637 | UTT 进取 520W formPolicyRouteConf strcpy buffer overflow VDB-344637 | CTI Indicators (IOB, IOC, IOA) Submit #745264 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/39.md |
| UTT-- 520W | A vulnerability was found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formP2PLimitConfig. Performing a manipulation of the argument except results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 8.8 | CVE-2026-2071 | VDB-344638 | UTT 进取 520W formP2PLimitConfig strcpy buffer overflow VDB-344638 | CTI Indicators (IOB, IOC, IOA) Submit #745265 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/40.md |
| UTT--HiPER 810G | A vulnerability was detected in UTT HiPER 810G up to 1.7.7-171114. Affected by this vulnerability is the function strcpy of the file /goform/formFireWall of the component Management Interface. The manipulation of the argument GroupName results in buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 8.8 | CVE-2026-2086 | VDB-344653 | UTT HiPER 810G Management formFireWall strcpy buffer overflow VDB-344653 | CTI Indicators (IOB, IOC, IOA) Submit #746502 | UTT (AiTai) HiPER 810G <= v3v1.7.7-171114 Buffer Overflow https://github.com/alc9700jmo/CVE/issues/22 https://github.com/alc9700jmo/CVE/issues/22#issue-3851242657 |
| Tenda--TX3 | A vulnerability has been found in Tenda TX3 up to 16.03.13.11_multi. This impacts an unknown function of the file /goform/SetIpMacBind. The manipulation of the argument list leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 8.8 | CVE-2026-2137 | VDB-344772 | Tenda TX3 SetIpMacBind buffer overflow VDB-344772 | CTI Indicators (IOB, IOC, IOA) Submit #747239 | Tenda TX3 V16.03.13.11_multi Buffer Overflow https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx3/fromSetIpMacBind.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx3/fromSetIpMacBind.md#poc https://www.tenda.com.cn/ |
| Tenda--TX9 | A vulnerability was found in Tenda TX9 up to 22.03.02.10_multi. Affected is the function sub_42D03C of the file /goform/SetStaticRouteCfg. The manipulation of the argument list results in buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-02-08 | 8.8 | CVE-2026-2138 | VDB-344773 | Tenda TX9 SetStaticRouteCfg sub_42D03C buffer overflow VDB-344773 | CTI Indicators (IOB, IOC, IOA) Submit #747249 | Tenda TX9 V22.03.02.10_multi Buffer Overflow https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/SetStaticRouteCfg.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/SetStaticRouteCfg.md#poc https://www.tenda.com.cn/ |
| Tenda--TX9 | A vulnerability was determined in Tenda TX9 up to 22.03.02.10_multi. Affected by this vulnerability is the function sub_432580 of the file /goform/fast_setting_wifi_set. This manipulation of the argument ssid causes buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 8.8 | CVE-2026-2139 | VDB-344774 | Tenda TX9 fast_setting_wifi_set sub_432580 buffer overflow VDB-344774 | CTI Indicators (IOB, IOC, IOA) Submit #747250 | Tenda TX9 V22.03.02.10_multi Buffer Overflow https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/fast_setting_wifi_set.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/fast_setting_wifi_set.md#poc https://www.tenda.com.cn/ |
| Tenda--TX9 | A vulnerability was identified in Tenda TX9 up to 22.03.02.10_multi. Affected by this issue is the function sub_4223E0 of the file /goform/setMacFilterCfg. Such manipulation of the argument deviceList leads to buffer overflow. The attack may be launched remotely. The exploit is publicly available and might be used. | 2026-02-08 | 8.8 | CVE-2026-2140 | VDB-344775 | Tenda TX9 setMacFilterCfg sub_4223E0 buffer overflow VDB-344775 | CTI Indicators (IOB, IOC, IOA) Submit #747251 | Tenda TX9 V22.03.02.10_multi Buffer Overflow Submit #749747 | Tenda TX9 V22.03.02.18 Stack-based Buffer Overflow (Duplicate) https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/setMacFilterCfg.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/setMacFilterCfg.md#poc https://www.tenda.com.cn/ |
| Microsoft--Azure Functions | Azure Function Information Disclosure Vulnerability | 2026-02-05 | 8.2 | CVE-2026-21532 | Azure Function Information Disclosure Vulnerability |
| Tenda--RX3 | A vulnerability was identified in Tenda RX3 16.03.13.11. Affected is an unknown function of the file /goform/fast_setting_wifi_set. Such manipulation of the argument ssid_5g leads to stack-based buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-02-08 | 8.8 | CVE-2026-2180 | VDB-344883 | Tenda RX3 fast_setting_wifi_set stack-based overflow VDB-344883 | CTI Indicators (IOB, IOC, IOA) Submit #749703 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/4 https://www.tenda.com.cn/ |
| Tenda--RX3 | A security flaw has been discovered in Tenda RX3 16.03.13.11. Affected by this vulnerability is an unknown functionality of the file /goform/openSchedWifi. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 8.8 | CVE-2026-2181 | VDB-344884 | Tenda RX3 openSchedWifi stack-based overflow VDB-344884 | CTI Indicators (IOB, IOC, IOA) Submit #749710 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/5 https://www.tenda.com.cn/ |
| Tenda--RX3 | A flaw has been found in Tenda RX3 16.03.13.11. This issue affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. This manipulation of the argument devName/mac causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. | 2026-02-08 | 8.8 | CVE-2026-2185 | VDB-344888 | Tenda RX3 MAC Filtering Configuration Endpoint setBlackRule set_device_name stack-based overflow VDB-344888 | CTI Indicators (IOB, IOC, IOA) Submit #749715 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/6 https://www.tenda.com.cn/ |
| Tenda--RX3 | A vulnerability has been found in Tenda RX3 16.03.13.11. Impacted is the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument list leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 8.8 | CVE-2026-2186 | VDB-344889 | Tenda RX3 SetIpMacBind fromSetIpMacBind stack-based overflow VDB-344889 | CTI Indicators (IOB, IOC, IOA) Submit #749718 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/7 https://www.tenda.com.cn/ |
| Tenda--RX3 | A vulnerability was found in Tenda RX3 16.03.13.11. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Performing a manipulation of the argument list results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-02-08 | 8.8 | CVE-2026-2187 | VDB-344890 | Tenda RX3 formSetQosBand set_qosMib_list stack-based overflow VDB-344890 | CTI Indicators (IOB, IOC, IOA) Submit #749721 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/8 https://www.tenda.com.cn/ |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform's Stagehand integration blocks log API keys and authentication secrets in plaintext using logger.info() statements. This occurs in three separate block implementations (StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock) where the code explicitly calls api_key.get_secret_value() and logs the result. This issue has been patched in autogpt-platform-beta-v0.6.46. | 2026-02-04 | 8.1 | CVE-2026-22038 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-rc89-6g7g-v5v7 https://github.com/Significant-Gravitas/AutoGPT/commit/1eabc604842fa876c09d69af43d2d1e8fb9b8eb9 |
| opencloud-eu--reva | REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3. | 2026-02-06 | 8.2 | CVE-2026-23989 | https://github.com/opencloud-eu/reva/security/advisories/GHSA-9j2f-3rj3-wgpg https://github.com/opencloud-eu/reva/commit/95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1 |
| NeoRazorX--facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators. | 2026-02-02 | 8 | CVE-2026-23997 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h |
| Microsoft--Azure ARC | Azure Arc Elevation of Privilege Vulnerability | 2026-02-05 | 8.6 | CVE-2026-24302 | Azure Arc Elevation of Privilege Vulnerability |
| Kubernetes--ingress-nginx | A security issue was discovered in ingress-nginx cthe `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | 2026-02-03 | 8.8 | CVE-2026-24512 | https://github.com/kubernetes/kubernetes/issues/136678 |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2. | 2026-02-03 | 8.7 | CVE-2026-24665 | https://github.com/gunet/openeclass/security/advisories/GHSA-2qgm-m7fm-m888 |
| parallax--jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | 8.1 | CVE-2026-24737 | https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328 https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79 https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| clawdbot--clawdbot | OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw's Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29. | 2026-02-02 | 8.8 | CVE-2026-24763 | https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75 https://github.com/openclaw/openclaw/releases/tag/v2026.1.29 |
| chainguard-dev--melange | melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3. | 2026-02-04 | 8.2 | CVE-2026-24843 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4 https://github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612b |
| node-modules--compressing | Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor's handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1. | 2026-02-04 | 8.4 | CVE-2026-24884 | https://github.com/node-modules/compressing/security/advisories/GHSA-cc8f-xg8v-72m3 https://github.com/node-modules/compressing/commit/8d16c196c7f1888fc1af957d9ff36117247cea6c https://github.com/node-modules/compressing/commit/ce1c0131c401c071c77d5a1425bf8c88cfc16361 |
| Huawei--HarmonyOS | Out-of-bounds write vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 8.4 | CVE-2026-24926 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| Huawei--HarmonyOS | UAF concurrency vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 8.4 | CVE-2026-24930 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| OpenListTeam--OpenList | OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount. This vulnerability is fixed in 4.1.10. | 2026-02-02 | 8.8 | CVE-2026-25059 | https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-qmj2-8r24-xxcq https://github.com/OpenListTeam/OpenList/commit/7b78fed106382430c69ef351d43f5d09928fff14 https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10 |
| OpenListTeam--OpenList | OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10. | 2026-02-02 | 8.1 | CVE-2026-25060 | https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389 https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1 https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10 |
| AlistGo--alist | Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0. | 2026-02-04 | 8.8 | CVE-2026-25161 | https://github.com/AlistGo/alist/security/advisories/GHSA-x4q4-7phh-42j9 https://github.com/AlistGo/alist/commit/b188288525b9a35c76535139311e7c036dab057e |
| Samsung Electronics--MagicINFO 9 Server | An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. | 2026-02-02 | 8.8 | CVE-2026-25201 | https://security.samsungtv.com/securityUpdates |
| OpenSlides--OpenSlides | OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully login using the local login form and the OpenSlides username of a SAML user and a trivial password. This password is valid for all SAML users. This issue has been patched in version 4.2.29. | 2026-02-04 | 8.1 | CVE-2026-25519 | https://github.com/OpenSlides/OpenSlides/security/advisories/GHSA-vv4h-8wfc-pf8c https://github.com/OpenSlides/openslides-auth-service/pull/889 https://github.com/OpenSlides/openslides-auth-service/commit/70c1aa9f5e1db59ec120ecce98d1c1169350a4ee https://github.com/OpenSlides/OpenSlides/releases/tag/4.2.29 |
| pydantic--pydantic-ai | Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0. | 2026-02-06 | 8.6 | CVE-2026-25580 | https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3 https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301 |
| openclaw--openclaw | OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20. | 2026-02-06 | 8.4 | CVE-2026-25593 | https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg |
| qdrant--qdrant | Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0. | 2026-02-06 | 8.6 | CVE-2026-25628 | https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1 https://github.com/qdrant/qdrant/blob/48203e414e4e7f639a6d394fb6e4df695f808e51/src/actix/api/service_api.rs#L195 |
| kovidgoyal--calibre | calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0. | 2026-02-06 | 8.6 | CVE-2026-25635 | https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxr https://github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9 |
| kovidgoyal--calibre | calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0. | 2026-02-06 | 8.2 | CVE-2026-25636 | https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29 https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726 |
| Anydesk--AnyDesk | AnyDesk 5.4.0 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially inject malicious executables. Attackers can exploit the unquoted binary path to place malicious files in service executable locations, potentially gaining elevated system privileges. | 2026-02-03 | 7.8 | CVE-2019-25261 | ExploitDB-47883 Official Vendor Homepage VulnCheck Advisory: AnyDesk 5.4.0 - Unquoted Service Path |
| Wondershare--Wondershare Application Framework Service | Wondershare Application Framework Service 2.4.3.231 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific directory locations to hijack the service's execution context. | 2026-02-06 | 7.8 | CVE-2019-25266 | ExploitDB-47617 Vendor Homepage Software Product Page VulnCheck Advisory: Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path |
| Wftpserver--Wing FTP Server | Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. | 2026-02-04 | 7.8 | CVE-2019-25267 | ExploitDB-47818 Wing FTP Server Official Homepage VulnCheck Advisory: Wing FTP Server 6.0.7 - Unquoted Service Path |
| Netgate--Amiti Antivirus | Amiti Antivirus 25.0.640 contains an unquoted service path vulnerability in its Windows service configurations. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges by placing executable files in specific directory locations. | 2026-02-04 | 7.8 | CVE-2019-25269 | ExploitDB-47747 Vendor Homepage VulnCheck Advisory: Amiti Antivirus 25.0.640 - Unquoted Service Path Vulnerability |
| NETGATE--Data Backup | NETGATE Data Backup 3.0.620 contains an unquoted service path vulnerability in its NGDatBckpSrv Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with LocalSystem privileges by placing executable files in specific directory locations. | 2026-02-04 | 7.8 | CVE-2019-25271 | ExploitDB-47746 Vendor Homepage VulnCheck Advisory: NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path |
| Tenaxsoft--TexasSoft CyberPlanet | TexasSoft CyberPlanet 6.4.131 contains an unquoted service path vulnerability in the CCSrvProxy service that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe' to inject malicious executables and gain elevated system privileges. | 2026-02-04 | 7.8 | CVE-2019-25272 | ExploitDB-47724 Vendor Homepage VulnCheck Advisory: TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path |
| Easy-Hide-Ip--IP | Easy-Hide-IP 5.0.0.3 contains an unquoted service path vulnerability in the EasyRedirect service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe' to inject malicious executables and escalate privileges. | 2026-02-04 | 7.8 | CVE-2019-25273 | ExploitDB-47712 Vendor Homepage VulnCheck Advisory: Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path |
| Photodex--ProShow Producer | ProShow Producer 9.0.3797 contains an unquoted service path vulnerability in the ScsiAccess service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. | 2026-02-04 | 7.8 | CVE-2019-25274 | ExploitDB-47705 Vendor Homepage VulnCheck Advisory: ProShow Producer 9.0.3797 - Unquoted Service Path |
| FileHorse--BartVPN | BartVPN 1.2.2 contains an unquoted service path vulnerability in the BartVPNService that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service's execution context. | 2026-02-04 | 7.8 | CVE-2019-25275 | ExploitDB-47675 Vendor Homepage VulnCheck Advisory: BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path |
| Rockwellautomation--Studio | Studio 5000 Logix Designer 30.01.00 contains an unquoted service path vulnerability in the FactoryTalk Activation Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\ to inject malicious code that would execute with LocalSystem permissions. | 2026-02-04 | 7.8 | CVE-2019-25276 | ExploitDB-47676 Rockwell Automation Homepage VulnCheck Advisory: Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path |
| ncp-e--NCP_Secure_Entry_Client | NCP Secure Entry Client 9.2 contains an unquoted service path vulnerability in multiple Windows services that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted paths in services like ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to inject malicious code that would execute with LocalSystem privileges during service startup. | 2026-02-04 | 7.8 | CVE-2019-25281 | ExploitDB-47668 NCP Software Vendor Homepage VulnCheck Advisory: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths |
| shrew--Shrew Soft VPN Client | Shrew Soft VPN Client 2.2.2 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can place malicious executables in the unquoted service path to gain elevated access during service startup or system reboot. | 2026-02-04 | 7.8 | CVE-2019-25283 | ExploitDB-47660 Vendor Homepage VulnCheck Advisory: Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path |
| Alps--device Controller | Alps Pointing-device Controller 8.1202.1711.04 contains an unquoted service path vulnerability in the ApHidMonitorService that allows local attackers to execute code with elevated privileges. Attackers can place a malicious executable in the service path and gain system-level access when the service restarts or the system reboots. | 2026-02-04 | 7.8 | CVE-2019-25285 | ExploitDB-47637 Official Alps Homepage VulnCheck Advisory: Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path |
| Gcafe--_GCaf | GCafé 3.0 contains an unquoted service path vulnerability in the gbClientService that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with LocalSystem permissions. | 2026-02-04 | 7.8 | CVE-2019-25286 | ExploitDB-47604 GCafé Official Vendor Homepage VulnCheck Advisory: _GCafé 3.0 - 'gbClienService' Unquoted Service Path |
| Webcompanion--Adaware Web Companion version | Adaware Web Companion version 4.8.2078.3950 contains an unquoted service path vulnerability in the WCAssistantService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Lavasoft\Web Companion\Application\ to inject malicious code that would execute with LocalSystem privileges during service startup. | 2026-02-04 | 7.8 | CVE-2019-25287 | ExploitDB-47597 Adaware Web Companion Official Website VulnCheck Advisory: Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path |
| Wacom--Wacom WTabletService | Wacom WTabletService 6.6.7-3 contains an unquoted service path vulnerability that allows local attackers to execute malicious code with elevated privileges. Attackers can insert an executable file in the service path to run unauthorized code when the service restarts or the system reboots. | 2026-02-04 | 7.8 | CVE-2019-25288 | ExploitDB-47593 Wacom Official Homepage VulnCheck Advisory: Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path |
| Alps--Alps HID Monitor Service | Alps HID Monitor Service 8.1.0.10 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\Apoint2K\HidMonitorSvc.exe to inject malicious executables and gain system-level access. | 2026-02-06 | 7.8 | CVE-2019-25292 | ExploitDB-47605 Official Product Homepage VulnCheck Advisory: Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path |
| bluestacks--Blue Stacks App Player | BlueStacks App Player 2.4.44.62.57 contains an unquoted service path vulnerability in the BstHdLogRotatorSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe to inject malicious executables and escalate privileges. | 2026-02-06 | 7.8 | CVE-2019-25293 | ExploitDB-47582 Official Product Homepage VulnCheck Advisory: Blue Stacks App Player 2.4.44.62.57 - "BstHdLogRotatorSvc" Unquote Service Path |
| lolypop55--html5_snmp | html5_snmp 1.11 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through Router_ID and Router_IP parameters. Attackers can exploit error-based, time-based, and union-based injection techniques to potentially extract or modify database information by sending crafted payloads. | 2026-02-06 | 7.1 | CVE-2019-25298 | ExploitDB-47588 Vendor Homepage VulnCheck Advisory: html5_snmp 1.11 - 'Router_ID' SQL Injection |
| rimbalinux--AhadPOS | RimbaLinux AhadPOS 1.11 contains a SQL injection vulnerability in the 'alamatCustomer' parameter that allows attackers to manipulate database queries through crafted POST requests. Attackers can exploit time-based and boolean-based blind SQL injection techniques to extract information or potentially interact with the underlying database. | 2026-02-06 | 7.1 | CVE-2019-25299 | ExploitDB-47585 Vendor Homepage VulnCheck Advisory: rimbalinux AhadPOS 1.11 - 'alamatCustomer' SQL Injection |
| thejshen--Globitek CMS | thejshen Globitek CMS 1.4 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or modify database information. | 2026-02-06 | 7.1 | CVE-2019-25300 | ExploitDB-47581 Vendor Homepage VulnCheck Advisory: thejshen Globitek CMS 1.4 - 'id' SQL Injection |
| Acer--Launch Manager | Acer Launch Manager 6.1.7600.16385 contains an unquoted service path vulnerability in the DsiWMIService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Launch Manager\dsiwmis.exe to insert malicious code that would execute with system-level permissions during service startup. | 2026-02-06 | 7.8 | CVE-2019-25302 | ExploitDB-47577 Acer Official Website VulnCheck Advisory: Acer Launch Manager 6.1.7600.16385 - 'DsiWMIService' Unquoted Service Path |
| thejshen--contentManagementSystem | TheJshen ContentManagementSystem 1.04 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to extract or manipulate database information by crafting malicious query payloads. | 2026-02-06 | 7.1 | CVE-2019-25303 | ExploitDB-47569 Vendor Homepage VulnCheck Advisory: TheJshen contentManagementSystem 1.04 - 'id' SQL Injection |
| Issivs--Intelligent Security System SecurOS Enterprise | SecurOS Enterprise 10.2 contains an unquoted service path vulnerability in the SecurosCtrlService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\ISS\SecurOS\ to insert malicious code that would execute with system-level permissions during service startup. | 2026-02-06 | 7.8 | CVE-2019-25304 | ExploitDB-47556 Vendor Product Homepage Company Website VulnCheck Advisory: Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path |
| Inforprograma--JumpStart | JumpStart 0.6.0.0 contains an unquoted service path vulnerability in the jswpbapi service running with LocalSystem privileges. Attackers can exploit the unquoted path containing spaces to inject and execute malicious code with elevated system permissions. | 2026-02-06 | 7.8 | CVE-2019-25305 | ExploitDB-47549 Official Product Homepage VulnCheck Advisory: JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path |
| VictorAlagwu--CMSsite | Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers. | 2026-02-03 | 7.2 | CVE-2020-37072 | ExploitDB-48484 Victor CMS Project Repository VulnCheck Advisory: Victor CMS 1.0 - 'comment_author' Persistent Cross-Site Scripting |
| Fishing Reservation System--Fishing Reservation System | Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. Attackers can exploit vulnerable parameters like uid, pid, type, m, y, and code to compromise the database management system and web application without user interaction. | 2026-02-03 | 7.1 | CVE-2020-37081 | ExploitDB-48417 Vulnerability-Lab Researcher Disclosure Fishing Reservation System Homepage VulnCheck Advisory: Fishing Reservation System 7.5 - 'uid' SQL Injection |
| SunnySideSoft--VirtualTablet Server | VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. Attackers can exploit the vulnerability by sending a long string to the send_say() method, causing the server to become unresponsive. | 2026-02-03 | 7.5 | CVE-2020-37085 | ExploitDB-48402 Official Product Homepage VulnCheck Advisory: VirtualTablet Server 3.0.2 - Denial of Service (PoC) |
| Arox--School ERP Pro | School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system credentials and configuration information. | 2026-02-03 | 7.5 | CVE-2020-37088 | ExploitDB-48394 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 - Arbitrary File Read |
| Netis Systems Co., Ltd.--Netis E1+ | Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device. | 2026-02-03 | 7.5 | CVE-2020-37092 | ExploitDB-48382 Netis Systems Official Homepage VulnCheck Advisory: Netis E1+ 1.2.32533 - Backdoor Account (root) |
| Netis Systems Co., Ltd.--Netis E1+ | Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET request to the endpoint to extract sensitive network credentials including SSID and WiFi passwords in plain text. | 2026-02-03 | 7.5 | CVE-2020-37093 | ExploitDB-48384 Netis Systems Official Homepage VulnCheck Advisory: Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak |
| EDIMAX Technology Co., Ltd.--EW-7438RPn Mini | Edimax EW-7438RPn 1.13 contains an information disclosure vulnerability that exposes WiFi network configuration details through the wlencrypt_wiz.asp file. Attackers can access the script to retrieve sensitive information including WiFi network name and plaintext password stored in device configuration variables. | 2026-02-03 | 7.5 | CVE-2020-37097 | ExploitDB-48365 Edimax EW-7438RPn Product Homepage VulnCheck Advisory: Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password) |
| DiskSorter--Disk Sorter Enterprise | Disk Sorter Enterprise 12.4.16 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. | 2026-02-03 | 7.8 | CVE-2020-37098 | ExploitDB-48048 Vendor Homepage VulnCheck Advisory: Disk Sorter Enterprise 12.4.16 - Unquoted Service Path |
| DiskSavvy--Disk Savvy Enterprise | Disk Savvy Enterprise 12.3.18 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe' to inject malicious executables and escalate privileges. | 2026-02-03 | 7.8 | CVE-2020-37099 | ExploitDB-48049 Vendor Homepage VulnCheck Advisory: Disk Savvy Enterprise 12.3.18 - 'disksvs.exe' Unquoted Service Path |
| SyncBreeze--Sync Breeze Enterprise | Sync Breeze Enterprise 12.4.18 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service startup process. | 2026-02-03 | 7.8 | CVE-2020-37100 | ExploitDB-48045 Vendor Homepage VulnCheck Advisory: Sync Breeze Enterprise 12.4.18 - Unquoted Service Path |
| Vpnunlimitedapp--VPN unlimited | VPN Unlimited 6.1 contains an unquoted service path vulnerability that allows local attackers to inject malicious executables into the service binary path. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\VPN Unlimited\' to replace the service executable and gain elevated system privileges. | 2026-02-03 | 7.8 | CVE-2020-37101 | ExploitDB-47916 VPN Unlimited Official Homepage VulnCheck Advisory: VPN unlimited 6.1 - Unquoted Service Path |
| Lavasoft--Web Companion | Adaware Web Companion 4.9.2159 contains an unquoted service path vulnerability in the WCAssistantService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. | 2026-02-03 | 7.8 | CVE-2020-37102 | ExploitDB-47852 Vendor Homepage Software Download Link VulnCheck Advisory: Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path |
| redmine--PMB | PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database. | 2026-02-03 | 7.1 | CVE-2020-37105 | ExploitDB-48356 Vendor Homepage Software Download Repository VulnCheck Advisory: PMB 5.6 - 'logid' SQL Injection |
| Core FTP--Core FTP LE | Core FTP LE 2.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the account field with a large buffer. Attackers can create a text file with 20,000 repeated characters and paste it into the account field to cause the application to become unresponsive and require reinstallation. | 2026-02-06 | 7.5 | CVE-2020-37107 | ExploitDB-48137 Core FTP Vendor Homepage Core FTP Download Page VulnCheck Advisory: Core FTP LE 2.2 - Denial of Service |
| AllHandsMarketing--PhpIX 2012 Professional | PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information. | 2026-02-03 | 7.1 | CVE-2020-37108 | ExploitDB-48138 Vendor Homepage Demonstration Website VulnCheck Advisory: PhpIX 2012 Professional - 'id' SQL Injection |
| asc Applied Software Consultants--aSc TimeTables | aSc TimeTables 2020.11.4 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the Subject title field with a large buffer. Attackers can generate a 1000-character buffer and paste it into the Subject title to trigger an application crash and potential instability. | 2026-02-06 | 7.5 | CVE-2020-37109 | ExploitDB-48133 Vendor Homepage VulnCheck Advisory: aSc TimeTables 2020.11.4 - Denial of Service |
| Openeclass--GUnet OpenEclass | GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. Attackers can exploit the 'month' parameter in the agenda module and other endpoints to extract sensitive database information using error-based or time-based injection techniques. | 2026-02-03 | 7.1 | CVE-2020-37112 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection |
| Nsauditor--FTP Password Recover | SpotFTP-FTP Password Recover 2.4.8 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a text file with 1000 'Z' characters and input it as a registration code to trigger the application crash. | 2026-02-06 | 7.5 | CVE-2020-37122 | ExploitDB-48132 Vendor Homepage Software Download Page VulnCheck Advisory: SpotFTP-FTP Password Recover 2.4.8 - Denial of Service |
| Nsauditor--Nsauditor | Nsauditor 3.2.0.0 contains a denial of service vulnerability in the registration name input field that allows attackers to crash the application. Attackers can create a malicious payload of 1000 bytes of repeated characters to trigger an application crash when pasted into the registration name field. | 2026-02-05 | 7.5 | CVE-2020-37130 | ExploitDB-48286 Vendor Homepage VulnCheck Advisory: Nsauditor 3.2.0.0 - 'Name' Denial of Service |
| UltraVNC Team--UltraVNC Launcher | UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allows attackers to crash the application. Attackers can paste an overly long string of 300 characters into the Repeater Host property to trigger an application crash. | 2026-02-05 | 7.5 | CVE-2020-37133 | ExploitDB-48288 UltraVNC Official Homepage VulnCheck Advisory: UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service |
| UltraVNC Team--UltraVNC Viewer | UltraVNC Viewer 1.2.4.0 contains a denial of service vulnerability that allows attackers to crash the application by manipulating VNC Server input. Attackers can generate a malformed 256-byte payload and paste it into the VNC Server connection dialog to trigger an application crash. | 2026-02-05 | 7.5 | CVE-2020-37134 | ExploitDB-48291 UltraVNC Official Homepage VulnCheck Advisory: UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service |
| Amssplus--AMSS++ | AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system. | 2026-02-06 | 7.5 | CVE-2020-37135 | ExploitDB-48114 VulnCheck Advisory: AMSS++ 4.7 - Backdoor Admin Account |
| EmTec--ZOC Terminal | ZOC Terminal 7.25.5 contains a denial of service vulnerability in the private key file input field that allows attackers to crash the application. Attackers can overwrite the private key file input with a 2000-byte buffer, causing the application to become unresponsive when attempting to create SSH key files. | 2026-02-05 | 7.5 | CVE-2020-37136 | ExploitDB-48292 Vendor Homepage VulnCheck Advisory: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service |
| GE Intelligent Platforms, Inc.--ProficySCADA for iOS | ProficySCADA for iOS 5.0.25920 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the password input field. Attackers can overwrite the password field with 257 bytes of repeated characters to trigger an application crash and prevent successful authentication. | 2026-02-05 | 7.5 | CVE-2020-37143 | ExploitDB-48236 Archived App Software VulnCheck Advisory: ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service |
| ACE SECURITY--Aptina AR0130 960P 1.3MP Camera | ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration files. Attackers can access the camera's configuration backup by sending a GET request to the /config_backup.bin endpoint, exposing credentials and system settings. | 2026-02-06 | 7.5 | CVE-2020-37146 | ExploitDB-48127 Vendor Homepage Product Support Page VulnCheck Advisory: Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure |
| Atutor--ATutor | ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information. | 2026-02-06 | 7.1 | CVE-2020-37147 | ExploitDB-48117 ATutor Official Homepage VulnCheck Advisory: ATutor 2.2.4 - 'id' SQL Injection |
| EDIMAX Technology--EW-7438RPn Mini | Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wireless password by sending a GET request to this endpoint, exposing sensitive information without authentication. | 2026-02-05 | 7.5 | CVE-2020-37150 | ExploitDB-48318 Edimax EW-7438RPn Mini Product Page VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Unauthorized Access: Wi-Fi Password Disclosure |
| Tripath Project--eLection | eLection 2.0 contains an authenticated SQL injection vulnerability in the candidate management endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers can leverage SQLMap to exploit the vulnerability, potentially gaining remote code execution by uploading backdoor files to the web application directory. | 2026-02-06 | 7.1 | CVE-2020-37154 | ExploitDB-48122 eLection Project Vendor Homepage Researcher Exploit Disclosure VulnCheck Advisory: eLection 2.0 - 'id' SQL Injection |
| Core FTP--Core FTP Lite | Core FTP Lite 1.3 contains a buffer overflow vulnerability in the username input field that allows attackers to crash the application by supplying oversized input. Attackers can generate a 7000-byte payload of repeated 'A' characters to trigger an application crash without requiring additional interaction. | 2026-02-06 | 7.5 | CVE-2020-37155 | ExploitDB-48100 Core FTP Official Homepage VulnCheck Advisory: Core FTP Lite 1.3 - Denial of Service (PoC) |
| DBPower--DBPower C300 HD Camera | DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract hardcoded username and password by accessing the /tmpfs/config_backup.bin resource. | 2026-02-06 | 7.5 | CVE-2020-37157 | ExploitDB-48095 Archived Researcher Blog VulnCheck Advisory: DBPower C300 HD Camera - Remote Configuration Disclosure |
| Innomic--VibroLine Configurator 5.0 | A local attacker could cause a full device reset by resetting the device passwords using an invalid reset file via USB. | 2026-02-02 | 7.7 | CVE-2022-50976 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Innomic--VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP. | 2026-02-02 | 7.5 | CVE-2022-50977 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Innomic--VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP). | 2026-02-02 | 7.5 | CVE-2022-50978 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Talemy--Spirit Framework | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion. This issue affects Spirit Framework: from n/a through 1.2.13. | 2026-02-02 | 7.5 | CVE-2024-54263 | https://patchstack.com/database/wordpress/plugin/spirit-framework/vulnerability/wordpress-spirit-framework-plugin-1-2-13-local-file-inclusion-vulnerability?_s_id=cve |
| Zyxel--ATP series firmware | A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versions from V5.35 through V5.41, USG FLEX 50(W) series firmware versions from V5.35 through V5.41, and USG20(W)-VPN series firmware versions from V5.35 through V5.41 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device by supplying a specially crafted string as an argument to the CLI command. | 2026-02-05 | 7.2 | CVE-2025-11730 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-the-ddns-configuration-cli-command-of-zld-firewalls-02-05-2026 |
| IBM--Business Automation Workflow containers | IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | 2026-02-02 | 7.1 | CVE-2025-13096 | https://www.ibm.com/support/pages/node/7259321 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557 | 2026-02-06 | 7.7 | CVE-2025-13523 | MMSA-2025-00557 |
| IBM--WebSphere Application Server Liberty | IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution. | 2026-02-02 | 7.6 | CVE-2025-14914 | https://www.ibm.com/support/pages/node/7258224 |
| infility--Infility Global | The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-04 | 7.5 | CVE-2025-15268 | https://www.wordfence.com/threat-intel/vulnerabilities/id/648941b8-d1ab-4587-bd87-f23008ac9a00?source=cve https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/db.class.php?marks=41#L41 https://plugins.trac.wordpress.org/browser/infility-global/trunk/infility_global.php?marks=626#L626 https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/str.class.php?marks=21#L21 |
| lupsonline--SEO Flow by LupsOnline | The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories. | 2026-02-04 | 7.5 | CVE-2025-15285 | https://www.wordfence.com/threat-intel/vulnerabilities/id/526837cc-ed1d-4d3d-8f75-a2098445dd1d?source=cve https://plugins.trac.wordpress.org/browser/lupsonline-link-netwerk/tags/2.2.1/includes/class-linknetwerk-api.php?marks=83-99,101-117#L83 |
| Tanium--Tanium Appliance | Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance. | 2026-02-05 | 7.8 | CVE-2025-15311 | TAN-2025-002 |
| n/a--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. The manipulation of the argument OGS_KEY_LEN results in stack-based buffer overflow. The attack may be launched remotely. The patch is identified as 54dda041211098730221d0ae20a2f9f9173e7a21. A patch should be applied to remediate this issue. | 2026-02-04 | 7.3 | CVE-2025-15555 | VDB-343795 | Open5GS VoLTE Cx-Test hss-cx-path.c hss_ogs_diam_cx_mar_cb stack-based overflow VDB-343795 | CTI Indicators (IOB, IOC, IOA) Submit #741901 | Open5GS v2.7.6 Buffer Over-read https://github.com/open5gs/open5gs/issues/4177 https://github.com/open5gs/open5gs/issues/4177#event-21256395700 https://github.com/open5gs/open5gs/commit/54dda041211098730221d0ae20a2f9f9173e7a21 https://github.com/open5gs/open5gs/ |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when user space address is modified and passed to mem_free API, causing kernel memory to be freed inadvertently. | 2026-02-02 | 7.8 | CVE-2025-47358 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when multiple threads simultaneously access a memory free API. | 2026-02-02 | 7.8 | CVE-2025-47359 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input. | 2026-02-02 | 7.1 | CVE-2025-47366 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when initiating GPU memory mapping using scatter-gather lists due to unchecked IOMMU mapping errors. | 2026-02-02 | 7.8 | CVE-2025-47397 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption while deallocating graphics processing unit memory buffers due to improper handling of memory pointers. | 2026-02-02 | 7.8 | CVE-2025-47398 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption while processing IOCTL call to update sensor property settings with invalid input parameters. | 2026-02-02 | 7.8 | CVE-2025-47399 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| n8n-io--n8n | n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure. This issue has been patched in version 1.114.3. | 2026-02-04 | 7.7 | CVE-2025-61917 | https://github.com/n8n-io/n8n/security/advisories/GHSA-49mx-fj45-q3p6 https://github.com/n8n-io/n8n/commit/2c4c2953199733c791f739a40879ae31ca129aba |
| N/A--Moodle[.]org | A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated. | 2026-02-03 | 7.3 | CVE-2025-67849 | https://access.redhat.com/security/cve/CVE-2025-67849 RHBZ#2423835 |
| N/A--Moodle[.]org | A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions. | 2026-02-03 | 7.3 | CVE-2025-67850 | https://access.redhat.com/security/cve/CVE-2025-67850 RHBZ#2423838 |
| N/A--Moodle[.]org | A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts. | 2026-02-03 | 7.5 | CVE-2025-67853 | https://access.redhat.com/security/cve/CVE-2025-67853 RHBZ#2423847 |
| TriliumNext--Trilium | Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0. | 2026-02-06 | 7.4 | CVE-2025-68621 | https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x https://github.com/TriliumNext/Trilium/pull/8129 |
| Ofisimo Web-Based Software Technologies--Association Web Package Flora | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers. This issue affects Association Web Package Flora: from v3.0 through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.6 | CVE-2025-7760 | https://www.usom.gov.tr/bildirim/tr-26-0015 |
| Kod8 Software Technologies Trade Ltd. Co.--Kod8 Individual and SME Website | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website allows Reflected XSS. This issue affects Kod8 Individual and SME Website: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.6 | CVE-2025-8456 | https://www.usom.gov.tr/bildirim/tr-26-0012 |
| Seres Software--syWEB | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS. This issue affects syWEB: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.6 | CVE-2025-8461 | https://www.usom.gov.tr/bildirim/tr-26-0013 |
| AKCE Software Technology R&D Industry and Trade Inc.--SKSPro | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS. This issue affects SKSPro: through 07012026. | 2026-02-03 | 7.6 | CVE-2025-8589 | https://www.usom.gov.tr/bildirim/tr-26-0011 |
| AKCE Software Technology R&D Industry and Trade Inc.--SKSPro | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Directory Indexing. This issue affects SKSPro: through 07012026. | 2026-02-03 | 7.5 | CVE-2025-8590 | https://www.usom.gov.tr/bildirim/tr-26-0011 |
| Autodesk--3ds Max | A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0536 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk--3ds Max | A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0537 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk--3ds Max | A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0538 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| latepoint--LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history. | 2026-02-03 | 7.2 | CVE-2026-0617 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22bcfd36-ecf9-4d2c-ac94-94ffa0340c4c?source=cve https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/views/activities/view.php#L27 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/controllers/activities_controller.php https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/activity_model.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3449263%40latepoint%2Ftrunk&old=3408660%40latepoint%2Ftrunk&sfp_email=&sfph_mail= |
| Autodesk--USD for Arnold | A maliciously crafted USD file, when loaded or imported into Autodesk Arnold or Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0659 | https://www.autodesk.com/products/autodesk-access/overview https://github.com/Autodesk/arnold-usd https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0003 |
| Autodesk--3ds Max | A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0660 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk--3ds Max | A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0661 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk--3ds Max | A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized. | 2026-02-04 | 7.8 | CVE-2026-0662 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| 10web--Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder | The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list. | 2026-02-03 | 7.1 | CVE-2026-1058 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e0ec0027-2792-4069-b413-8fdd951f5fe7?source=cve https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/admin/views/Submissions_fm.php#L759 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail= |
| 10web--Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder | The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms. | 2026-02-03 | 7.2 | CVE-2026-1065 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d?source=cve https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/js/add_field.js#L2364 https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1744 https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1855 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail= |
| bplugins--All In One Image Viewer Block Gutenberg block to create image viewer with hyperlink | The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-02-05 | 7.2 | CVE-2026-1294 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7c3f7108-eb32-425a-a705-4f032e7da6b0?source=cve https://plugins.trac.wordpress.org/browser/image-viewer/tags/1.0.2/image-viewer-block.php#L10 https://plugins.trac.wordpress.org/changeset/3449642/image-viewer/tags/1.0.3/image-viewer-block.php?old=3405983&old_path=image-viewer%2Ftags%2F1.0.2%2Fimage-viewer-block.php |
| pgadmin.org--pgAdmin 4 | pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict <key>`. This results in reliable command execution on the pgAdmin host during the restore operation. | 2026-02-05 | 7.4 | CVE-2026-1707 | https://github.com/pgadmin-org/pgadmin4/issues/9518 |
| EFM--ipTIME A8004T | A vulnerability was found in EFM ipTIME A8004T 14.18.2. This impacts the function httpcon_check_session_url of the file /cgi/timepro.cgi of the component Hidden Hiddenloginsetup Interface. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 7.3 | CVE-2026-1740 | VDB-343639 | EFM ipTIME A8004T Hidden Hiddenloginsetup timepro.cgi httpcon_check_session_url improper authentication VDB-343639 | CTI Indicators (IOB, IOC, IOA) Submit #741422 | IPTIME A8004T 14.18.2 Authentication Bypass & Arbitrary Password Reset https://github.com/LX-LX88/cve/issues/27 |
| AWS--SageMaker Python SDK | The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output location may have the ability to upload arbitrary artifacts which are executed the next time the Training Job is invoked. | 2026-02-02 | 7.2 | CVE-2026-1777 | https://aws.amazon.com/security/security-bulletins/2026-004-AWS/ https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-rjrp-m2jw-pv9c https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.2.0 https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0 |
| Ziroom--ZHOME A0101 | A security flaw has been discovered in Ziroom ZHOME A0101 1.0.1.0. This issue affects the function macAddrClone of the file luci\controller\api\zrMacClone.lua. The manipulation of the argument macType results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.3 | CVE-2026-1802 | VDB-343975 | Ziroom ZHOME A0101 zrMacClone.lua macAddrClone command injection VDB-343975 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741842 | https://sh.ziroom.com/ ZHOME A0101 Command Injection https://github.com/jinhao118/cve/blob/main/ziru_router_command_injection.md |
| itsourcecode--Student Management System | A vulnerability was found in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /ramonsys/enrollment/controller.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-02-06 | 7.3 | CVE-2026-2011 | VDB-344593 | itsourcecode Student Management System controller.php sql injection VDB-344593 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743498 | itsourcecode Student Management System V1.0 SQL Injection https://github.com/tianrenu/CVE-Discoveries/issues/1 https://itsourcecode.com/ |
| Cisco--Cisco RoomOS Software | A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of input received by an affected device. An attacker could exploit this vulnerability by getting the affected device to render crafted text, for example, a crafted meeting invitation. As indicated in the CVSS score, no user interaction is required, such as accepting the meeting invitation. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. | 2026-02-04 | 7.5 | CVE-2026-20119 | cisco-sa-tce-roomos-dos-9V9jrC2q |
| itsourcecode--Student Management System | A vulnerability was determined in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /ramonsys/facultyloading/index.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-06 | 7.3 | CVE-2026-2012 | VDB-344594 | itsourcecode Student Management System index.php sql injection VDB-344594 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743499 | itsourcecode Student Management System V1.0 SQL Injection https://github.com/tianrenu/CVE-Discoveries/issues/2 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A vulnerability was identified in itsourcecode Student Management System 1.0. This affects an unknown function of the file /ramonsys/soa/index.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2026-02-06 | 7.3 | CVE-2026-2013 | VDB-344595 | itsourcecode Student Management System index.php sql injection VDB-344595 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743500 | itsourcecode Student Management System V1.0 SQL Injection https://github.com/tianrenu/CVE-Discoveries/issues/3 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A security flaw has been discovered in itsourcecode Student Management System 1.0. This impacts an unknown function of the file /ramonsys/billing/index.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. | 2026-02-06 | 7.3 | CVE-2026-2014 | VDB-344596 | itsourcecode Student Management System index.php sql injection VDB-344596 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744048 | itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/35 https://itsourcecode.com/ |
| itsourcecode--School Management System | A flaw has been found in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/settings/controller.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-02-06 | 7.3 | CVE-2026-2018 | VDB-344600 | itsourcecode School Management System controller.php sql injection VDB-344600 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744075 | itsourcecode School Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/36 https://itsourcecode.com/ |
| SourceCodester--Medical Center Portal Management System | A vulnerability was detected in SourceCodester Medical Center Portal Management System 1.0. This affects an unknown function of the file /login.php. The manipulation of the argument User results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. | 2026-02-06 | 7.3 | CVE-2026-2057 | VDB-344617 | SourceCodester Medical Center Portal Management System login.php sql injection VDB-344617 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744233 | SourceCodester Medical Center Portal Management System 1.0 SQL Injection https://github.com/Roger-Adventures/CVE/issues/1 https://www.sourcecodester.com/ |
| mathurvishal--CloudClassroom-PHP-Project | A flaw has been found in mathurvishal CloudClassroom-PHP-Project up to 5dadec098bfbbf3300d60c3494db3fb95b66e7be. This impacts an unknown function of the file /postquerypublic.php of the component Post Query Details Page. This manipulation of the argument gnamex causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 7.3 | CVE-2026-2058 | VDB-344618 | mathurvishal CloudClassroom-PHP-Project Post Query Details postquerypublic.php sql injection VDB-344618 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744236 | https://github.com/mathurvishal/CloudClassroom-PHP-Project CloudClassroom PHP Project 1.0 SQL Injection https://github.com/carlosalbertotuma/CLOUD-CLASSROOMS-php-1.0 https://github.com/carlosalbertotuma/CLOUD-CLASSROOMS-php-1.0#impact |
| SourceCodester--Medical Center Portal Management System | A vulnerability has been found in SourceCodester Medical Center Portal Management System 1.0. Affected is an unknown function of the file /emp_edit1.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2026-02-06 | 7.3 | CVE-2026-2059 | VDB-344619 | SourceCodester Medical Center Portal Management System emp_edit1.php sql injection VDB-344619 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744261 | SourceCodester Medical Center Portal Management System 1.0 SQL Injection https://github.com/Roger-Adventures/CVE/issues/2 https://www.sourcecodester.com/ |
| code-projects--Simple Blood Donor Management System | A vulnerability was found in code-projects Simple Blood Donor Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /simpleblooddonor/editcampaignform.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-02-06 | 7.3 | CVE-2026-2060 | VDB-344620 | code-projects Simple Blood Donor Management System editcampaignform.php sql injection VDB-344620 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744262 | code-projects Simple Blood Donor Management System V1.0 SQL Injection https://github.com/kyxh001/CVE/issues/1 https://code-projects.org/ |
| itsourcecode--School Management System | A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2026-02-07 | 7.3 | CVE-2026-2073 | VDB-344639 | itsourcecode School Management System index.php sql injection VDB-344639 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745482 | itsourcecode School Management System V1.0 SQL Injection https://github.com/Sherlocksbs/CVE/issues/1 https://itsourcecode.com/ |
| UTT--HiPER 810 | A vulnerability has been found in UTT HiPER 810 1.7.4-141218. This issue affects the function setSysAdm of the file /goform/formUser. The manipulation of the argument passwd1 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 7.2 | CVE-2026-2080 | VDB-344646 | UTT HiPER 810 formUser setSysAdm command injection VDB-344646 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745521 | UTT HiPER 810 / nv810v4 nv810v4v1.7.4-141218 Command Injection https://github.com/cha0yang1/UTT810CVE/blob/main/README.md https://github.com/cha0yang1/UTT810CVE/blob/main/README.md#reproduction-steps |
| code-projects--Social Networking Site | A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file /delete_post.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-07 | 7.3 | CVE-2026-2083 | VDB-344650 | code-projects Social Networking Site delete_post.php sql injection VDB-344650 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745937 | code-projects Social Networking Site V1.0 SQL Injection https://github.com/6Justdododo6/CVE/issues/1 https://code-projects.org/ |
| D-Link--DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-07 | 7.2 | CVE-2026-2084 | VDB-344651 | D-Link DIR-823X set_language os command injection VDB-344651 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746379 | D-Link DIR 250416 OS Command Injection Submit #746380 | D-Link DIR-823X 250416 OS Command Injection (Duplicate) https://github.com/master-abc/cve/issues/24 https://www.dlink.com/ |
| D-Link--DWR-M921 | A security vulnerability has been detected in D-Link DWR-M921 1.1.50. Affected is the function sub_419F20 of the file /boafrm/formUSSDSetup of the component USSD Configuration Endpoint. The manipulation of the argument ussdValue leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-02-07 | 7.2 | CVE-2026-2085 | VDB-344652 | D-Link DWR-M921 USSD Configuration Endpoint formUSSDSetup sub_419F20 command injection VDB-344652 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746400 | D-Link DWR-M921 V1.1.50 Command Injection https://github.com/LX-66-LX/cve-new/issues/1 https://github.com/LX-66-LX/cve-new/issues/1#issue-3851345029 https://www.dlink.com/ |
| SourceCodester--Online Class Record System | A flaw has been found in SourceCodester Online Class Record System 1.0. Affected by this issue is some unknown functionality of the file /admin/login.php. This manipulation of the argument user_email causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2026-02-07 | 7.3 | CVE-2026-2087 | VDB-344654 | SourceCodester Online Class Record System login.php sql injection VDB-344654 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746510 | SourceCodester Online Class Record System 1.0 SQL Injection https://github.com/xiaoccm07/cve/issues/1 https://www.sourcecodester.com/ |
| PHPGurukul--Beauty Parlour Management System | A vulnerability has been found in PHPGurukul Beauty Parlour Management System 1.1. This affects an unknown part of the file /admin/accepted-appointment.php. Such manipulation of the argument delid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-02-07 | 7.3 | CVE-2026-2088 | VDB-344655 | PHPGurukul Beauty Parlour Management System accepted-appointment.php sql injection VDB-344655 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746520 | PHPgurukul Beauty Parlour Management System V1.1 SQL Injection https://github.com/Shaon-Xis/cve/issues/1 https://phpgurukul.com/ |
| SourceCodester--Online Class Record System | A vulnerability was found in SourceCodester Online Class Record System 1.0. This vulnerability affects unknown code of the file /admin/subject/controller.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2026-02-07 | 7.3 | CVE-2026-2089 | VDB-344656 | SourceCodester Online Class Record System controller.php sql injection VDB-344656 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746550 | SourceCodester Online Class Record System 1.0 SQL Injection https://github.com/xiaoccm07/cve/issues/2 https://www.sourcecodester.com/ |
| SourceCodester--Online Class Record System | A vulnerability was determined in SourceCodester Online Class Record System 1.0. This issue affects some unknown processing of the file /admin/message/search.php. Executing a manipulation of the argument term can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-07 | 7.3 | CVE-2026-2090 | VDB-344657 | SourceCodester Online Class Record System search.php sql injection VDB-344657 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746551 | SourceCodester Online Class Record System 1.0 SQL Injection https://github.com/xiaoccm07/cve/issues/3 https://www.sourcecodester.com/ |
| Infor--SyteLine ERP | Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all stored credentials. | 2026-02-06 | 7.1 | CVE-2026-2103 | https://blog.blacklanternsecurity.com/p/cve-2026-2103-infor-syteline-erp |
| yuan1994--tpadmin | A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-07 | 7.3 | CVE-2026-2113 | VDB-344688 | yuan1994 tpadmin WebUploader preview.php deserialization VDB-344688 | CTI Indicators (IOB, IOC, IOA) Submit #746795 | https://github.com/yuan1994/tpadmin cms v1.3 RCE https://github.com/sTy1H/CVE-Report/blob/main/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md |
| itsourcecode--Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. This vulnerability affects unknown code of the file /admin/edit_admin.php. The manipulation of the argument admin_id results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | 2026-02-07 | 7.3 | CVE-2026-2114 | VDB-344689 | itsourcecode Society Management System edit_admin.php sql injection VDB-344689 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746796 | itsourcecode Society Management System V1.0 SQL injection https://github.com/zpf7029/oblong/issues/3 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A flaw has been found in itsourcecode Society Management System 1.0. This issue affects some unknown processing of the file /admin/delete_expenses.php. This manipulation of the argument expenses_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-02-07 | 7.3 | CVE-2026-2115 | VDB-344690 | itsourcecode Society Management System delete_expenses.php sql injection VDB-344690 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746797 | itsourcecode Society Management System V1.0 SQL injection https://github.com/zpf7029/oblong/issues/2 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A vulnerability has been found in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/edit_expenses.php. Such manipulation of the argument expenses_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-02-07 | 7.3 | CVE-2026-2116 | VDB-344691 | itsourcecode Society Management System edit_expenses.php sql injection VDB-344691 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746798 | itsourcecode Society Management System V1.0 SQL injection https://github.com/zpf7029/oblong/issues/1 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A vulnerability was found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-02-07 | 7.3 | CVE-2026-2117 | VDB-344692 | itsourcecode Society Management System edit_activity.php sql injection VDB-344692 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746884 | itsourcecode Society Management System V1.0 SQL injection https://github.com/ZooNJarway/CVE/issues/4 https://itsourcecode.com/ |
| UTT--HiPER 810 | A vulnerability was determined in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_4407D4 of the file /goform/formReleaseConnect of the component rehttpd. Executing a manipulation of the argument Isp_Name can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 7.2 | CVE-2026-2118 | VDB-344693 | UTT HiPER 810 rehttpd formReleaseConnect sub_4407D4 command injection VDB-344693 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746802 | UTT (艾泰) HiPER 810 nv810v4v1.7.4-141218 Command Injection https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme1.md https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme1.md#poc |
| D-Link--DIR-823X | A vulnerability was identified in D-Link DIR-823X 250416. This affects an unknown function of the file /goform/set_server_settings of the component Configuration Parameter Handler. The manipulation of the argument terminal_addr/server_ip/server_port leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-02-08 | 7.2 | CVE-2026-2120 | VDB-344694 | D-Link DIR-823X Configuration Parameter set_server_settings os command injection VDB-344694 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746916 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/26 https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Performing a manipulation of the argument ac_ipaddr/ac_ipstatus/ap_randtime results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2026-02-08 | 7.2 | CVE-2026-2129 | VDB-344764 | D-Link DIR-823X set_ac_status os command injection VDB-344764 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746935 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/23 https://www.dlink.com/ |
| code-projects--Online Music Site | A security flaw has been discovered in code-projects Online Music Site 1.0. This issue affects some unknown processing of the file /Administrator/PHP/AdminUpdateCategory.php. The manipulation of the argument txtcat results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 7.3 | CVE-2026-2132 | VDB-344767 | code-projects Online Music Site AdminUpdateCategory.php sql injection VDB-344767 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747210 | code-projects ONLINE MUSIC SITE V1.0 SQL Injection https://github.com/Volije/AdminUpdateCategory/issues/1 https://code-projects.org/ |
| code-projects--Online Music Site | A weakness has been identified in code-projects Online Music Site 1.0. Impacted is an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. This manipulation of the argument txtimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.3 | CVE-2026-2133 | VDB-344768 | code-projects Online Music Site AdminUpdateCategory.php unrestricted upload VDB-344768 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747213 | code-projects ONLINE MUSIC SITE V1.0 Arbitrary file upload vulnerability https://github.com/Volije/cve2/issues/1 https://code-projects.org/ |
| projectworlds--Online Food Ordering System | A flaw has been found in projectworlds Online Food Ordering System 1.0. This affects an unknown function of the file /view-ticket.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-02-08 | 7.3 | CVE-2026-2136 | VDB-344771 | projectworlds Online Food Ordering System view-ticket.php sql injection VDB-344771 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747230 | projectworlds Online Food Ordering System Project in PHP V1.0 SQL Injection https://github.com/hater-us/CVE/issues/4 |
| D-Link--DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420688 of the file /goform/set_qos. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2142 | VDB-344777 | D-Link DIR-823X set_qos sub_420688 os command injection VDB-344777 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747428 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/29 https://www.dlink.com/ |
| D-Link--DIR-823X | A security vulnerability has been detected in D-Link DIR-823X 250416. This issue affects some unknown processing of the file /goform/set_ddns of the component DDNS Service. The manipulation of the argument ddnsType/ddnsDomainName/ddnsUserName/ddnsPwd leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.2 | CVE-2026-2143 | VDB-344778 | D-Link DIR-823X DDNS Service set_ddns os command injection VDB-344778 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747492 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/25 https://www.dlink.com/ |
| D-Link--DIR-615 | A vulnerability has been found in D-Link DIR-615 4.10. This affects an unknown part of the file adv_firewall.php of the component DMZ Host Feature. Such manipulation of the argument dmz_ipaddr leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-08 | 7.2 | CVE-2026-2151 | VDB-344853 | D-Link DIR-615 DMZ Host Feature adv_firewall.php os command injection VDB-344853 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748031 | Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-OS-Command-Injection-2f6e5dd4c5a58053b2b4f166c2a503ba https://www.dlink.com/ |
| D-Link--DIR-615 | A vulnerability was found in D-Link DIR-615 4.10. This vulnerability affects unknown code of the file adv_routing.php of the component Web Configuration Interface. Performing a manipulation of the argument dest_ip/ submask/ gw results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-08 | 7.2 | CVE-2026-2152 | VDB-344854 | D-Link DIR-615 Web Configuration adv_routing.php os command injection VDB-344854 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748032 | Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-routing-command-injection-2f6e5dd4c5a580089587f5e78a1bbf70?pvs=74 https://www.dlink.com/ |
| D-Link--DIR-823X | A security flaw has been discovered in D-Link DIR-823X 250416. The affected element is the function sub_4208A0 of the file /goform/set_dmz of the component Configuration Handler. The manipulation of the argument dmz_host/dmz_enable results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2155 | VDB-344857 | D-Link DIR-823X Configuration set_dmz sub_4208A0 os command injection VDB-344857 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748236 | D-Link DIR-823X 250416 OS Command Injection Submit #750038 | D-Link DIR-823X 250416 OS Command Injection (Duplicate) https://github.com/master-abc/cve/issues/32 https://www.dlink.com/ |
| D-Link--DIR-823X | A security vulnerability has been detected in D-Link DIR-823X 250416. This affects the function sub_4175CC of the file /goform/set_static_route_table. Such manipulation of the argument interface/destip/netmask/gateway/metric leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.2 | CVE-2026-2157 | VDB-344859 | D-Link DIR-823X set_static_route_table sub_4175CC os command injection VDB-344859 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748376 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/28 https://www.dlink.com/ |
| code-projects--Student Web Portal | A vulnerability was detected in code-projects Student Web Portal 1.0. This impacts an unknown function of the file /check_user.php. Performing a manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. | 2026-02-08 | 7.3 | CVE-2026-2158 | VDB-344860 | code-projects Student Web Portal check_user.php sql injection VDB-344860 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748816 | code-projects.org STUDENT WEB PORTAL IN PHP WITH SOURCE CODE 1.0 SQL Injection https://github.com/Qing-420/cve/blob/main/sql.md https://code-projects.org/ |
| itsourcecode--Directory Management System | A vulnerability was found in itsourcecode Directory Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/forget-password.php. The manipulation of the argument email results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-02-08 | 7.3 | CVE-2026-2161 | VDB-344863 | itsourcecode Directory Management System forget-password.php sql injection VDB-344863 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751082 | itsourcecode Directory Management System V1.0 SQL Injection https://github.com/Wzl731/test/issues/1 https://itsourcecode.com/ |
| detronetdip--E-commerce | A security flaw has been discovered in detronetdip E-commerce 1.0.0. This issue affects some unknown processing of the file /seller/assets/backend/profile/addadhar.php. Performing a manipulation of the argument File results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 7.3 | CVE-2026-2164 | VDB-344866 | detronetdip E-commerce addadhar.php unrestricted upload VDB-344866 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751853 | detronetdip E-commerce 1.0 Remote Code Execution https://github.com/detronetdip/E-commerce/issues/23 https://github.com/Nixon-H/PHP-Unrestricted-Upload-RCE https://github.com/detronetdip/E-commerce/ |
| detronetdip--E-commerce | A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 7.3 | CVE-2026-2165 | VDB-344867 | detronetdip E-commerce Account Creation Endpoint add_seller.php missing authentication VDB-344867 | CTI Indicators (IOB, IOC, IOA) Submit #751857 | detronetdip E-commerce 1.0 Access Control Violation https://github.com/detronetdip/E-commerce/issues/23 https://github.com/Nixon-H/Unauthenticated-Admin-Account-Creation https://github.com/detronetdip/E-commerce/ |
| code-projects--Online Reviewer System | A security vulnerability has been detected in code-projects Online Reviewer System 1.0. The affected element is an unknown function of the file /login/index.php of the component Login. The manipulation of the argument username/password leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.3 | CVE-2026-2166 | VDB-344868 | code-projects Online Reviewer System Login index.php sql injection VDB-344868 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751858 | code-projects OnlineReviewerSystem 1.0 SQL Injection Submit #750018 | code-projects ONLINE REVIEWER SYSTEM V1.0 SQL Injection (Duplicate) https://github.com/liaoliao-hla/cve/issues/2 https://code-projects.org/ |
| code-projects--Online Student Management System | A vulnerability was found in code-projects Online Student Management System 1.0. Affected is an unknown function of the file accounts.php of the component Login. Performing a manipulation of the argument username/password results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-02-08 | 7.3 | CVE-2026-2171 | VDB-344872 | code-projects Online Student Management System Login accounts.php sql injection VDB-344872 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749233 | code-projects Online Student Management System in PHP unknown SQL Injection https://code-projects.org/ |
| code-projects--Online Application System for Admission | A vulnerability was determined in code-projects Online Application System for Admission 1.0. Affected by this vulnerability is an unknown functionality of the file enrollment/index.php of the component Login Endpoint. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 7.3 | CVE-2026-2172 | VDB-344873 | code-projects Online Application System for Admission Login Endpoint index.php sql injection VDB-344873 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749253 | code-projects Online Application System for Admission in PHP unknown SQL Injection https://code-projects.org/ |
| code-projects--Online Examination System | A vulnerability was identified in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. | 2026-02-08 | 7.3 | CVE-2026-2173 | VDB-344874 | code-projects Online Examination System login.php sql injection VDB-344874 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749255 | code-projects Online Examination System in PHP unknown sql https://code-projects.org/ |
| code-projects--Contact Management System | A security flaw has been discovered in code-projects Contact Management System 1.0. This affects an unknown part of the component CRUD Endpoint. The manipulation of the argument ID results in improper authentication. The attack may be launched remotely. | 2026-02-08 | 7.3 | CVE-2026-2174 | VDB-344875 | code-projects Contact Management System CRUD Endpoint improper authentication VDB-344875 | CTI Indicators (IOB, IOC, IOA) Submit #749262 | code-projects Contact Management System in PHP unknown Authentication Bypass Issues https://code-projects.org/ |
| D-Link--DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420618 of the file /goform/set_upnp. This manipulation of the argument upnp_enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2175 | VDB-344876 | D-Link DIR-823X set_upnp sub_420618 os command injection VDB-344876 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749263 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/31 https://www.dlink.com/ |
| SourceCodester--Prison Management System | A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixiation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 7.3 | CVE-2026-2177 | VDB-344880 | SourceCodester Prison Management System Login session fixiation VDB-344880 | CTI Indicators (IOB, IOC) Submit #749485 | SourceCodester Prison Management System Using PHP V1.0 Session Fixiation https://github.com/hater-us/CVE/issues/10 https://www.sourcecodester.com/ |
| UTT-- 521G | A weakness has been identified in UTT 进取 521G 3.1.1-190816. Affected by this issue is the function doSystem of the file /goform/setSysAdm. Executing a manipulation of the argument passwd1 can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2182 | VDB-344885 | UTT 进取 521G setSysAdm doSystem command injection VDB-344885 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749712 | UTT (艾泰) UTT521G NV521Gv2v3.1.1-190816 Command Injection https://github.com/cha0yang1/UTT521G/blob/main/RCE1.md https://github.com/cha0yang1/UTT521G/blob/main/RCE1.md#poc |
| Great Developers--Certificate Generation System | A vulnerability was detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This vulnerability affects unknown code of the file /restructured/csv.php. The manipulation of the argument photo results in os command injection. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The code repository of the project has not been active for many years. | 2026-02-08 | 7.3 | CVE-2026-2184 | VDB-344887 | Great Developers Certificate Generation System csv.php os command injection VDB-344887 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749714 | Great Developers Certificate Generator System 1.0 Improper Neutralization of Special Elements https://github.com/lakshayyverma/CVE-Discovery/blob/main/Certificate2.md |
| UTT-- 521G | A vulnerability was determined in UTT 进取 521G 3.1.1-190816. The impacted element is the function sub_446B18 of the file /goform/formPdbUpConfig. Executing a manipulation of the argument policyNames can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 7.2 | CVE-2026-2188 | VDB-344891 | UTT 进取 521G formPdbUpConfig sub_446B18 os command injection VDB-344891 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749733 | UTT (艾泰) UTT521G NV521Gv2v3.1.1-190816 Command Injection https://github.com/cha0yang1/UTT521G/blob/main/RCE2.md |
| itsourcecode--School Management System | A vulnerability was identified in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/report/index.php. The manipulation of the argument ay leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2026-02-08 | 7.3 | CVE-2026-2189 | VDB-344892 | itsourcecode School Management System index.php sql injection VDB-344892 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749746 | itsourcecode School Management System V1.0 SQL Injection https://github.com/angtas/cve/issues/1 https://itsourcecode.com/ |
| itsourcecode--School Management System | A security flaw has been discovered in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/user/controller.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 7.3 | CVE-2026-2190 | VDB-344893 | itsourcecode School Management System controller.php sql injection VDB-344893 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749783 | itsourcecode School Management System V1.0 SQL Injection https://github.com/yyue02/cve/issues/2 https://itsourcecode.com/ |
| Tenda--AC9 | A weakness has been identified in Tenda AC9 15.03.06.42_multi. Affected is the function formGetDdosDefenceList. This manipulation of the argument security.ddos.map causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2191 | VDB-344894 | Tenda AC9 formGetDdosDefenceList stack-based overflow VDB-344894 | CTI Indicators (IOB, IOC, IOA) Submit #749800 | Tenda AC9 v1.0/V3.0 V15.03.06.42_multi Stack-based Buffer Overflow https://github.com/glkfc/IoT-Vulnerability/blob/main/Tenda/tenda3.md https://www.tenda.com.cn/ |
| Tenda--AC9 | A security vulnerability has been detected in Tenda AC9 15.03.06.42_multi. Affected by this vulnerability is the function formGetRebootTimer. Such manipulation of the argument sys.schedulereboot.start_time/sys.schedulereboot.end_time leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.2 | CVE-2026-2192 | VDB-344895 | Tenda AC9 formGetRebootTimer stack-based overflow VDB-344895 | CTI Indicators (IOB, IOC, IOA) Submit #749801 | Tenda AC9 v1.0/V3.0 V15.03.06.42_multi Stack-based Buffer Overflow https://github.com/glkfc/IoT-Vulnerability/blob/main/Tenda/tenda4.md https://www.tenda.com.cn/ |
| code-projects--Online Reviewer System | A vulnerability has been found in code-projects Online Reviewer System 1.0. This vulnerability affects unknown code of the file /system/system/admins/assessments/pretest/questions-view.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 7.3 | CVE-2026-2195 | VDB-344898 | code-projects Online Reviewer System questions-view.php sql injection VDB-344898 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #750005 | code-projects Online Reviewer System V1 SQL Injection https://github.com/tiancesec/CVE/issues/16 https://code-projects.org/ |
| TeamViewer--Remote | Improper access control in the TeamViewer Full and Host clients (Windows, macOS, Linux) prior version 15.74.5 allows an authenticated user to bypass additional access controls with "Allow after confirmation" configuration in a remote session. An exploit could result in unauthorized access prior to local confirmation. The user needs to be authenticated for the remote session via ID/password, Session Link, or Easy Access as a prerequisite to exploit this vulnerability. | 2026-02-05 | 7.2 | CVE-2026-23572 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1003/ |
| apollographql--apollo-server | Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer. | 2026-02-04 | 7.5 | CVE-2026-23897 | https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7 https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643 https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4 |
| open-telemetry--opentelemetry-go | OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0. | 2026-02-02 | 7 | CVE-2026-24051 | https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53 |
| NVIDIA--Megatron-LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering. | 2026-02-03 | 7.8 | CVE-2026-24149 | NVD Mitre |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potential account takeover. This issue has been patched in version 4.2. | 2026-02-03 | 7.8 | CVE-2026-24669 | https://github.com/gunet/openeclass/security/advisories/GHSA-gcqq-fxw6-f866 |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2. | 2026-02-03 | 7.3 | CVE-2026-24672 | https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user identifiers. This issue has been patched in version 4.2. | 2026-02-03 | 7.5 | CVE-2026-24773 | https://github.com/gunet/openeclass/security/advisories/GHSA-63pm-pff4-xc9c |
| chainguard-dev--melange | melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3. | 2026-02-04 | 7.8 | CVE-2026-24844 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2 https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8 |
| Huawei--HarmonyOS | Heap-based buffer overflow vulnerability in the image module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 7.3 | CVE-2026-24925 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1. | 2026-02-04 | 7.5 | CVE-2026-25121 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14 |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1. | 2026-02-04 | 7.5 | CVE-2026-25140 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6 https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09 |
| chainguard-dev--melange | melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context. The vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (e.g., through pull request-driven CI, build-as-a-service, or by influencing melange configurations) can inject shell metacharacters such as backticks, command substitutions $(…), semicolons, pipes, or redirections to execute arbitrary commands with the privileges of the melange build process. This issue has been patched in version 0.40.3. | 2026-02-04 | 7.8 | CVE-2026-25143 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-rf4g-89h5-crcr https://github.com/chainguard-dev/melange/commit/bd132535cd9f57d4bd39d9ead0633598941af030 |
| openclaw--openclaw | OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29. | 2026-02-04 | 7.8 | CVE-2026-25157 | https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585 |
| fastify--fastify | Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2. | 2026-02-03 | 7.5 | CVE-2026-25223 | https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821 https://hackerone.com/reports/3464114 https://fastify.dev/docs/latest/Reference/Validation-and-Serialization https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125 https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, stack-based buffer overflow in icFixXml() function when processing malformed ICC profiles, allows potential arbitrary code execution through crafted NamedColor2 tags. This issue has been patched in version 2.3.1.2. | 2026-02-03 | 7.8 | CVE-2026-25502 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c2qq-jf7w-rm27 https://github.com/InternationalColorConsortium/iccDEV/issues/537 https://github.com/InternationalColorConsortium/iccDEV/pull/545 https://github.com/InternationalColorConsortium/iccDEV/commit/be5d7ec5cc137c084c08006aee8cd3ed378c7ac2 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ICC profiles to trigger undefined behavior when loading invalid icImageEncodingType values causing denial of service. This issue has been patched in version 2.3.1.2. | 2026-02-03 | 7.1 | CVE-2026-25503 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pf84-4c7q-x764 https://github.com/InternationalColorConsortium/iccDEV/issues/539 https://github.com/InternationalColorConsortium/iccDEV/pull/547 https://github.com/InternationalColorConsortium/iccDEV/commit/353e6517a31cb6ac9fdd44ac0103bc2fadb25175 |
| modelcontextprotocol--typescript-sdk | MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0. | 2026-02-04 | 7.1 | CVE-2026-25536 | https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7 https://github.com/modelcontextprotocol/typescript-sdk/issues/204 https://github.com/modelcontextprotocol/typescript-sdk/issues/243 |
| Coding-Solo--godot-mcp | Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec(), which spawns a shell. An attacker could inject shell metacharacters like $(command) or &calc to execute arbitrary commands with the privileges of the MCP server process. This affects any tool that accepts projectPath, including create_scene, add_node, load_sprite, and others. This issue has been patched in version 0.1.1. | 2026-02-04 | 7.8 | CVE-2026-25546 | https://github.com/Coding-Solo/godot-mcp/security/advisories/GHSA-8jx2-rhfh-q928 https://github.com/Coding-Solo/godot-mcp/issues/64 https://github.com/Coding-Solo/godot-mcp/pull/67 https://github.com/Coding-Solo/godot-mcp/commit/21c785d923cfdb471ea60323c13807d62dfecc5a |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow (read) vulnerability in CIccIO::WriteUInt16Float() when converting malformed XML to ICC profiles via iccFromXml tool. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25582 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-46hq-fphp-jggf https://github.com/InternationalColorConsortium/iccDEV/issues/559 https://github.com/InternationalColorConsortium/iccDEV/pull/561 https://github.com/InternationalColorConsortium/iccDEV/commit/b5e5dd238f609ec1a4efb25674e7fa4bd29d894a |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow vulnerability in CIccFileIO::Read8() when processing malformed ICC profile files via unchecked fread operation. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25583 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5ffg-r52h-fgw3 https://github.com/InternationalColorConsortium/iccDEV/issues/558 https://github.com/InternationalColorConsortium/iccDEV/pull/562 https://github.com/InternationalColorConsortium/iccDEV/commit/8a6df2d8dac1e971a18be66fa36e3a0d6584f919 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a stack-buffer-overflow vulnerability in CIccTagFloatNum<>::GetValues(). This is triggered when processing a malformed ICC profile. The vulnerability allows an out-of-bounds write on the stack, potentially leading to memory corruption, information disclosure, or code execution when processing specially crafted ICC files. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25584 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xjr3-v3vr-5794 https://github.com/InternationalColorConsortium/iccDEV/issues/551 https://github.com/InternationalColorConsortium/iccDEV/pull/565 https://github.com/InternationalColorConsortium/iccDEV/commit/c9cb108f58683bd87afca616dea3e4cdb884c23f |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a vulnerability IccCmm.cpp:5793 when reading through index during ICC profile processing. The malformed ICC profile triggers improper array bounds validation in the color management module, resulting in an out-of-bounds read that can lead to memory disclosure or segmentation fault from accessing memory beyond the array boundary. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25585 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pmqx-q624-jg6w https://github.com/InternationalColorConsortium/iccDEV/issues/552 https://github.com/InternationalColorConsortium/iccDEV/pull/563 https://github.com/InternationalColorConsortium/iccDEV/commit/ba81cd94b9c82b1d3905d45427badbd9d8adfa15 |
| Blesta--Blesta | Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. | 2026-02-03 | 7.5 | CVE-2026-25614 | https://www.blesta.com/2026/01/28/security-advisory/ |
| Blesta--Blesta | Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. | 2026-02-03 | 7.2 | CVE-2026-25615 | https://www.blesta.com/2026/01/28/security-advisory/ |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers overlap in CIccTagMultiProcessElement::Apply() int IccTagMPE.cpp. This vulnerability is fixed in 2.3.1.4. | 2026-02-06 | 7.8 | CVE-2026-25634 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-35rg-jcmp-583h https://github.com/InternationalColorConsortium/iccDEV/issues/577 https://github.com/InternationalColorConsortium/iccDEV/pull/579 https://github.com/InternationalColorConsortium/iccDEV/commit/9206e0b8684e4cf4186d9ae768f16760bc1af9ff https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.4 |
| pydantic--pydantic-ai | Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0. | 2026-02-06 | 7.1 | CVE-2026-25640 | https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-wjp5-868j-wqv7 https://github.com/pydantic/pydantic-ai/releases/tag/v1.51.0 |
| datahub-project--datahub | DataHub is an open-source metadata platform. Prior to version 1.3.1.8, the LDAP ingestion source is vulnerable to MITM attack through TLS downgrade. This issue has been patched in version 1.3.1.8. | 2026-02-06 | 7.5 | CVE-2026-25644 | https://github.com/datahub-project/datahub/security/advisories/GHSA-j34h-x7qg-4qw5 |
| kovidgoyal--calibre | calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0. | 2026-02-06 | 7.8 | CVE-2026-25731 | https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0. | 2026-02-06 | 7.5 | CVE-2026-25732 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115 https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82 |
| adonisjs--core | AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9. | 2026-02-06 | 7.2 | CVE-2026-25754 | https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9 |
| adonisjs--core | AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination. This issue has been patched in versions 10.1.3 and 11.0.0-next.9. | 2026-02-06 | 7.5 | CVE-2026-25762 | https://github.com/adonisjs/core/security/advisories/GHSA-xx9g-fh25-4q64 https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3 https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Sweethawk--Zendesk App SweetHawk Survey | Zendesk SweetHawk Survey 1.6 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through support ticket submissions. Attackers can insert XSS payloads like script tags into ticket text that automatically execute when survey pages are loaded by other users. | 2026-02-03 | 6.4 | CVE-2019-25263 | ExploitDB-47781 SweetHawk Survey App Vendor Homepage Zendesk Survey App Software Page VulnCheck Advisory: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting |
| Snipeitapp--IT Open Source Asset Management | Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users. | 2026-02-03 | 6.4 | CVE-2019-25264 | ExploitDB-47756 Official Vendor Homepage Snipe-IT Software Release v4.7.5 VulnCheck Advisory: Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting |
| Bigprof--Online Inventory Manager | Online Inventory Manager 3.2 contains a stored cross-site scripting vulnerability in the group description field of the admin edit groups section. Attackers can inject malicious JavaScript through the description field that will execute when the groups page is viewed, allowing potential cookie theft and client-side script execution. | 2026-02-03 | 6.4 | CVE-2019-25265 | ExploitDB-47725 Vendor Homepage Software Download Page VulnCheck Advisory: Online Inventory Manager 3.2 - Persistent Cross-Site Scripting |
| lolypop55--html5_snmp | html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the 'Remark' parameter in add_router_operation.php. Attackers can craft a POST request with a script payload in the Remark field to execute arbitrary JavaScript in victim browsers when the page is loaded. | 2026-02-06 | 6.4 | CVE-2019-25294 | ExploitDB-47587 Vendor Homepage VulnCheck Advisory: html5_snmp 1.11 - 'Remark' Persistent Cross-Site Scripting |
| thrsrossi--Millhouse Project | Millhouse-Project 1.414 contains a persistent cross-site scripting vulnerability in the comment submission functionality that allows attackers to inject malicious scripts. Attackers can post comments with embedded JavaScript through the 'content' parameter in add_comment_sql.php to execute arbitrary scripts in victim browsers. | 2026-02-06 | 6.4 | CVE-2019-25301 | ExploitDB-47583 Vendor Homepage VulnCheck Advisory: thrsrossi Millhouse-Project 1.414 - 'content' Persistent Cross-Site Scripting |
| Twinkle Toes Software--Booked Scheduler | Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows authenticated administrators to access unauthorized files. Attackers can exploit the vulnerable 'tn' parameter to read files outside the intended directory by manipulating directory path traversal techniques. | 2026-02-03 | 6.5 | CVE-2020-37077 | ExploitDB-48428 Booked Scheduler Official Website Archived Booked Scheduler SourceForge Page VulnCheck Advisory: Booked Scheduler 2.7.7 - Authenticated Directory Traversal |
| Rubikon Teknoloji--Easy Transfer | Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. Attackers can exploit the vulnerability by manipulating path parameters in GET and POST requests to list or download sensitive system files and inject malicious scripts into application parameters. | 2026-02-03 | 6.2 | CVE-2020-37086 | ExploitDB-48395 Vulnerability-Lab Advisory Official App Store Product Page VulnCheck Advisory: Easy Transfer 1.7 for iOS - Directory Traversal |
| Dnnsoftware--DotNetNuke | DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks. | 2026-02-03 | 6.4 | CVE-2020-37103 | ExploitDB-48124 DotNetNuke Official Vendor Homepage Vulnerability Analysis Blog Post VulnCheck Advisory: DotNetNuke 9.5 - Persistent Cross-Site Scripting |
| Davidvg--60CycleCMS | 60CycleCMS 2.5.2 contains a cross-site scripting (XSS) vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. Attackers can craft malicious URLs with XSS payloads targeting the 'etsu' and 'ltsu' parameters to execute arbitrary scripts in victim's browsers. This issue does not involve SQL injection. | 2026-02-03 | 6.1 | CVE-2020-37111 | ExploitDB-48177 Vendor Homepage Software Download Link VulnCheck Advisory: 60CycleCMS 2.5.2 - 'news.php' Cross-site Scripting (XSS) Vulnerability |
| Openeclass--GUnet OpenEclass | GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access. | 2026-02-03 | 6.5 | CVE-2020-37115 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - Plaintext Password Storage |
| EmTec--ZOC Terminal | ZOC Terminal 7.25.5 contains a script processing vulnerability that allows local attackers to crash the application by loading a maliciously crafted REXX script file. Attackers can generate an oversized script with 20,000 repeated characters to trigger an application crash and cause a denial of service. | 2026-02-05 | 6.2 | CVE-2020-37128 | ExploitDB-48302 Vendor Homepage VulnCheck Advisory: ZOC Terminal 7.25.5 - 'Script' Denial of Service |
| Nsauditor--Product Key Explorer | Nsauditor Product Key Explorer 4.2.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by inputting a specially crafted registration key. Attackers can generate a payload of 1000 bytes of repeated characters and paste it into the 'Key' input field to trigger the application crash. | 2026-02-05 | 6.2 | CVE-2020-37131 | ExploitDB-48284 Vendor Homepage VulnCheck Advisory: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service |
| UltraVNC Team--UltraVNC Launcher | UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allows local attackers to crash the application. Attackers can paste an overly long 300-character string into the password field to trigger an application crash and prevent normal launcher functionality. | 2026-02-05 | 6.2 | CVE-2020-37132 | ExploitDB-48290 UltraVNC Official Homepage VulnCheck Advisory: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service |
| PHP Fusion--PHP Fusion | PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code. | 2026-02-05 | 6.1 | CVE-2020-37137 | ExploitDB-48278 PHP Fusion Official Website VulnCheck Advisory: PHP-Fusion 9.03.50 - 'panels.php' Eval Injection |
| Veridium--SprintWork | SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. Local unprivileged users can exploit missing executable files and weak service configurations to create a new administrative user and gain complete system access. | 2026-02-06 | 6.2 | CVE-2020-37160 | ExploitDB-48070 Vendor Homepage Product Information Page VulnCheck Advisory: SprintWork 2.3.1 - Local Privilege Escalation |
| Celestial Software--AbsoluteTelnet | AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character payload and paste it into the license entry field to trigger an application crash. | 2026-02-06 | 6.2 | CVE-2020-37164 | ExploitDB-48005 Vendor Homepage VulnCheck Advisory: AbsoluteTelnet 11.12 - "license entry" Denial of Service |
| Celestial Software--AbsoluteTelnet | AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character payload and paste it into the license name field to trigger an application crash. | 2026-02-06 | 6.2 | CVE-2020-37165 | ExploitDB-48006 Vendor Homepage VulnCheck Advisory: AbsoluteTelnet 11.12 - "license name" Denial of Service |
| Celestial Software--AbsoluteTelnet | AbsoluteTelnet 11.12 contains a denial of service vulnerability in the SSH2 username input field that allows local attackers to crash the application. Attackers can overwrite the username field with a 1000-byte buffer, causing the application to become unresponsive and terminate. | 2026-02-06 | 6.2 | CVE-2020-37166 | ExploitDB-48010 Vendor Homepage VulnCheck Advisory: AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service |
| Raimersoft--TapinRadio | TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy address configuration that allows local attackers to crash the application. Attackers can overwrite the address field with 3000 bytes of arbitrary data to trigger an application crash and prevent normal program functionality. | 2026-02-06 | 6.2 | CVE-2020-37170 | ExploitDB-48011 TapinRadio Product Webpage VulnCheck Advisory: TapinRadio 2.12.3 - 'address' Denial of Service |
| Raimersoft--TapinRadio | TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy username configuration that allows local attackers to crash the application. Attackers can overwrite the username field with 10,000 bytes of arbitrary data to trigger an application crash and prevent normal program functionality. | 2026-02-06 | 6.2 | CVE-2020-37171 | ExploitDB-48013 TapinRadio Product Webpage VulnCheck Advisory: TapinRadio 2.12.3 - 'username' Denial of Service |
| Innomic--VibroLine VLX1 HD 5.0 | An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485). | 2026-02-02 | 6.5 | CVE-2022-50979 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Innomic--VibroLine VLX1 HD 5.0 | A unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN. | 2026-02-02 | 6.5 | CVE-2022-50980 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | 2026-02-04 | 6.3 | CVE-2024-43181 | https://www.ibm.com/support/pages/node/7257006 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. | 2026-02-04 | 6.5 | CVE-2024-51451 | https://www.ibm.com/support/pages/node/7257006 |
| boldthemes--Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-12159 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f492dcb6-0aa7-476d-bb85-c81a136d02a6?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_raw_content/bt_bb_raw_content.php#L25 |
| boldthemes--Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-12803 | https://www.wordfence.com/threat-intel/vulnerabilities/id/64f30329-ecf2-4e30-bc23-9d447e239e08?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php#L65 |
| boldthemes--Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-13463 | https://www.wordfence.com/threat-intel/vulnerabilities/id/865ff4bf-608e-45f0-a160-35581b82cc2b?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.3/content_elements/bt_bb_css_post_grid/bt_bb_css_post_grid.php#L46 https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.3/content_elements/bt_bb_css_post_grid/bt_bb_css_post_grid.js#L8 |
| IBM--webMethods Integration (on prem) - Integration Server | IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix2411.1 to IS_11.1_Core_Fix8 IBM webMethods Integration could disclose sensitive user information in server responses. | 2026-02-05 | 6.5 | CVE-2025-14150 | https://www.ibm.com/support/pages/node/7259518 |
| Docker Inc.--Docker Desktop | Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. The installer creates this directory without proper ownership verification, creating two exploitation scenarios: Scenario 1 (Persistent Attack): If a low-privileged attacker pre-creates C:\ProgramData\DockerDesktop before Docker Desktop installation, the attacker retains ownership of the directory even after the installer applies restrictive ACLs. At any time after installation completes, the attacker can modify the directory ACL (as the owner) and tamper with critical configuration files such as install-settings.json to specify a malicious credentialHelper, causing arbitrary code execution when any user runs Docker Desktop. Scenario 2 (TOCTOU Attack): During installation, there is a time-of-check-time-of-use (TOCTOU) race condition between when the installer creates C:\ProgramData\DockerDesktop and when it sets secure ACLs. A low-privileged attacker actively monitoring for the installation can inject malicious files (such as install-settings.json) with attacker-controlled ACLs during this window, achieving the same code execution outcome. | 2026-02-04 | 6.7 | CVE-2025-14740 | https://docs.docker.com/security/ https://www.zerodayinitiative.com/advisories/ZDI-CAN-28542/ https://www.zerodayinitiative.com/advisories/ZDI-CAN-28190/ |
| lwsdevelopers--MyRewards Loyalty Points and Rewards for WooCommerce Reward orders, referrals, product reviews and more | The MyRewards - Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values. | 2026-02-04 | 6.5 | CVE-2025-15260 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2591f473-44ff-4319-8b17-b0f793a29d66?source=cve https://plugins.trac.wordpress.org/browser/woorewards/tags/5.6.0/assets/lws-adminpanel/include/internal/editlistcontroler.php#L76 |
| boldthemes--Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-15267 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38a3b3bf-9538-4ae8-9da4-d4b48805763b?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.7/content_elements/bt_bb_accordion_item/bt_bb_accordion_item.php?marks=28#L28 |
| Tanium--Tanium Appliance | Tanium addressed an improper output sanitization vulnerability in Tanium Appliance. | 2026-02-05 | 6.6 | CVE-2025-15312 | TAN-2025-003 |
| Tanium--Engage | Tanium addressed a documentation issue in Engage. | 2026-02-05 | 6.6 | CVE-2025-15324 | TAN-2025-004 |
| Tanium--Discover | Tanium addressed an improper input validation vulnerability in Discover. | 2026-02-05 | 6.3 | CVE-2025-15325 | TAN-2025-005 |
| Tanium--Performance | Tanium addressed an incorrect default permissions vulnerability in Performance. | 2026-02-05 | 6.5 | CVE-2025-15336 | TAN-2025-029 |
| Tanium--Patch | Tanium addressed an incorrect default permissions vulnerability in Patch. | 2026-02-05 | 6.5 | CVE-2025-15337 | TAN-2025-029 |
| Tanium--Partner Integration | Tanium addressed an incorrect default permissions vulnerability in Partner Integration. | 2026-02-05 | 6.5 | CVE-2025-15338 | TAN-2025-029 |
| Tanium--Discover | Tanium addressed an incorrect default permissions vulnerability in Discover. | 2026-02-05 | 6.5 | CVE-2025-15339 | TAN-2025-029 |
| Tanium--Comply | Tanium addressed an incorrect default permissions vulnerability in Comply. | 2026-02-05 | 6.5 | CVE-2025-15340 | TAN-2025-029 |
| Tanium--Benchmark | Tanium addressed an incorrect default permissions vulnerability in Benchmark. | 2026-02-05 | 6.5 | CVE-2025-15341 | TAN-2025-029 |
| Tanium--Enforce | Tanium addressed an incorrect default permissions vulnerability in Enforce. | 2026-02-05 | 6.5 | CVE-2025-15343 | TAN-2025-032 |
| simonfairbairn--The Bucketlister | The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-07 | 6.5 | CVE-2025-15477 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fba36ebc-a396-4eb8-8cb6-afc50b9c974e?source=cve https://plugins.trac.wordpress.org/browser/the-bucketlister/tags/0.1.5/bucketlister.php#L19 |
| HCLSoftware--HCL DevOps Velocity | Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability is fixed in 5.1.7. | 2026-02-07 | 6.8 | CVE-2025-31990 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128585 |
| IBM--PowerVM Hypervisor | IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 could allow a local user with administration privileges to obtain sensitive information from a Virtual TPM through a series of PowerVM service procedures. | 2026-02-02 | 6 | CVE-2025-36238 | https://www.ibm.com/support/pages/node/7257556 |
| IBM--Cloud Pak for Business Automation | IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-02-02 | 6.4 | CVE-2025-36436 | https://www.ibm.com/support/pages/node/7259318 |
| Qualcomm, Inc.--Snapdragon | Memory corruption when calculating oversized partition sizes without proper checks. | 2026-02-02 | 6.8 | CVE-2025-47363 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while calculating offset from partition start point. | 2026-02-02 | 6.8 | CVE-2025-47364 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS when processing a received frame with an excessively large authentication information element. | 2026-02-02 | 6.5 | CVE-2025-47402 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| N/A--Moodle[.]org | A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet. | 2026-02-03 | 6.1 | CVE-2025-67851 | https://access.redhat.com/security/cve/CVE-2025-67851 RHBZ#2423841 https://moodle.org/mod/forum/discuss.php?d=471301 |
| nanomq--nanomq | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7. | 2026-02-04 | 6.5 | CVE-2025-68699 | https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b |
| Microsoft--Microsoft Edge (Chromium-based) | User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. | 2026-02-05 | 6.5 | CVE-2026-0391 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability |
| premmerce--Premmerce | The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premmerce_wizard_actions' AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing capability checks and insufficient input sanitization and output escaping on the `state` parameter. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the Premmerce Wizard admin page). | 2026-02-07 | 6.4 | CVE-2026-0555 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90b2a644-19a0-43a1-8ff6-7486d7ef29b3?source=cve https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Admin/Admin.php?marks=41#L41 https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Admin/Handlers/WizardHandler.php?marks=42,50,52#L42 https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Api/WizardApi.php?marks=38#L38 https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/views/admin/tabs/wizard.php?marks=30#L30 |
| webpurify--WebPurify Profanity Filter | The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settings. | 2026-02-04 | 6.5 | CVE-2026-0572 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9283f6ea-8bc4-4fdd-a0b9-05de127f34e4?source=cve https://plugins.trac.wordpress.org/browser/webpurifytextreplace/trunk/webpurifytextreplace-options.php?rev=2343695#L92 |
| zealopensource--Smart Appointment & Booking | The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-04 | 6.4 | CVE-2026-0742 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bf332c0d-5481-412d-b44a-b3de346d7b60?source=cve https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/admin/class.saab.admin.action.php#L1203 https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/admin/class.saab.admin.action.php#L1203 https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/front/class.saab.front.action.php#L2189 https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/front/class.saab.front.action.php#L2189 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3450387%40smart-appointment-booking&new=3450387%40smart-appointment-booking&sfp_email=&sfph_mail= |
| catchthemes--Essential Widgets | The Essential Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ew-author, ew-archive, ew-category, ew-page, and ew-menu shortcodes in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 3.0. | 2026-02-05 | 6.4 | CVE-2026-0867 | https://www.wordfence.com/threat-intel/vulnerabilities/id/08d4ed49-1338-422f-b55f-a102f2d1d6c8?source=cve https://plugins.trac.wordpress.org/changeset/3440541/essential-widgets https://plugins.trac.wordpress.org/changeset/3447282/essential-widgets |
| thehappymonster--Happy Addons for Elementor | The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-03 | 6.4 | CVE-2026-1210 | https://www.wordfence.com/threat-intel/vulnerabilities/id/df4b554a-0336-404c-b06c-2bc98c99997d?source=cve https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/svg-draw/widget.php#L732 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/svg-draw/widget.php#L732 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2055 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2055 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2120 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2120 https://plugins.trac.wordpress.org/changeset/3451894/happy-elementor-addons/trunk/widgets/svg-draw/widget.php?old=3312461&old_path=happy-elementor-addons%2Ftrunk%2Fwidgets%2Fsvg-draw%2Fwidget.php |
| jackdewey--Events Listing Widget | The Events Listing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Event URL' parameter in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1252 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f3b13a5-0711-4ad3-b11c-f8556e1ca9f9?source=cve https://plugins.trac.wordpress.org/browser/events-listing-widget/trunk/events-listing-widget.php#L266 https://plugins.trac.wordpress.org/browser/events-listing-widget/tags/1.3.4/events-listing-widget.php#L266 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451446%40events-listing-widget&new=3451446%40events-listing-widget&sfp_email=&sfph_mail= |
| brechtvds--Dynamic Widget Content | The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-05 | 6.4 | CVE-2026-1268 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5324ca6d-37cb-41e4-8355-80ca113f855e?source=cve https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L64 https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L70 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444655%40dynamic-widget-content&new=3444655%40dynamic-widget-content&sfp_email=&sfph_mail= |
| cyberlord92--Employee Directory Staff Directory and Listing | The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_title' parameter in the `search_employee_directory` shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1279 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f0d3b54c-6244-4776-be3c-afe3a28a2b8a?source=cve https://plugins.trac.wordpress.org/browser/employee-staff-directory/trunk/handler/mo-empdir-search_handler.php#L29 https://wordpress.org/plugins/employee-staff-directory https://plugins.trac.wordpress.org/browser/employee-staff-directory/tags/1.2.1/handler/mo-empdir-search_handler.php#L29 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448620%40employee-staff-directory&new=3448620%40employee-staff-directory |
| yoast--Yoast SEO Advanced SEO with real-time guidance and built-in AI | The Yoast SEO - Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1293 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8b2e7c2d-ed2f-439b-9cee-f2e5d46121b6?source=cve https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/presenters/schema-presenter.php#L49 https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/inc/class-wpseo-utils.php#L915 https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/generators/schema-generator.php#L188 |
| themeisle--Robin Image Optimizer Unlimited Image Optimization & WebP Converter | The Robin Image Optimizer - Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-05 | 6.4 | CVE-2026-1319 | https://www.wordfence.com/threat-intel/vulnerabilities/id/288cd86b-8d13-46bf-99ef-76698cd62a41?source=cve https://plugins.trac.wordpress.org/changeset/3445467/robin-image-optimizer/tags/2.0.3/libs/addons/includes/classes/webp/vendor/rosell-dk/dom-util-for-webp/src/PictureTags.php |
| jackdewey--Tune Library | The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode. | 2026-02-06 | 6.4 | CVE-2026-1401 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cd600810-b1bc-4025-b441-5c90da7240de?source=cve https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L219 https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L235 https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/writeNodes.php#L113 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451457%40tune-library&new=3451457%40tune-library&sfp_email=&sfph_mail= |
| dannycarlton--Simple Bible Verse via Shortcode | The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `verse` shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1570 | https://www.wordfence.com/threat-intel/vulnerabilities/id/098b979f-337d-4fbd-bfcc-0e8a281e6982?source=cve https://plugins.trac.wordpress.org/browser/simple-bible-verse-via-shortcode/trunk/index.php#L40 |
| omi-mexico--OMIGO | The OMIGO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `omigo_donate_button` shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1573 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f2cf46e6-a732-45c4-ad18-607009d7a586?source=cve https://plugins.trac.wordpress.org/browser/omigo/trunk/omigo.php?rev=2778497#L386 |
| Foxit Software Inc.--pdfonline.foxit.com | Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the file upload feature. A malicious username is embedded into the upload file list without proper escaping, allowing arbitrary JavaScript execution when the list is displayed. This issue affects pdfonline.foxit.com: before 2026‑02‑03. | 2026-02-03 | 6.3 | CVE-2026-1591 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--pdfonline.foxit.com | Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the Create New Layer feature. Unsanitized user input is embedded into the HTML output, allowing arbitrary JavaScript execution when the layer is referenced. This issue affects pdfonline.foxit.com: before 2026‑02‑03. | 2026-02-03 | 6.3 | CVE-2026-1592 | https://www.foxit.com/support/security-bulletins.html |
| tigor4eg--Video Onclick | The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `youtube` shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1608 | https://www.wordfence.com/threat-intel/vulnerabilities/id/73ddf729-da69-4d0b-866f-34a92ec72800?source=cve https://plugins.trac.wordpress.org/browser/video-onclick/tags/0.4.7/video-onclick.php#L109 |
| jmrukkers--Wikiloops Track Player | The Wikiloops Track Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wikiloops` shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1611 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cb472bdb-de35-45e4-bcea-04f27d425817?source=cve https://plugins.trac.wordpress.org/browser/wikiloops-track-player/tags/1.0.1/Wikiloops-Track-Player.php#L19 |
| mrlister1--Wonka Slide | The Wonka Slide plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `list_class` shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1613 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f15f0211-724d-45b5-bf2f-7482f77c474d?source=cve https://plugins.trac.wordpress.org/browser/wonka-slide/trunk/admin/class-wonka-slide-build.php#L65 |
| alexdtn--Subitem AL Slider | The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-02-07 | 6.1 | CVE-2026-1634 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bfeff72-27de-46a9-b947-f60255b5d062?source=cve https://wordpress.org/plugins/subitem-al-slider/ https://plugins.trac.wordpress.org/browser/subitem-al-slider/trunk/templates/tab1_block1.tpl#L11 https://plugins.trac.wordpress.org/browser/subitem-al-slider/tags/1.0.0/templates/tab1_block1.tpl#L11 |
| ariagle--MP-Ukagaka | The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-02-07 | 6.1 | CVE-2026-1643 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14c3b53c-ba98-4e93-ba65-6da11816d7a6?source=cve https://wordpress.org/plugins/mp-ukagaka/ https://plugins.trac.wordpress.org/browser/mp-ukagaka/trunk/options.php#L160 https://plugins.trac.wordpress.org/browser/mp-ukagaka/tags/1.5.2/options.php#L160 |
| pkthree--Peters Date Countdown | The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-02-05 | 6.1 | CVE-2026-1654 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f8f8e436-2679-4ecb-831e-2b22dd99be32?source=cve https://plugins.trac.wordpress.org/browser/peters-date-countdown/tags/2.0.0/datecountdown.php#L246 https://plugins.trac.wordpress.org/changeset/3450122/ |
| EFM--ipTIME A8004T | A vulnerability was determined in EFM ipTIME A8004T 14.18.2. Affected is the function httpcon_check_session_url of the file /sess-bin/d.cgi of the component Debug Interface. This manipulation of the argument cmd causes backdoor. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 6.6 | CVE-2026-1741 | VDB-343640 | EFM ipTIME A8004T Debug d.cgi httpcon_check_session_url backdoor VDB-343640 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741423 | EFM IPTIME A8004T 14.18.2 Command Injection https://github.com/LX-LX88/cve/issues/28 |
| n/a--JeecgBoot | A vulnerability was identified in JeecgBoot 3.9.0. This vulnerability affects unknown code of the file /JeecgBoot/sys/api/loadDictItemByKeyword of the component Online Report API. Such manipulation of the argument keyword leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 6.3 | CVE-2026-1746 | VDB-343677 | JeecgBoot Online Report API loadDictItemByKeyword sql injection VDB-343677 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741647 | Beijing Guoju Information Technology Co., Ltd JeecgBoot 3.9.0 SQL Injection https://www.yuque.com/meizhiyuwai/sks4nu/clircmda9b8q66lo?singleDoc |
| themeisle--Menu Icons by ThemeIsle | The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_wp_attachment_image_alt' post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-03 | 6.4 | CVE-2026-1755 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30bfa616-c7f3-4ff0-85b3-468debc8a73e?source=cve https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.20/includes/front.php#L497 https://plugins.trac.wordpress.org/changeset/3452685/menu-icons |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system. | 2026-02-02 | 6.2 | CVE-2026-1757 | https://access.redhat.com/security/cve/CVE-2026-1757 RHBZ#2435940 |
| ravanh--Orange Comfort+ accessibility toolbar for WordPress | The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplus_button shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1808 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89cb81c3-25d7-4a4e-beed-558ea8ce721d?source=cve https://plugins.trac.wordpress.org/browser/orange-confort-plus/trunk/inc/class-shortcode.php#L50 https://plugins.trac.wordpress.org/browser/orange-confort-plus/tags/0.7/inc/class-shortcode.php#L50 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3453313%40orange-confort-plus&new=3453313%40orange-confort-plus&sfp_email=&sfph_mail= |
| bolo-blog--bolo-solo | A vulnerability was detected in bolo-blog bolo-solo up to 2.6.4. The impacted element is the function unpackFilteredZip of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component ZIP File Handler. Performing a manipulation of the argument File results in path traversal. The attack is possible to be carried out remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1810 | VDB-343978 | bolo-blog bolo-solo ZIP File BackupService.java unpackFilteredZip path traversal VDB-343978 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742422 | https://github.com/bolo-blog/bolo-solo/ bolo-solo V2.6.4 Write any file https://github.com/bolo-blog/bolo-solo/issues/326 https://github.com/bolo-blog/bolo-solo/ |
| bolo-blog--bolo-solo | A flaw has been found in bolo-blog bolo-solo up to 2.6.4. This affects the function importFromMarkdown of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. Executing a manipulation of the argument File can lead to path traversal. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1811 | VDB-343979 | bolo-blog bolo-solo Filename BackupService.java importFromMarkdown path traversal VDB-343979 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742437 | https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary File Write and Remote Code Execution https://github.com/bolo-blog/bolo-solo/issues/327 https://github.com/bolo-blog/bolo-solo/ |
| bolo-blog--bolo-solo | A vulnerability has been found in bolo-blog bolo-solo up to 2.6.4. This impacts the function importFromCnblogs of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. The manipulation of the argument File leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1812 | VDB-343980 | bolo-blog bolo-solo Filename BackupService.java importFromCnblogs path traversal VDB-343980 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742582 | https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary file write https://github.com/bolo-blog/bolo-solo/issues/328 https://github.com/bolo-blog/bolo-solo/ |
| bolo-blog--bolo-solo | A vulnerability was found in bolo-blog bolo-solo up to 2.6.4. Affected is an unknown function of the file src/main/java/org/b3log/solo/bolo/pic/PicUploadProcessor.java of the component FreeMarker Template Handler. The manipulation of the argument File results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1813 | VDB-343981 | bolo-blog bolo-solo FreeMarker Template PicUploadProcessor.java unrestricted upload VDB-343981 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743402 | https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary File Write and RCE https://github.com/bolo-blog/bolo-solo/issues/329 https://github.com/bolo-blog/bolo-solo/ |
| htplugins--Docus YouTube Video Playlist | The Docus - YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1888 | https://www.wordfence.com/threat-intel/vulnerabilities/id/16c6fec8-81ec-477a-9942-10fd3adb8fa4?source=cve https://plugins.trac.wordpress.org/browser/docus/trunk/includes/class.shortcode.php#L55 https://plugins.trac.wordpress.org/browser/docus/tags/1.0.6/includes/class.shortcode.php#L55 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454510%40docus&new=3454510%40docus&sfp_email=&sfph_mail= |
| n/a--WeKan | A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results in improper authorization. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. The patch is named 251d49eea94834cf351bb395808f4a56fb4dbb44. Upgrading the affected component is recommended. | 2026-02-04 | 6.3 | CVE-2026-1894 | VDB-344266 | WeKan REST API checklistItems.js Checklist REST Bleed improper authorization VDB-344266 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742663 | Wekan <8.21 IDOR via REST API / improper object relationship validation https://github.com/wekan/wekan/commit/251d49eea94834cf351bb395808f4a56fb4dbb44 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. Upgrading to version 8.21 is able to address this issue. This patch is called 8c0b4f79d8582932528ec2fdf2a4487c86770fb9. It is recommended to upgrade the affected component. | 2026-02-04 | 6.3 | CVE-2026-1895 | VDB-344267 | WeKan Attachment Storage lists.js applyWipLimit ListWIPBleed access control VDB-344267 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742666 | Wekan <8.21 Improper access control (CWE-284) https://github.com/wekan/wekan/commit/8c0b4f79d8582932528ec2fdf2a4487c86770fb9 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack is possible to be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affected component is advised. | 2026-02-04 | 6.3 | CVE-2026-1896 | VDB-344268 | WeKan Migration Operation comprehensiveBoardMigration.js ComprehensiveBoardMigration MigrationBleed access control VDB-344268 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742670 | Wekan <8.21 Improper access control on administrative migration methods (CWE https://github.com/wekan/wekan/commit/cc35dafef57ef6e44a514a523f9a8d891e74ad8f https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to mitigate this issue. Patch name: 146905a459106b5d00b4f09453a6554255e6965a. You should upgrade the affected component. | 2026-02-05 | 6.3 | CVE-2026-1898 | VDB-344270 | WeKan LDAP User Sync syncUser.js SyncLDAPBleed access control VDB-344270 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742676 | Wekan <8.21 Missing authorization on admin function (CWE-284) https://github.com/wekan/wekan/commit/146905a459106b5d00b4f09453a6554255e6965a https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| x-raym--WaveSurfer-WP | The WaveSurfer-WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's audio shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on the 'src' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1909 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b507462d-1ce2-4463-93bf-635ee78274f6?source=cve https://plugins.trac.wordpress.org/browser/wavesurfer-wp/trunk/wavesurfer-wp.php#L739 https://plugins.trac.wordpress.org/browser/wavesurfer-wp/tags/2.8.3/wavesurfer-wp.php#L739 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454006%40wavesurfer-wp&new=3454006%40wavesurfer-wp&sfp_email=&sfph_mail= |
| n/a--WeKan | A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component. | 2026-02-05 | 6.3 | CVE-2026-1962 | VDB-344484 | WeKan Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control VDB-344484 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742677 | Wekan <8.21 Improper access control on migration endpoints (CWE-284) https://github.com/wekan/wekan/commit/053bf1dfb76ef230db162c64a6ed50ebedf67eee https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgrading to version 8.21 mitigates this issue. The patch is identified as c413a7e860bc4d93fe2adcf82516228570bf382d. Upgrading the affected component is advised. | 2026-02-05 | 6.3 | CVE-2026-1963 | VDB-344485 | WeKan Attachment Storage attachments.js MoveStorageBleed access control VDB-344485 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742678 | Wekan <8.21 Improper access control (CWE-284) https://github.com/wekan/wekan/commit/c413a7e860bc4d93fe2adcf82516228570bf382d https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| isaacwasserman--mcp-vegalite-server | A security vulnerability has been detected in isaacwasserman mcp-vegalite-server up to 16aefed598b8cd897b78e99b907f6e2984572c61. Affected by this vulnerability is the function eval of the component visualize_data. Such manipulation of the argument vegalite_specification leads to code injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 6.3 | CVE-2026-1977 | VDB-344499 | isaacwasserman mcp-vegalite-server visualize_data eval code injection VDB-344499 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743246 | GitHub mcp-vegalite-server master Code Injection https://github.com/isaacwasserman/mcp-vegalite-server/issues/9 https://github.com/isaacwasserman/mcp-vegalite-server/ |
| abhiphile--fermat-mcp | A vulnerability was detected in abhiphile fermat-mcp up to 47f11def1cd37e45dd060f30cdce346cbdbd6f0a. This vulnerability affects the function eqn_chart of the file fmcp/mpl_mcp/core/eqn_chart.py. Performing a manipulation of the argument equations results in code injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 6.3 | CVE-2026-2008 | VDB-344590 | abhiphile fermat-mcp eqn_chart.py eqn_chart code injection VDB-344590 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743458 | GitHub fermat-mcp master Code Injection https://github.com/abhiphile/fermat-mcp/issues/9 https://github.com/abhiphile/fermat-mcp/issues/9#issue-3837794397 https://github.com/abhiphile/fermat-mcp/ |
| SourceCodester--Gas Agency Management System | A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/php_action/createUser.php. Executing a manipulation can lead to improper access controls. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-02-06 | 6.3 | CVE-2026-2009 | VDB-344591 | SourceCodester Gas Agency Management System createUser.php access control VDB-344591 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743459 | SourceCodester Gas Agency Management System 1.0 Improper Access Controls https://github.com/Asim-QAZi/Improper-Access-Control-in-SourceCodester-Gas-Agency-Management-System https://www.sourcecodester.com/ |
| Portabilis--i-Educar | A weakness has been identified in Portabilis i-Educar up to 2.10. Affected is an unknown function of the file FinalStatusImportService.php of the component Final Status Import. Executing a manipulation of the argument school_id can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 6.3 | CVE-2026-2015 | VDB-344597 | Portabilis i-Educar Final Status Import FinalStatusImportService.php improper authorization VDB-344597 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743760 | Portabilis i-Educar 2.0 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 Improper Authorization https://github.com/ViniCastro2001/Security_Reports/tree/main/i-educar/BFLA-Final-Status-Import https://github.com/ViniCastro2001/Security_Reports/tree/main/i-educar/BFLA-Final-Status-Import#proof-of-concept-poc |
| Flycatcher Toys--smART Pixelator | A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 6.3 | CVE-2026-2065 | VDB-344632 | Flycatcher Toys smART Pixelator Bluetooth Low Energy missing authentication VDB-344632 | CTI Indicators (IOB, IOC) Submit #745129 | Flycatcher Toys smART Pixelator 2.0 2.0 Missing Authentication https://github.com/davidrxchester/smart-pixelator-upload https://github.com/davidrxchester/smart-pixelator-upload/blob/main/poc.py |
| n/a--O2OA | A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 6.3 | CVE-2026-2074 | VDB-344640 | O2OA HTTP POST Request check xml external entity reference VDB-344640 | CTI Indicators (IOB, IOC, IOA) Submit #745486 | 浙江兰德纵横网络技术股份有限公司 O2OA v6.1.0 至 v9.0.0 XML实体注入漏洞 Submit #745489 | O2OA开发平台 O2OA v6.1.0 至 v9.0.0 XML实体注入漏洞 (Duplicate) https://github.com/SourByte05/SourByte-Lab/issues/7 |
| yeqifu--warehouse | A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function saveRolePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role-Permission Binding Handler. The manipulation results in improper access controls. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2075 | VDB-344641 | yeqifu warehouse Role-Permission Binding RoleController.java saveRolePermission access control VDB-344641 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745508 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Im https://github.com/yeqifu/warehouse/issues/52 https://github.com/yeqifu/warehouse/issues/52#issue-3846645856 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this vulnerability is the function addUser/updateUser/deleteUser of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component User Management Endpoint. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2076 | VDB-344642 | yeqifu warehouse User Management Endpoint UserController.java deleteUser improper authorization VDB-344642 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745509 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/53 https://github.com/yeqifu/warehouse/issues/53#issue-3846651070 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role Management Handler. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2077 | VDB-344643 | yeqifu warehouse Role Management RoleController.java deleteRole improper authorization VDB-344643 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745512 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/54 https://github.com/yeqifu/warehouse/issues/54#issue-3846654129 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A vulnerability was detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addPermission/updatePermission/deletePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\PermissionController.java of the component Permission Management. Performing a manipulation results in improper authorization. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2078 | VDB-344644 | yeqifu warehouse Permission Management PermissionController.java deletePermission improper authorization VDB-344644 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745513 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/55 https://github.com/yeqifu/warehouse/issues/55#issue-3846656775 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\MenuController.java of the component Menu Management. Executing a manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2079 | VDB-344645 | yeqifu warehouse Menu Management MenuController.java deleteMenu improper authorization VDB-344645 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745514 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/56 https://github.com/yeqifu/warehouse/issues/56#issue-3846659524 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\DeptController.java of the component Department Management. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2105 | VDB-344681 | yeqifu warehouse Department Management DeptController.java deleteDept improper authorization VDB-344681 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745515 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/57 https://github.com/yeqifu/warehouse/issues/57#issue-3846662068 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\NoticeController.java of the component Notice Management. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2106 | VDB-344682 | yeqifu warehouse Notice Management NoticeController.java batchDeleteNotice improper authorization VDB-344682 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745516 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/58 https://github.com/yeqifu/warehouse/issues/58#issue-3846664260 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\LoginfoController.java of the component Log Info Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2107 | VDB-344683 | yeqifu warehouse Log Info LoginfoController.java batchDeleteLoginfo improper authorization VDB-344683 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745517 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/59 https://github.com/yeqifu/warehouse/issues/59#issue-3846665806 https://github.com/yeqifu/warehouse/ |
| Xiaopi--Panel | A security flaw has been discovered in Xiaopi Panel up to 20260126. This impacts an unknown function of the file /demo.php of the component WAF Firewall. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-08 | 6.3 | CVE-2026-2122 | VDB-344695 | Xiaopi Panel WAF Firewall demo.php sql injection VDB-344695 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746917 | Xiaopi Web Application Firewall V1.0.0 Bypass https://github.com/ltranquility/CVE/issues/37 |
| BurtTheCoder--mcp-maigret | A vulnerability was determined in BurtTheCoder mcp-maigret up to 1.0.12. This affects an unknown part of the file src/index.ts of the component search_username. Executing a manipulation of the argument Username can lead to command injection. The attack may be launched remotely. Upgrading to version 1.0.13 is able to mitigate this issue. This patch is called b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a. Upgrading the affected component is advised. | 2026-02-08 | 6.3 | CVE-2026-2130 | VDB-344765 | BurtTheCoder mcp-maigret search_username index.ts command injection VDB-344765 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747171 | GitHub mcp-maigret v1.0.12 Command Injection https://github.com/BurtTheCoder/mcp-maigret/issues/9 https://github.com/BurtTheCoder/mcp-maigret/pull/10 https://github.com/BurtTheCoder/mcp-maigret/commit/b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a https://github.com/BurtTheCoder/mcp-maigret/releases/tag/v1.0.13 https://github.com/BurtTheCoder/mcp-maigret/ |
| XixianLiang--HarmonyOS-mcp-server | A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-02-08 | 6.3 | CVE-2026-2131 | VDB-344766 | XixianLiang HarmonyOS-mcp-server input_text os command injection VDB-344766 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747209 | GitHub HarmonyOS-mcp-server v0.1.0 Command Injection https://github.com/scanleale/MCP_sec/blob/main/HarmonyOS-mcp-server%20RCE%20vulnerability.md |
| UTT--HiPER 810 | A vulnerability was detected in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_43F020 of the file /goform/formPdbUpConfig. Performing a manipulation of the argument policyNames results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-02-08 | 6.3 | CVE-2026-2135 | VDB-344770 | UTT HiPER 810 formPdbUpConfig sub_43F020 command injection VDB-344770 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747222 | UTT (艾泰) HiPER 810 nv810v4v1.7.4-141218 Command Injection https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme2.md |
| WuKongOpenSource--WukongCRM | A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-08 | 6.3 | CVE-2026-2141 | VDB-344776 | WuKongOpenSource WukongCRM URL PermissionServiceImpl.java improper authorization VDB-344776 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747264 | 郑州卡卡罗特软件科技有限公司 WukongCRM WukongCRM-11.x-JAVA logical flaw vulnerability https://github.com/SourByte05/SourByte-Lab/issues/8 |
| guchengwuyue--yshopmall | A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 6.3 | CVE-2026-2146 | VDB-344848 | guchengwuyue yshopmall co.yixiang.utils.FileUtil updateAvatar unrestricted upload VDB-344848 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747409 | https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 Incomplete Identification of Uploaded File Variables https://github.com/guchengwuyue/yshopmall/issues/40 https://github.com/guchengwuyue/yshopmall/issues/40#issue-3860542812 https://github.com/guchengwuyue/yshopmall/ |
| Totolink--WA300 | A vulnerability was detected in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setAPNetwork of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument Ipaddr results in os command injection. The attack may be performed from remote. The exploit is now public and may be used. | 2026-02-08 | 6.3 | CVE-2026-2167 | VDB-344869 | Totolink WA300 cstecgi.cgi setAPNetwork os command injection VDB-344869 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752063 | TOTOLINK WA300 V5.2cu.7112_B20190227 OS Command Injection https://github.com/master-abc/cve/issues/36 https://www.totolink.net/ |
| D-Link--DWR-M921 | A flaw has been found in D-Link DWR-M921 1.1.50. This affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. This manipulation of the argument fota_url causes command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-02-08 | 6.3 | CVE-2026-2168 | VDB-344870 | D-Link DWR-M921 formLtefotaUpgradeQuectel sub_419920 command injection VDB-344870 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748838 | D-Link DWR-M921 V1.1.50 Command Injection https://github.com/LX-66-LX/cve-new/issues/2 https://www.dlink.com/ |
| D-Link--DWR-M921 | A vulnerability has been found in D-Link DWR-M921 1.1.50. This impacts an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 6.3 | CVE-2026-2169 | VDB-344871 | D-Link DWR-M921 formLtefotaUpgradeFibocom command injection VDB-344871 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748930 | D-Link DWR-M921 V1.1.50 Command Injection https://github.com/LX-66-LX/cve-new/issues/3 https://www.dlink.com/ |
| code-projects--Contact Management System | A security vulnerability has been detected in code-projects Contact Management System 1.0. This issue affects some unknown processing of the file index.py. Such manipulation of the argument selecteditem[0] leads to sql injection. The attack can be executed remotely. | 2026-02-08 | 6.3 | CVE-2026-2176 | VDB-344877 | code-projects Contact Management System index.py sql injection VDB-344877 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749264 | code-projects Contact Management System in Python unknown SQL Injection https://code-projects.org/ |
| r-huijts--xcode-mcp-server | A vulnerability was found in r-huijts xcode-mcp-server up to f3419f00117aa9949e326f78cc940166c88f18cb. This affects the function registerXcodeTools of the file src/tools/xcode/index.ts of the component run_lldb. The manipulation of the argument args results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The patch is identified as 11f8d6bacadd153beee649f92a78a9dad761f56f. Applying a patch is advised to resolve this issue. | 2026-02-08 | 6.3 | CVE-2026-2178 | VDB-344881 | r-huijts xcode-mcp-server run_lldb index.ts registerXcodeTools command injection VDB-344881 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749569 | GitHub xcode-mcp-server master Command Injection https://github.com/r-huijts/xcode-mcp-server/issues/13 https://github.com/r-huijts/xcode-mcp-server/issues/13#issue-3878065790 https://github.com/r-huijts/xcode-mcp-server/commit/11f8d6bacadd153beee649f92a78a9dad761f56f https://github.com/r-huijts/xcode-mcp-server/ |
| Great Developers--Certificate Generation System | A security vulnerability has been detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This affects an unknown part of the file /restructured/csv.php. The manipulation leads to unrestricted upload. Remote exploitation of the attack is possible. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The code repository of the project has not been active for many years. | 2026-02-08 | 6.3 | CVE-2026-2183 | VDB-344886 | Great Developers Certificate Generation System csv.php unrestricted upload VDB-344886 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749713 | Great Developers Certificate Generator System 1.0 Unrestricted Upload https://github.com/lakshayyverma/CVE-Discovery/blob/main/Certificate.md |
| D-Link--DI-7100G C1 | A vulnerability was detected in D-Link DI-7100G C1 24.04.18D1. Affected by this issue is the function set_jhttpd_info. Performing a manipulation of the argument usb_username results in command injection. Remote exploitation of the attack is possible. | 2026-02-08 | 6.3 | CVE-2026-2193 | VDB-344896 | D-Link DI-7100G C1 set_jhttpd_info command injection VDB-344896 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749803 | D-Link DI-7100G C1, 24.04.18D1 Command Injection https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_4.md https://www.dlink.com/ |
| D-Link--DI-7100G C1 | A flaw has been found in D-Link DI-7100G C1 24.04.18D1. This affects the function start_proxy_client_email. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been published and may be used. | 2026-02-08 | 6.3 | CVE-2026-2194 | VDB-344897 | D-Link DI-7100G C1 start_proxy_client_email command injection VDB-344897 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749804 | D-Link DI-7100G C1: 2020/02/21, 24.04.18D1: 2024/04/18 Command Injection https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_3.md https://www.dlink.com/ |
| glpi-project--glpi | GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23. | 2026-02-04 | 6.5 | CVE-2026-22044 | https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385 https://github.com/glpi-project/glpi/releases/tag/10.0.23 |
| n/a--WeKan | A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component. | 2026-02-08 | 6.3 | CVE-2026-2206 | VDB-344920 | WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control VDB-344920 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752162 | Wekan <8.21 Improper access control on administrative repair method https://github.com/wekan/wekan/commit/4ce181d17249778094f73d21515f7f863f554743 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotely. Upgrading to version 8.19 is sufficient to fix this issue. The patch is identified as f244a43771f6ebf40218b83b9f46dba6b940d7de. It is suggested to upgrade the affected component. | 2026-02-08 | 6.3 | CVE-2026-2209 | VDB-344923 | WeKan Custom Translation translationBody.js setCreateTranslation improper authorization VDB-344923 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752269 | Wekan <8.20 IDOR in setCreateTranslation. Non-admin could change Custom Tran https://github.com/wekan/wekan/commit/f244a43771f6ebf40218b83b9f46dba6b940d7de https://github.com/wekan/wekan/releases/tag/v8.19 https://github.com/wekan/wekan/ |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | 6.5 | CVE-2026-22592 | https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57 |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | 6.5 | CVE-2026-23632 | https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | 6.5 | CVE-2026-23633 | https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g |
| Kubernetes--ingress-nginx | A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory. | 2026-02-03 | 6.5 | CVE-2026-24514 | https://github.com/kubernetes/kubernetes/issues/136680 |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted endpoints allows attackers to induce authenticated teachers to perform unintended actions, such as modifying assignment grades, via crafted requests. This issue has been patched in version 4.2. | 2026-02-03 | 6.5 | CVE-2026-24666 | https://github.com/gunet/openeclass/security/advisories/GHSA-cgmh-73qg-28fm |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2. | 2026-02-03 | 6.5 | CVE-2026-24668 | https://github.com/gunet/openeclass/security/advisories/GHSA-22cq-9fr7-fq6v |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create new course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2. | 2026-02-03 | 6.5 | CVE-2026-24670 | https://github.com/gunet/openeclass/security/advisories/GHSA-4jf5-636r-hv9v |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-privileged users (teachers or administrators) to inject malicious JavaScript into multiple user-controllable input fields across the application, which is executed when other users access affected pages. This issue has been patched in version 4.2. | 2026-02-03 | 6.1 | CVE-2026-24671 | https://github.com/gunet/openeclass/security/advisories/GHSA-2x83-4fh2-fcw7 |
| Huawei--HarmonyOS | Out-of-bounds read issue in the media subsystem. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2026-02-06 | 6.2 | CVE-2026-24915 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ https://consumer.huawei.com/en/support/bulletinvision/2026/2/ |
| Huawei--HarmonyOS | UAF vulnerability in the security module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.5 | CVE-2026-24917 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei--HarmonyOS | Address read vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.8 | CVE-2026-24918 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ https://consumer.huawei.com/en/support/bulletinvision/2026/2/ |
| Huawei--HarmonyOS | Out-of-bounds write vulnerability in the DFX module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6 | CVE-2026-24919 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei--HarmonyOS | Permission control vulnerability in the AMS module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.2 | CVE-2026-24920 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinvision/2026/2/ |
| Huawei--HarmonyOS | Buffer overflow vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.9 | CVE-2026-24922 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Huawei--HarmonyOS | Permission control vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 6.3 | CVE-2026-24923 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Huawei--HarmonyOS | Vulnerability of improper permission control in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 6.1 | CVE-2026-24924 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| openclaw--openclaw | OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30. | 2026-02-04 | 6.5 | CVE-2026-25475 | https://github.com/openclaw/openclaw/security/advisories/GHSA-r8g4-86fx-92mq |
| espressif--esp-idf | ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. | 2026-02-04 | 6.3 | CVE-2026-25507 | https://github.com/espressif/esp-idf/security/advisories/GHSA-h7r3-gmg9-xjmg https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9 https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7 https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70 https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6 https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663 https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63 |
| espressif--esp-idf | ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. | 2026-02-04 | 6.3 | CVE-2026-25508 | https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9 https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9 https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7 https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70 https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6 https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663 https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0. | 2026-02-06 | 6.1 | CVE-2026-25516 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282 https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561 |
| espressif--esp-idf | ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a vulnerability exists in the WPS (Wi-Fi Protected Setup) Enrollee implementation where malformed EAP-WSC packets with truncated payloads can cause integer underflow during fragment length calculation. When processing EAP-Expanded (WSC) messages, the code computes frag_len by subtracting header sizes from the total packet length. If an attacker sends a packet where the EAP Length field covers only the header and flags but omits the expected payload (such as the 2-byte Message Length field when WPS_MSG_FLAG_LEN is set), frag_len becomes negative. This negative value is then implicitly cast to size_t when passed to wpabuf_put_data(), resulting in a very large unsigned value. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. | 2026-02-04 | 6.3 | CVE-2026-25532 | https://github.com/espressif/esp-idf/security/advisories/GHSA-m2h2-683f-9mw7 https://github.com/espressif/esp-idf/commit/60f992a26de17bb5406f2149a2f8282dd7ad1c59 https://github.com/espressif/esp-idf/commit/6f6766f917bc940ffbcc97eac4765a6ab15d5f79 https://github.com/espressif/esp-idf/commit/73a587d42a57ece1962b6a4c530b574600650f63 https://github.com/espressif/esp-idf/commit/b209fae993d795255827ce6b2b0d6942a377f5d4 https://github.com/espressif/esp-idf/commit/b88befde6b5addcdd8d7373ce55c8052dea1e855 https://github.com/espressif/esp-idf/commit/cad36beb4cde27abcf316cd90d8d8dddbc6f213a https://github.com/espressif/esp-idf/commit/de28801e8ea6a736b6f0db6fc0c682739363bb41 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6. | 2026-02-04 | 6.5 | CVE-2026-25540 | https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr |
| navidrome--navidrome | Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0. | 2026-02-04 | 6.1 | CVE-2026-25578 | https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6 https://github.com/navidrome/navidrome/releases/tag/v0.60.0 |
| tgies--client-certificate-auth | client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0. | 2026-02-06 | 6.1 | CVE-2026-25651 | https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4 https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132. | 2026-02-06 | 6.6 | CVE-2026-25749 | https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9 https://github.com/vim/vim/releases/tag/v9.1.2132 |
| BishopFox--sliver | Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.6.11, a path traversal in the website content subsystem lets an authenticated operator read arbitrary files on the Sliver server host. This is an authenticated path traversal / arbitrary file read issue, and it can expose credentials, configs, and keys. This vulnerability is fixed in 1.6.11. | 2026-02-06 | 6.5 | CVE-2026-25760 | https://github.com/BishopFox/sliver/security/advisories/GHSA-2286-hxv5-cmp2 https://github.com/BishopFox/sliver/commit/818127349ccec812876693c4ca74ebf4350ec6b7 |
| Maian Media--Maian Support Helpdesk | Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FAQ attachment system. | 2026-02-03 | 5.3 | CVE-2020-37091 | ExploitDB-48386 Vendor Homepage VulnCheck Advisory: Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin) |
| EDIMAX Technology Co., Ltd.--EW-7438RPn Mini | Edimax EW-7438RPn 1.13 contains a cross-site request forgery vulnerability in the MAC filtering configuration interface. Attackers can craft malicious web pages to trick users into adding unauthorized MAC addresses to the device's filtering rules without their consent. | 2026-02-03 | 5.3 | CVE-2020-37096 | ExploitDB-48366 Edimax EW-7438RPn Product Homepage VulnCheck Advisory: Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering) |
| Bdtask--Business Live Chat Software | Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with administrative access parameters. | 2026-02-06 | 5.3 | CVE-2020-37106 | ExploitDB-48141 Business Live Chat Software Vendor Homepage VulnCheck Advisory: Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin) |
| Code::Blocks--Code::Blocks | CODE::BLOCKS 16.01 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler with crafted Unicode characters. Attackers can create a malicious M3U playlist file with 536 bytes of buffer and shellcode to trigger remote code execution. | 2026-02-05 | 5.5 | CVE-2020-37121 | ExploitDB-48344 CODE::BLOCKS Product Homepage CODE::BLOCKS SourceForge Repository VulnCheck Advisory: CODE::BLOCKS 16.01 - Buffer Overflow (SEH) UNICODE |
| dnsmasq--dnsmasq-utils | Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. Attackers can trigger a core dump and terminate the dhcp_release process by sending a crafted input string longer than 16 characters. | 2026-02-05 | 5.5 | CVE-2020-37127 | ExploitDB-48301 Software Link for dnsmasq 2.79-1 VulnCheck Advisory: dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service |
| FinalWire--Everest | Everest, later referred to as AIDA64, 5.50.2100 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating file open functionality. Attackers can generate a 450-byte buffer of repeated characters and paste it into the file open dialog to trigger an application crash. | 2026-02-05 | 5.5 | CVE-2020-37140 | ExploitDB-48259 Archived Product Page VulnCheck Advisory: Everest 5.50.2100 - 'Open File' Denial of Service |
| Exagate--Sysguard 6001 | Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without the victim's consent. | 2026-02-05 | 5.3 | CVE-2020-37144 | ExploitDB-48234 Exagate Vendor Homepage Archived Sysguard 6001 Product Page VulnCheck Advisory: Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin) |
| IBM--Cloud Pak System | IBM Cloud Pak System displays sensitive information in user messages that could aid in further attacks against the system. | 2026-02-04 | 5.3 | CVE-2023-38010 | https://www.ibm.com/support/pages/node/7254419 |
| IBM--Cloud Pak System | IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-02-04 | 5.3 | CVE-2023-38017 | https://www.ibm.com/support/pages/node/7254419 |
| IBM--Cloud Pak System | IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | 2026-02-04 | 5.3 | CVE-2023-38281 | https://www.ibm.com/support/pages/node/7254419 |
| IBM--Db2 Big SQL on Cloud Pak for Data | IBM Db2 Big SQL on Cloud Pak for Data versions 7.6 (on CP4D 4.8), 7.7 (on CP4D 5.0), and 7.8 (on CP4D 5.1) do not properly limit the allocation of system resources. An authenticated user with internal knowledge of the environment could exploit this weakness to cause a denial of service. | 2026-02-04 | 5.3 | CVE-2024-39724 | https://www.ibm.com/support/pages/node/7257907 |
| cyberlord92--OAuth Single Sign On SSO (OAuth Client) | The OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly. | 2026-02-06 | 5.3 | CVE-2025-10753 | https://www.wordfence.com/threat-intel/vulnerabilities/id/915e1a6e-ad9c-4849-8ae0-3ded18720a1f?source=cve https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L260 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399223%40miniorange-login-with-eve-online-google-facebook&new=3399223%40miniorange-login-with-eve-online-google-facebook&sfp_email=&sfph_mail= |
| IBM--App Connect Operator | IBM App Connect Enterprise Certified Container up to 12.19.0 (Continuous Delivery) and 12.0 LTS (Long Term Support) could allow an attacker to access sensitive files or modify configurations due to an untrusted search path. | 2026-02-05 | 5.1 | CVE-2025-13491 | https://www.ibm.com/support/pages/node/7259746 |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action. | 2026-02-05 | 5.3 | CVE-2025-14079 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6fd3ea16-4706-4573-b905-93dff434968d?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.4/includes/class-crm-ajax-functions-one.php#L15 https://plugins.trac.wordpress.org/changeset/3449609/ |
| unitecms--Unlimited Elements For Elementor | The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-03 | 5.4 | CVE-2025-14274 | https://www.wordfence.com/threat-intel/vulnerabilities/id/482c4986-3677-4754-992b-ea9be7573d2e?source=cve https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/framework/functions.class.php#L2859 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_params_processor.class.php#L1518 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3429507%40unlimited-elements-for-elementor%2Ftrunk&old=3403331%40unlimited-elements-for-elementor%2Ftrunk&sfp_email=&sfph_mail=#file15 |
| tpixendit--Xendit Payment | The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by sending a crafted POST request to the callback URL with a JSON body containing an `external_id` matching the order ID pattern and a `status` of 'PAID' or 'SETTLED', granted they can enumerate order IDs (which are sequential integers). This leads to orders being fraudulently marked as completed without any actual payment, resulting in financial loss and inventory depletion. | 2026-02-04 | 5.3 | CVE-2025-14461 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2791bbd5-9101-4484-a352-0e4d2ce04e5d?source=cve https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/trunk/woocommerce-xendit-pg.php#L252 https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/tags/6.0.2/woocommerce-xendit-pg.php#L252 |
| Tanium--Enforce | Tanium addressed an improper link resolution before file access vulnerability in Enforce. | 2026-02-05 | 5 | CVE-2025-15328 | TAN-2025-007 |
| chapaet--Chapa Payment Gateway Plugin for WooCommerce | The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key. | 2026-02-04 | 5.3 | CVE-2025-15482 | https://www.wordfence.com/threat-intel/vulnerabilities/id/190492ec-5982-4dce-9e97-16a518a01a27?source=cve https://plugins.trac.wordpress.org/browser/chapa-payment-gateway-for-woocommerce/tags/1.0.3/includes/class-waf-wc-chapa-gateway.php#L418 |
| magicimport--Magic Import Document Extractor | The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance. | 2026-02-04 | 5.3 | CVE-2025-15507 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6854e470-26ac-4747-b72c-164e79e1a1b1?source=cve https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L225 |
| magicimport--Magic Import Document Extractor | The Magic Import Document Extractor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4 via the get_frontend_settings() function. This makes it possible for unauthenticated attackers to extract the site's magicimport.ai license key from the page source on any page containing the plugin's shortcode. | 2026-02-04 | 5.3 | CVE-2025-15508 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9ec72ac5-1851-4074-bea4-ccfd684b9c8d?source=cve https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L379 |
| IBM--Engineering Lifecycle Management - Global Configuration Management | IBM Engineering Lifecycle Management - Global Configuration Management 7.0.3 through 7.0.3 Interim Fix 017, and 7.1.0 through 7.1.0 Interim Fix 004 IBM Global Configuration Management is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-02-03 | 5.4 | CVE-2025-36033 | https://www.ibm.com/support/pages/node/7258063 |
| IBM--Cloud Pak for Business Automation | IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 could allow an authenticated user to cause a denial of service or corrupt existing data due to the improper validation of input length. | 2026-02-03 | 5.4 | CVE-2025-36094 | https://www.ibm.com/support/pages/node/7259318 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 2026-02-02 | 5.9 | CVE-2025-36253 | https://www.ibm.com/support/pages/node/7257565 |
| HCL--AION | Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes. This issue affects AION: 2.0. | 2026-02-03 | 5.5 | CVE-2025-52627 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| N/A--Moodle[.]org | A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser. | 2026-02-03 | 5.4 | CVE-2025-67855 | https://access.redhat.com/security/cve/CVE-2025-67855 RHBZ#2423861 |
| N/A--Moodle[.]org | A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features. | 2026-02-03 | 5.4 | CVE-2025-67856 | https://access.redhat.com/security/cve/CVE-2025-67856 RHBZ#2423864 |
| khoj-ai--khoj | Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requires knowing the user's UUID which can be leaked through shared conversations where an AI generated image is present. This vulnerability is fixed in 2.0.0-beta.23. | 2026-02-02 | 5.4 | CVE-2025-69207 | https://github.com/khoj-ai/khoj/security/advisories/GHSA-6whj-7qmg-86qj https://github.com/khoj-ai/khoj/commit/1b7ccd141d47f365edeccc57d7316cb0913d748b https://github.com/khoj-ai/khoj/releases/tag/2.0.0-beta.23 |
| fortispay--Fortis for WooCommerce | The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order statuses to paid/processing/completed, effectively allowing them to mark orders as paid without payment. | 2026-02-04 | 5.3 | CVE-2026-0679 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f16c098-3e99-4506-b517-ae4b838a0925?source=cve https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/trunk/classes/WC_Gateway_Fortis.php#L1674 https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/tags/1.2.0/classes/WC_Gateway_Fortis.php#L1674 |
| alimir--WP ULike Engagement Analytics & Interactive Buttons to Understand Your Audience | The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the `wp_ulike_delete_history_api` AJAX action not verifying that the log entry being deleted belongs to the current user. This makes it possible for authenticated attackers, with Subscriber-level access and above (granted the 'stats' capability is assigned to their role), to delete arbitrary log entries belonging to other users via the 'id' parameter. | 2026-02-03 | 5.3 | CVE-2026-0909 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bee2e520-46cc-4b54-9849-fafb9b37ba19?source=cve https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/admin/admin-ajax.php#L94 https://plugins.trac.wordpress.org/browser/wp-ulike/tags/4.8.3.1/admin/admin-ajax.php#L94 https://plugins.trac.wordpress.org/changeset/3451296/wp-ulike/trunk/admin/admin-ajax.php |
| brainstormforce--Spectra Gutenberg Blocks Website Builder for the Block Editor | The Spectra Gutenberg Blocks - Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block. | 2026-02-03 | 5.3 | CVE-2026-0950 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ccaccf03-4162-4365-9f12-0363a78e91d4?source=cve https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1303 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1303 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1621 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1621 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L2196 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L2196 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-helper.php#L1403 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/classes/class-uagb-helper.php#L1403 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3443216%40ultimate-addons-for-gutenberg%2Ftrunk&old=3410395%40ultimate-addons-for-gutenberg%2Ftrunk&sfp_email=&sfph_mail= |
| metagauss--ProfileGrid User Profiles, Groups and Communities | The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user's profile picture or cover image, including administrators. | 2026-02-05 | 5.3 | CVE-2026-1271 | https://www.wordfence.com/threat-intel/vulnerabilities/id/712535ce-8c38-4944-aa0a-36d9bacaeb67?source=cve https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/crop.php#L73 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/coverimg_crop.php#L60 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/crop.php#L73 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/coverimg_crop.php#L60 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail= |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications. | 2026-02-03 | 5.3 | CVE-2026-1371 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5c5f64-a864-4ce1-9080-19f7c4418307?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L106 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L658 https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/ecommerce/CouponController.php?contextall=1&old=3422766&old_path=%2Ftutor%2Ftrunk%2Fecommerce%2FCouponController.php |
| getwpfunnels--Mail Mint Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more | The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting. | 2026-02-03 | 5.4 | CVE-2026-1447 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e67ae204-2848-4389-a78d-7b3798e4ee54?source=cve https://plugins.trac.wordpress.org/browser/mail-mint/trunk/app/API/Routes/Admin/Contact/ContactProfileRoute.php#L105 https://plugins.trac.wordpress.org/browser/mail-mint/tags/1.19.2/app/API/Routes/Admin/Contact/ContactProfileRoute.php#L105 https://plugins.trac.wordpress.org/browser/mail-mint/trunk/app/API/Actions/Admin/Contact/ContactProfileAction.php#L85 https://plugins.trac.wordpress.org/browser/mail-mint/tags/1.19.2/app/API/Actions/Admin/Contact/ContactProfileAction.php#L85 https://plugins.trac.wordpress.org/changeset/3449536/mail-mint/trunk/app/API/Actions/Admin/Contact/ContactProfileAction.php?old=3032077&old_path=mail-mint%2Ftrunk%2Fapp%2FAPI%2FActions%2FAdmin%2FContact%2FContactProfileAction.php |
| F5--NGINX Open Source | A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side-along with conditions beyond the attacker's control-may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 5.9 | CVE-2026-1642 | https://my.f5.com/manage/s/article/K000159824 |
| brstefanovic--Advanced Country Blocker | The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for unauthenticated attackers to bypass the geolocation blocking mechanism by appending the key to any URL on sites where the administrator has not changed the default value. | 2026-02-07 | 5.3 | CVE-2026-1675 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30747988-83f9-41f9-9bc5-1f533bc4cb94?source=cve https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L278 https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L336 https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L420 |
| n/a--Open5GS | A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the component SGWC. Such manipulation leads to reachable assertion. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. A patch should be applied to remediate this issue. The issue report is flagged as already-fixed. | 2026-02-02 | 5.3 | CVE-2026-1736 | VDB-343635 | Open5GS SGWC s11-handler.c assertion VDB-343635 | CTI Indicators (IOB, IOC, IOA) Submit #741191 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4270 https://github.com/open5gs/open5gs/issues/4270#event-21968624624 https://github.com/open5gs/open5gs/issues/4270#issue-3795141303 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was detected in Open5GS up to 2.7.6. The affected element is the function sgwc_s5c_handle_create_bearer_request of the file /src/sgwc/s5c-handler.c of the component CreateBearerRequest Handler. Performing a manipulation results in reachable assertion. Remote exploitation of the attack is possible. The exploit is now public and may be used. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed. | 2026-02-02 | 5.3 | CVE-2026-1737 | VDB-343636 | Open5GS CreateBearerRequest s5c-handler.c sgwc_s5c_handle_create_bearer_request assertion VDB-343636 | CTI Indicators (IOB, IOC, IOA) Submit #741192 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4271 https://github.com/open5gs/open5gs/issues/4271#event-21968630023 https://github.com/open5gs/open5gs/issues/4271#issue-3795147720 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A flaw has been found in Open5GS up to 2.7.6. The impacted element is the function sgwc_tunnel_add of the file /src/sgwc/context.c of the component SGWC. Executing a manipulation of the argument pdr can lead to reachable assertion. The attack can be executed remotely. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed. | 2026-02-02 | 5.3 | CVE-2026-1738 | VDB-343637 | Open5GS SGWC context.c sgwc_tunnel_add assertion VDB-343637 | CTI Indicators (IOB, IOC, IOA) Submit #741193 | Open5gs SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4261 https://github.com/open5gs/open5gs/issues/4261#event-21968563677 https://github.com/open5gs/open5gs/issues/4261#issue-3787803578 https://github.com/open5gs/open5gs/ |
| Free5GC--pcf | A vulnerability has been found in Free5GC pcf up to 1.4.1. This affects the function HandleCreateSmPolicyRequest of the file internal/sbi/processor/smpolicy.go. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is df535f5524314620715e842baf9723efbeb481a7. Applying a patch is the recommended action to fix this issue. | 2026-02-02 | 5.3 | CVE-2026-1739 | VDB-343638 | Free5GC pcf smpolicy.go HandleCreateSmPolicyRequest null pointer dereference VDB-343638 | CTI Indicators (IOB, IOC, IOA) Submit #741194 | free5gc PCF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/803 https://github.com/free5gc/pcf/pull/62 https://github.com/free5gc/free5gc/issues/803#issue-3815770007 https://github.com/free5gc/pcf/commit/df535f5524314620715e842baf9723efbeb481a7 https://github.com/free5gc/pcf/ |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions. | 2026-02-02 | 5.3 | CVE-2026-1760 | https://access.redhat.com/security/cve/CVE-2026-1760 RHBZ#2435951 |
| Xerox--CentreWare | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS. This issue affects CentreWare: through 7.0.6. Consider upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com | 2026-02-06 | 5.3 | CVE-2026-1769 | https://securitydocs.business.xerox.com/wp-content/uploads/2026/02/Xerox-Security-Bulletin-XRX26-003-for-Xerox-CentreWare-Web.pdf |
| AWS--SageMaker Python SDK | Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed. | 2026-02-02 | 5.9 | CVE-2026-1778 | https://aws.amazon.com/security/security-bulletins/2026-004-AWS/ https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543 https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1 https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure. | 2026-02-03 | 5.3 | CVE-2026-1801 | https://access.redhat.com/security/cve/CVE-2026-1801 RHBZ#2436315 |
| n/a--WeKan | A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId leads to improper authorization. The attack may be launched remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. Upgrading to version 8.21 mitigates this issue. The name of the patch is cabfeed9a68e21c469bf206d8655941444b9912c. It is suggested to upgrade the affected component. | 2026-02-04 | 5 | CVE-2026-1892 | VDB-344265 | WeKan REST API boards.js setBoardOrgs improper authorization VDB-344265 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742662 | Wekan <8.21 IDOR via REST API / improper object relationship validation https://github.com/wekan/wekan/commit/cabfeed9a68e21c469bf206d8655941444b9912c https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| Edimax--BR-6208AC | A vulnerability was found in Edimax BR-6208AC 2_1.02. The affected element is the function auth_check_userpass2. Performing a manipulation of the argument Username/Password results in use of default credentials. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-1972 | VDB-344494 | Edimax BR-6208AC auth_check_userpass2 default credentials VDB-344494 | CTI Indicators (IOB, IOC, IOA) Submit #744032 | Edimax BR-6208AC V2_1.02 Weak Authentication https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Weak-Password-Authentication-Vulnerability-in-auth_check_userpass2-Functi-2f0b5c52018a801c9645dd5261717901?source=copy_link |
| n/a--Free5GC | A vulnerability was determined in Free5GC up to 4.1.0. The impacted element is the function establishPfcpSession of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. It is best practice to apply a patch to resolve this issue. | 2026-02-06 | 5.3 | CVE-2026-1973 | VDB-344495 | Free5GC SMF establishPfcpSession null pointer dereference VDB-344495 | CTI Indicators (IOB, IOC, IOA) Submit #743236 | free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/815 https://github.com/free5gc/free5gc/issues/815#issue-3832032062 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| n/a--Free5GC | A vulnerability was identified in Free5GC up to 4.1.0. This affects the function ResolveNodeIdToIp of the file internal/sbi/processor/datapath.go of the component SMF. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. It is recommended to apply a patch to fix this issue. | 2026-02-06 | 5.3 | CVE-2026-1974 | VDB-344496 | Free5GC SMF datapath.go ResolveNodeIdToIp denial of service VDB-344496 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743237 | free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/816 https://github.com/free5gc/free5gc/issues/816#issue-3832055233 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| n/a--Free5GC | A security flaw has been discovered in Free5GC up to 4.1.0. This impacts the function identityTriggerType of the file pfcp_reports.go. The manipulation results in null pointer dereference. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Applying a patch is advised to resolve this issue. | 2026-02-06 | 5.3 | CVE-2026-1975 | VDB-344497 | Free5GC pfcp_reports.go identityTriggerType null pointer dereference VDB-344497 | CTI Indicators (IOB, IOC, IOA) Submit #743238 | free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/814 https://github.com/free5gc/free5gc/issues/814#issue-3831993593 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| n/a--Free5GC | A weakness has been identified in Free5GC up to 4.1.0. Affected is the function SessionDeletionResponse of the component SMF. This manipulation causes null pointer dereference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. It is suggested to install a patch to address this issue. | 2026-02-06 | 5.3 | CVE-2026-1976 | VDB-344498 | Free5GC SMF SessionDeletionResponse null pointer dereference VDB-344498 | CTI Indicators (IOB, IOC, IOA) Submit #743239 | free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/817 https://github.com/free5gc/free5gc/issues/817#issue-3832188092 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| kalyan02--NanoCMS | A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings. | 2026-02-06 | 5.3 | CVE-2026-1978 | VDB-344500 | kalyan02 NanoCMS User Information pagesdata.txt direct request VDB-344500 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743260 | SourceCodester NanoCMS V0.4 Sensitive document leak https://github.com/kalyan02/NanoCMS/blob/master/data/pagesdata.txt https://github.com/kalyan02/NanoCMS/ |
| n/a--mruby | A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue. | 2026-02-06 | 5.3 | CVE-2026-1979 | VDB-344501 | mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free VDB-344501 | CTI Indicators (IOB, IOC, IOA) Submit #743377 | mruby cda2567 Use After Free https://github.com/mruby/mruby/issues/6701 https://github.com/mruby/mruby/issues/6701#issue-3802609843 https://github.com/sysfce2/mruby/commit/e50f15c1c6e131fa7934355eb02b8173b13df415 https://github.com/mruby/mruby/ |
| happyfish100--libfastcommon | A security vulnerability has been detected in happyfish100 libfastcommon up to 1.0.84. Affected by this vulnerability is the function base64_decode of the file src/base64.c. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 82f66af3e252e3e137dba0c3891570f085e79adf. Applying a patch is the recommended action to fix this issue. | 2026-02-06 | 5.3 | CVE-2026-2016 | VDB-344598 | happyfish100 libfastcommon base64.c base64_decode stack-based overflow VDB-344598 | CTI Indicators (IOB, IOC, IOA) Submit #743873 | happyfish100 libfastcommon V1.0.84 and earlier Heap-based Buffer Overflow https://github.com/happyfish100/libfastcommon/issues/55 https://github.com/happyfish100/libfastcommon/issues/55#issuecomment-3776757848 https://github.com/happyfish100/libfastcommon/issues/55#issue-3836362577 https://github.com/happyfish100/libfastcommon/commit/82f66af3e252e3e137dba0c3891570f085e79adf https://github.com/happyfish100/libfastcommon/ |
| D-Link--DIR-605L | A security flaw has been discovered in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. Impacted is an unknown function of the component Wifi Setting Handler. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-2054 | VDB-344614 | D-Link DIR-605L/DIR-619L Wifi Setting information disclosure VDB-344614 | CTI Indicators (IOB, IOC, TTP) Submit #744224 | D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_81/81.md https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_81/81.md#poc--result https://www.dlink.com/ |
| D-Link--DIR-605L | A weakness has been identified in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. The affected element is an unknown function of the component DHCP Client Information Handler. Executing a manipulation can lead to information disclosure. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-2055 | VDB-344615 | D-Link DIR-605L/DIR-619L DHCP Client Information information disclosure VDB-344615 | CTI Indicators (IOB, IOC, TTP) Submit #744225 | D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md#poc--result https://www.dlink.com/ |
| D-Link--DIR-605L | A security vulnerability has been detected in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. The impacted element is an unknown function of the file /wan_connection_status.asp of the component DHCP Connection Status Handler. The manipulation leads to information disclosure. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-2056 | VDB-344616 | D-Link DIR-605L/DIR-619L DHCP Connection Status wan_connection_status.asp information disclosure VDB-344616 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744226 | D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_83/83.md https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md#poc--result https://www.dlink.com/ |
| n/a--Open5GS | A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_modify_bearer_response/sgwc_sxa_handle_session_modification_response of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The exploit is publicly available and might be used. The identifier of the patch is f1bbd7b57f831e2a070780a7d8d5d4c73babdb59. Applying a patch is the recommended action to fix this issue. | 2026-02-06 | 5.3 | CVE-2026-2062 | VDB-344622 | Open5GS PGW S5U Address sgwc_sxa_handle_session_modification_response null pointer dereference VDB-344622 | CTI Indicators (IOB, IOC, IOA) Submit #744719 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4257 https://github.com/open5gs/open5gs/issues/4257#issue-3787701521 https://github.com/open5gs/open5gs/commit/f1bbd7b57f831e2a070780a7d8d5d4c73babdb59 https://github.com/open5gs/open5gs/ |
| jsbroks--COCO Annotator | A vulnerability was determined in jsbroks COCO Annotator up to 0.11.1. This impacts an unknown function of the file /api/info/long_task of the component Endpoint. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 5.3 | CVE-2026-2108 | VDB-344684 | jsbroks COCO Annotator Endpoint long_task denial of service VDB-344684 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745547 | coco-annotator 0.11.1 Denial of Service https://github.com/nmmorette/vulnerability-research/blob/main/coco-anotator/Unauthenticated%20Task%20Queue%20Flood%20in%20COCO%20Annotator%202f1ef09b873680f99d39e3f7db9886fa.md |
| jsbroks--COCO Annotator | A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 5.4 | CVE-2026-2109 | VDB-344685 | jsbroks COCO Annotator Delete Category undo improper authorization VDB-344685 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745579 | coco-annotator v0.11.1 Broken Function Level Authorization https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md |
| Tenda--AC21 | A weakness has been identified in Tenda AC21 16.03.08.16. This impacts an unknown function of the file /cgi-bin/DownloadLog of the component Web Management Interface. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 5.3 | CVE-2026-2147 | VDB-344849 | Tenda AC21 Web Management DownloadLog information disclosure VDB-344849 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747429 | Tenda AC21 V16.03.08.16 Missing Critical Step in Authentication https://github.com/master-abc/cve/issues/30 https://www.tenda.com.cn/ |
| Tenda--AC21 | A security vulnerability has been detected in Tenda AC21 16.03.08.16. Affected is an unknown function of the file /cgi-bin/DownloadFlash of the component Web Management Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 5.3 | CVE-2026-2148 | VDB-344850 | Tenda AC21 Web Management DownloadFlash information disclosure VDB-344850 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747557 | Tenda AC21 V16.03.08.16 Missing Critical Step in Authentication https://github.com/master-abc/cve/issues/27 https://www.tenda.com.cn/ |
| n/a--WeKan | A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the attack remotely. Upgrading to version 8.21 is capable of addressing this issue. This patch is called 91a936e07d2976d4246dfe834281c3aaa87f9503. You should upgrade the affected component. | 2026-02-08 | 5.3 | CVE-2026-2207 | VDB-344921 | WeKan Activity Publication activities.js LinkedBoardActivitiesBleed information disclosure VDB-344921 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752163 | Wekan <8.21 Information disclosure via insufficient authorization filtering https://github.com/wekan/wekan/commit/91a936e07d2976d4246dfe834281c3aaa87f9503 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| F5--BIG-IP | When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker's control can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 5.9 | CVE-2026-22548 | https://my.f5.com/manage/s/article/K000158072 |
| NeoRazorX--facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8. | 2026-02-02 | 5.4 | CVE-2026-23476 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4 https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3 https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8 |
| CollaboraOnline--online | Collabora Online is a collaborative online office suite based on LibreOffice technology. Prior to Collabora Online Development Edition version 25.04.08.2 and prior to Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5, a user with view-only rights and no download privileges can obtain a local copy of a shared file. Although there are no corresponding buttons in the interface, pressing Ctrl+Shift+S initiates the file download process. This allows the user to bypass the access restrictions and leads to unauthorized data retrieval. This issue has been patched in Collabora Online Development Edition version 25.04.08.2 and Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5. | 2026-02-05 | 5.3 | CVE-2026-23623 | https://github.com/CollaboraOnline/online/security/advisories/GHSA-68v6-r6qq-mmq2 |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2. | 2026-02-03 | 5.3 | CVE-2026-24664 | https://github.com/gunet/openeclass/security/advisories/GHSA-c3wq-m629-5h2j |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user accounts. This issue has been patched in version 4.2. | 2026-02-03 | 5 | CVE-2026-24667 | https://github.com/gunet/openeclass/security/advisories/GHSA-5h73-53mh-m224 |
| Huawei--HarmonyOS | Identity authentication bypass vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 5.9 | CVE-2026-24916 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei--HarmonyOS | Out-of-bounds access vulnerability in the frequency modulation module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 5.5 | CVE-2026-24927 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei--HarmonyOS | Out-of-bounds write vulnerability in the file system module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 5.8 | CVE-2026-24928 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei--HarmonyOS | Out-of-bounds read vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 5.9 | CVE-2026-24929 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| Huawei--HarmonyOS | Vulnerability of improper criterion security check in the card module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 5.9 | CVE-2026-24931 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The Split function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. This issue has been patched in version 1.1.0. | 2026-02-04 | 5.5 | CVE-2026-25122 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-6p9p-q6wh-9j89 https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09 |
| homarr-labs--homarr | Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive (open vs closed ports can be inferred from statusCode vs fetch failed and timing). This vulnerability is fixed in 1.52.0. | 2026-02-06 | 5.3 | CVE-2026-25123 | https://github.com/homarr-labs/homarr/security/advisories/GHSA-c6rh-8wj4-gv74 |
| Talishar--Talishar | Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. The playerID parameter in SubmitChat.php and is saved without sanitization and executed whenever a user view the current page game. This vulnerability is fixed by 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4. | 2026-02-02 | 5.3 | CVE-2026-25144 | https://github.com/Talishar/Talishar/security/advisories/GHSA-rrr4-h2pc-57g6 https://github.com/Talishar/Talishar/commit/09dd00e5452e3cd998eb1406a88e5b0fa868e6b4 |
| chainguard-dev--melange | melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3. | 2026-02-04 | 5.5 | CVE-2026-25145 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9 https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4 |
| QwikDev--qwik | Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City's server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0. | 2026-02-03 | 5.9 | CVE-2026-25151 | https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed |
| QwikDev--qwik | Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0. | 2026-02-03 | 5.9 | CVE-2026-25155 | https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8 https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75 |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3. | 2026-02-02 | 5 | CVE-2026-25228 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process. This issue has been patched in version 0.28.5.0. | 2026-02-03 | 5.3 | CVE-2026-25509 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-654x-9q7r-g966 https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653 |
| cert-manager--cert-manager | cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3. | 2026-02-04 | 5.9 | CVE-2026-25518 | https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv https://github.com/cert-manager/cert-manager/pull/8467 https://github.com/cert-manager/cert-manager/pull/8468 https://github.com/cert-manager/cert-manager/pull/8469 https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2 |
| OpenMage--magento-lts | Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1. | 2026-02-04 | 5.3 | CVE-2026-25523 | https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f https://hackerone.com/bugs?subject=openmage&report_id=3416312 |
| payloadcms--payload | Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0. | 2026-02-06 | 5.4 | CVE-2026-25574 | https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955 |
| samclarke--SCEditor | SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1. | 2026-02-06 | 5.4 | CVE-2026-25581 | https://github.com/samclarke/SCEditor/security/advisories/GHSA-25fq-6qgg-qpj8 https://github.com/samclarke/SCEditor/commit/5733aed4f0e257cb78e1ba191715fc458cbd473d |
| PrestaShop--PrestaShop | PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3. | 2026-02-06 | 5.3 | CVE-2026-25597 | https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2 https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4 https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3 |
| Wing FTP Server--Wing FTP Server | Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user account without proper authorization. | 2026-02-06 | 4.3 | CVE-2020-37079 | ExploitDB-48200 Wing FTP Server Official Homepage Wing FTP Server Version History VulnCheck Advisory: Wing FTP Server < 6.2.7 - Cross-site Request Forgery |
| Openeclass--GUnet OpenEclass | GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students' uploaded assessments, due to improper access controls and information disclosure flaws in various modules. Attackers can retrieve system info, version info, and view or download other users' files without proper authorization. | 2026-02-03 | 4.3 | CVE-2020-37114 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - Information Disclosure |
| HRSALE--HRSALE | HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user accounts with elevated privileges. | 2026-02-05 | 4.3 | CVE-2020-37145 | ExploitDB-48205 Archived Product Webpage VulnCheck Advisory: HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin) |
| IBM--Operations Analytics - Log Analysis | IBM Operations Analytics - Log Analysis versions 1.3.5.0 through 1.3.8.3 and IBM SmartCloud Analytics - Log Analysis are vulnerable to a cross-site request forgery (CSRF) vulnerability that could allow an attacker to trick a trusted user into performing unauthorized actions. | 2026-02-04 | 4.3 | CVE-2024-40685 | https://www.ibm.com/support/pages/node/7256429 |
| metagauss--ProfileGrid User Profiles, Groups and Communities | The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action. | 2026-02-05 | 4.3 | CVE-2025-13416 | https://www.wordfence.com/threat-intel/vulnerabilities/id/31c2cd54-f258-43ea-8db2-8d98ad7014d1?source=cve https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L3167 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.5/public/class-profile-magic-public.php#L3167 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail= |
| Tanium--Patch | Tanium addressed an improper access controls vulnerability in Patch. | 2026-02-05 | 4.3 | CVE-2025-15326 | TAN-2025-006 |
| Tanium--Deploy | Tanium addressed an improper access controls vulnerability in Deploy. | 2026-02-05 | 4.3 | CVE-2025-15327 | TAN-2025-006 |
| Tanium--Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.9 | CVE-2025-15329 | TAN-2025-019 |
| Tanium--Connect | Tanium addressed an uncontrolled resource consumption vulnerability in Connect. | 2026-02-05 | 4.3 | CVE-2025-15331 | TAN-2025-015 |
| Tanium--Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.9 | CVE-2025-15332 | TAN-2025-020 |
| Tanium--Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.3 | CVE-2025-15333 | TAN-2025-025 |
| Tanium--Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.3 | CVE-2025-15334 | TAN-2025-026 |
| Tanium--Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.3 | CVE-2025-15335 | TAN-2025-027 |
| Tanium--Reputation | Tanium addressed an improper access controls vulnerability in Reputation. | 2026-02-05 | 4.3 | CVE-2025-15342 | TAN-2025-030 |
| IBM--Jazz Foundation | IBM Jazz Foundation 7.0.3 through 7.0.3 iFix019 and 7.1.0 through 7.1.0 iFix005 is vulnerable to access control violations that allows the users to view or access/perform actions beyond their expected capability. | 2026-02-02 | 4.3 | CVE-2025-15395 | https://www.ibm.com/support/pages/node/7258304 |
| simonfairbairn--The Bucketlister | The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add delete or modify arbitrary bucket list items. | 2026-02-07 | 4.3 | CVE-2025-15476 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fc9e6374-8f9e-4c60-a86b-46cd4122abf9?source=cve https://plugins.trac.wordpress.org/browser/the-bucketlister/tags/0.1.5/bucketlister.php#L185 |
| qriouslad--Code Explorer | The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-02-04 | 4.9 | CVE-2025-15487 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fad8ad54-56eb-40fa-a357-77b7d656d378?source=cve https://plugins.trac.wordpress.org/browser/code-explorer/tags/1.4.6/admin/class-code-explorer-admin.php#L211 |
| HCL--AION | A Potential Command Injection vulnerability in HCL AION. An This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system. This issue affects AION: 2.0 | 2026-02-03 | 4.5 | CVE-2025-52626 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL--AION | HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0. | 2026-02-03 | 4.6 | CVE-2025-52628 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| N/A--Moodle[.]org | A flaw was found in Moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure. | 2026-02-03 | 4.3 | CVE-2025-67857 | https://access.redhat.com/security/cve/CVE-2025-67857 RHBZ#2423868 https://moodle.org/mod/forum/discuss.php?d=471307 |
| Red Hat--Red Hat Ansible Automation Platform 2 | A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs. | 2026-02-06 | 4.2 | CVE-2026-0598 | https://access.redhat.com/security/cve/CVE-2026-0598 RHBZ#2427094 |
| rtddev--Extended Random Number Generator | The Extended Random Number Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-02-04 | 4.4 | CVE-2026-0681 | https://www.wordfence.com/threat-intel/vulnerabilities/id/575c3329-8dbb-4d15-8e11-a86a01b96f50?source=cve https://plugins.trac.wordpress.org/browser/extended-random-number-generator/trunk/random_number_generator.php#L187 https://plugins.trac.wordpress.org/browser/extended-random-number-generator/tags/1.1/random_number_generator.php#L187 |
| orenhav--WP Content Permission | The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ohmem-message' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-04 | 4.4 | CVE-2026-0743 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e44403cd-1cee-43c4-aabc-3eaad433c020?source=cve https://plugins.trac.wordpress.org/browser/wp-content-permission/trunk/admin/views/admin.php#L74 https://plugins.trac.wordpress.org/browser/wp-content-permission/tags/1.2/admin/views/admin.php#L74 |
| gtlwpdev--All push notification for WP | The All push notification for WP plugin for WordPress is vulnerable to time-based SQL Injection via the 'delete_id' parameter in all versions up to, and including, 1.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-04 | 4.9 | CVE-2026-0816 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fc1f36b1-cf28-472c-8a7a-f091ecb48c2d?source=cve https://plugins.trac.wordpress.org/browser/all-push-notification/tags/1.5.3/pushnotification-admin/class-pushnotification-admin.php#L95 https://plugins.trac.wordpress.org/browser/all-push-notification/trunk/pushnotification-admin/class-pushnotification-admin.php#L95 |
| arkapravamajumder--TITLE ANIMATOR | The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in `inc/settings-page.php`. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-02-07 | 4.3 | CVE-2026-1082 | https://www.wordfence.com/threat-intel/vulnerabilities/id/98736b9d-3e0a-40c0-900a-fbbaaac07958?source=cve https://plugins.trac.wordpress.org/browser/title-animator/trunk/inc/settings-page.php#L5 https://plugins.trac.wordpress.org/browser/title-animator/tags/1.0/inc/settings-page.php#L5 |
| bplugins--Timeline Block Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) | The Timeline Block - Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgb_shortcode() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to disclose private timeline content via the id attribute supplied to the 'timeline_block' shortcode. | 2026-02-06 | 4.3 | CVE-2026-1228 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cecebfd0-c2af-4150-8793-299cdbeaa7b9?source=cve https://plugins.trac.wordpress.org/changeset/3446078/timeline-block-block |
| shortpixel--ShortPixel Image Optimizer Optimize Images, Convert WebP & AVIF | The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys. | 2026-02-05 | 4.9 | CVE-2026-1246 | https://www.wordfence.com/threat-intel/vulnerabilities/id/03cb41d2-67c8-457f-8d85-7aede8e12d44?source=cve https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L309 https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L1686 https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/BulkController.php#L200 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3449706%40shortpixel-image-optimiser&new=3449706%40shortpixel-image-optimiser&sfp_email=&sfph_mail= |
| comprassibs--SIBS woocommerce payment gateway | The SIBS woocommerce payment gateway plugin for WordPress is vulnerable to time-based SQL Injection via the 'referencedId' parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-04 | 4.9 | CVE-2026-1370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eac8e81c-2f6f-4a4a-9678-f5d75f4954ae?source=cve https://plugins.trac.wordpress.org/browser/sibs-woocommerce/tags/2.2.0/class-sibs-payment-gateway.php#L1855 |
| n/a--iomad | A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. It is best practice to apply a patch to resolve this issue. | 2026-02-05 | 4.7 | CVE-2026-1517 | VDB-344487 | iomad Company Admin Block sql injection VDB-344487 | CTI Indicators (IOB, IOC, TTP) https://github.com/iomad/iomad/issues/2559 https://github.com/iomad/iomad/issues/2559#issuecomment-3841174677 https://github.com/iomad/iomad/ |
| Yealink--MeetingBar A30 | A weakness has been identified in Yealink MeetingBar A30 133.321.0.3. This issue affects some unknown processing of the component Diagnostic Handler. This manipulation causes command injection. It is feasible to perform the attack on the physical device. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 4.3 | CVE-2026-1735 | VDB-343634 | Yealink MeetingBar A30 Diagnostic command injection VDB-343634 | CTI Indicators (IOB, IOC, TTP) Submit #736622 | Yealink MeetingBar A30 133.321.0.3 Command Injection https://drive.google.com/file/d/1Uf46ihr8UmeXsFfkcvAeOtF1TkvGjozy/view?usp=sharing |
| EFM--ipTIME A8004T | A vulnerability was identified in EFM ipTIME A8004T 14.18.2. Affected by this vulnerability is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi of the component VPN Service. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 4.7 | CVE-2026-1742 | VDB-343641 | EFM ipTIME A8004T VPN Service timepro.cgi commit_vpncli_file_upload unrestricted upload VDB-343641 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741450 | EFM IPTIME A8004T 14.18.2 Authentication Bypass & Arbitrary File Upload https://github.com/LX-LX88/cve/issues/29 |
| SourceCodester--Medical Certificate Generator App | A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2026-02-02 | 4.3 | CVE-2026-1745 | VDB-343676 | SourceCodester Medical Certificate Generator App cross-site request forgery VDB-343676 | CTI Indicators (IOB, IOC) Submit #742653 | SourceCodester Medical Certificate Generator App 1.0 Cross-Site Request Forgery https://github.com/Asim-QAZi/Cross-Site-Request-Forgery-Arbitrary-Medical-Certificate-Deletion https://github.com/Asim-QAZi/Cross-Site-Request-Forgery-Arbitrary-Medical-Certificate-Deletion#proof-of-concept-csrf-exploit https://www.sourcecodester.com/ |
| codesnippetspro--Code Snippets | The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page. | 2026-02-06 | 4.3 | CVE-2026-1785 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4a5787f3-6a16-491a-aa01-6222f275cf0f?source=cve https://plugins.trac.wordpress.org/browser/code-snippets/trunk/php/cloud/class-cloud-search-list-table.php#L105 https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.9.4/php/cloud/class-cloud-search-list-table.php#L105 https://plugins.trac.wordpress.org/browser/code-snippets/trunk/php/cloud/list-table-shared-ops.php#L57 https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.9.4/php/cloud/list-table-shared-ops.php#L57 https://github.com/codesnippetspro/code-snippets/pull/331/changes |
| lcg0124--BootDo | A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. | 2026-02-04 | 4.3 | CVE-2026-1835 | VDB-344028 | lcg0124 BootDo cross-site request forgery VDB-344028 | CTI Indicators (IOB, IOC) Submit #742484 | BootDo Web V1.0 CSRF https://github.com/webzzaa/CVE-/issues/6 |
| n/a--ZenTao | A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model. Php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-04 | 4.7 | CVE-2026-1884 | VDB-344264 | ZenTao Webhook model.php fetchHook server-side request forgery VDB-344264 | CTI Indicators (IOB, IOC, IOA) Submit #742633 | Zentao PMS <=21.7.6-85642 SSRF https://github.com/ez-lbz/ez-lbz.github.io/issues/9 https://github.com/ez-lbz/ez-lbz.github.io/issues/9#issue-3832844574 |
| n/a--WeKan | A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component. | 2026-02-05 | 4.3 | CVE-2026-1897 | VDB-344269 | WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization VDB-344269 | CTI Indicators (IOB, IOC, IOA) Submit #742671 | Wekan <8.21 Missing authorization checks leading to information disclosure a https://github.com/wekan/wekan/commit/55576ec17722db094835470b386162c9a662fb60 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| wpsoul--Greenshift animation and page builder blocks | The Greenshift - animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function in all versions up to, and including, 12.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve global plugin settings including stored AI API keys. | 2026-02-05 | 4.3 | CVE-2026-1927 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e2128db-ca9f-4211-8bc5-01a2cc1cba64?source=cve https://plugins.trac.wordpress.org/changeset/3441535/greenshift-animation-and-page-builder-blocks/trunk/init.php |
| n/a--WeKan | A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. Patch name: 545566f5663545d16174e0f2399f231aa693ab6e. It is advisable to upgrade the affected component. | 2026-02-05 | 4.3 | CVE-2026-1964 | VDB-344486 | WeKan REST Endpoint boards.js BoardTitleRESTBleed access control VDB-344486 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742680 | Wekan <8.21 Improper access control in REST endpoint (CWE-284) https://github.com/wekan/wekan/commit/545566f5663545d16174e0f2399f231aa693ab6e https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| DCN--DCME-320 | A vulnerability was found in DCN DCME-320 up to 20260121. Impacted is the function apply_config of the file /function/system/basic/bridge_cfg.php of the component Web Management Backend. Performing a manipulation of the argument ip_list results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 4.7 | CVE-2026-2000 | VDB-344548 | DCN DCME-320 Web Management Backend bridge_cfg.php apply_config command injection VDB-344548 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743455 | 北京神州数码云科信息技术有限公司 Dcme320 latest Command Injection https://github.com/physicszq/Routers/tree/main/Dcme |
| Cisco--Cisco Secure Web Appliance | A vulnerability in the Dynamic Vectoring and Streaming (DVS) Engine implementation of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass the anti-malware scanner, allowing malicious archive files to be downloaded. This vulnerability is due to improper handling of certain archive files. An attacker could exploit this vulnerability by sending a crafted archive file, which should be blocked, through an affected device. A successful exploit could allow the attacker to bypass the anti-malware scanner and download malware onto an end user workstation. The downloaded malware will not automatically execute unless the end user extracts and launches the malicious file. | 2026-02-04 | 4 | CVE-2026-20056 | cisco-sa-wsa-archive-bypass-Scx2e8zF |
| Sanluan--PublicCMS | A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue. | 2026-02-06 | 4.2 | CVE-2026-2010 | VDB-344592 | Sanluan PublicCMS Trade Payment TradePaymentService.java paid improper authorization VDB-344592 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743487 | PublicCMS 5 Improper Access Controls https://github.com/sanluan/PublicCMS/issues/108 https://github.com/sanluan/PublicCMS/issues/108#issue-3838143772 https://github.com/sanluan/PublicCMS/commit/7329437e1288540336b1c66c114ed3363adcba02 https://github.com/sanluan/PublicCMS/ |
| Cisco--Cisco Prime Infrastructure | A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | 2026-02-04 | 4.8 | CVE-2026-20111 | cisco-sa-pi-xss-bYeVKCD |
| Cisco--Cisco Evolved Programmable Network Manager (EPNM) | A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the parameters in the HTTP request. An attacker could exploit this vulnerability by intercepting and modifying an HTTP request from a user. A successful exploit could allow the attacker to redirect the user to a malicious web page. | 2026-02-04 | 4.3 | CVE-2026-20123 | cisco-sa-epnm-pi-redirect-6sX82dN |
| D-Link--DIR-823X | A vulnerability was determined in D-Link DIR-823X 250416. Affected by this issue is the function sub_424D20 of the file /goform/set_ipv6. Executing a manipulation can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-06 | 4.7 | CVE-2026-2061 | VDB-344621 | D-Link DIR-823X set_ipv6 sub_424D20 os command injection VDB-344621 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744286 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/20 https://www.dlink.com/ |
| D-Link--DIR-823X | A security flaw has been discovered in D-Link DIR-823X 250416. This vulnerability affects unknown code of the file /goform/set_ac_server of the component Web Management Interface. The manipulation of the argument ac_server results in os command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-06 | 4.7 | CVE-2026-2063 | VDB-344623 | D-Link DIR-823X Web Management set_ac_server os command injection VDB-344623 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744720 | dlink DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/19 https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was determined in D-Link DIR-823X 250416. The affected element is an unknown function of the file /goform/set_password. This manipulation of the argument http_passwd causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-07 | 4.7 | CVE-2026-2081 | VDB-344648 | D-Link DIR-823X set_password os command injection VDB-344648 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745553 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/22 https://github.com/master-abc/cve/issues/22#issue-3847400767 https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was identified in D-Link DIR-823X 250416. The impacted element is an unknown function of the file /goform/set_mac_clone. Such manipulation of the argument mac leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used. | 2026-02-07 | 4.7 | CVE-2026-2082 | VDB-344649 | D-Link DIR-823X set_mac_clone os command injection VDB-344649 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745854 | dlink DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/21 https://github.com/master-abc/cve/issues/21#issue-3847172823 https://www.dlink.com/ |
| n/a--JeecgBoot | A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this issue is some unknown functionality of the file /airag/knowledge/doc/edit of the component Retrieval-Augmented Generation Module. Executing a manipulation of the argument filePath can lead to path traversal. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 4.3 | CVE-2026-2111 | VDB-344687 | JeecgBoot Retrieval-Augmented Generation edit path traversal VDB-344687 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746789 | jeecgboot 3.9.0 Absolute Path Traversal https://www.yuque.com/la12138/vxbwk9/ezodz20a26g36y8m |
| PHPGurukul--Hospital Management System | A security vulnerability has been detected in PHPGurukul Hospital Management System 4.0. The affected element is an unknown function of the file /hms/admin/manage-doctors.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 4.7 | CVE-2026-2134 | VDB-344769 | PHPGurukul Hospital Management System manage-doctors.php sql injection VDB-344769 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747214 | PHPGurukul Hospital Management System 4.0 SQL Injection https://github.com/Shaon-Xis/PHPGurukul-HMS-SQL-Injection https://phpgurukul.com/ |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument patient_id results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2026-02-08 | 4.3 | CVE-2026-2149 | VDB-344851 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System appointments.php cross site scripting VDB-344851 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747920 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Doubled Character XSS Manipulations https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Patients-Waiting-Area-Queue-Management-System-appointments-XSS.md |
| SourceCodester--Patients Waiting Area Queue Management System | A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /checkin.php. This manipulation of the argument patient_id causes cross site scripting. The attack can be initiated remotely. The exploit has been published and may be used. | 2026-02-08 | 4.3 | CVE-2026-2150 | VDB-344852 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System checkin.php cross site scripting VDB-344852 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747921 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Doubled Character XSS Manipulations https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Patients-Waiting-Area-Queue-Management-System-checkin-php-XSS.md |
| mwielgoszewski--doorman | A vulnerability was determined in mwielgoszewski doorman up to 0.6. This issue affects the function is_safe_url of the file doorman/users/views.py. Executing a manipulation of the argument Next can lead to open redirect. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 4.3 | CVE-2026-2153 | VDB-344855 | mwielgoszewski doorman views.py is_safe_url redirect VDB-344855 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748072 | https://github.com/mwielgoszewski/doorman doorman Latest Version (commit 9a9b97c8) Open Redirect https://gist.github.com/RacerZ-fighting/39f230feb0e450ae54f0a80c63c5d924 |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability was identified in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Impacted is an unknown function of the file /registration.php of the component Patient Registration Module. The manipulation of the argument First Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-02-08 | 4.3 | CVE-2026-2154 | VDB-344856 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System Patient Registration registration.php cross site scripting VDB-344856 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748208 | SourceCodester Patients Waiting Area Queue Management System 1 Cross Site Scripting https://medium.com/@rvpipalwa/stored-cross-site-scripting-xss-vulnerability-report-c97788dd6ea6 |
| SourceCodester--Simple Responsive Tourism Website | A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected is an unknown function of the file /tourism/classes/Master.php?f=register of the component Registration. Executing a manipulation of the argument firstname/lastname/username can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-02-08 | 4.3 | CVE-2026-2159 | VDB-344861 | SourceCodester Simple Responsive Tourism Website Registration Master.php cross site scripting VDB-344861 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #750995 | sourcecodester.com Simple Responsive Tourism Website 1.0 Cross Site Scripting https://github.com/CH0ico/CVE_choco_5/blob/main/report.md https://www.sourcecodester.com/ |
| SourceCodester--Simple Responsive Tourism Website | A vulnerability has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Master.php?f=save_package. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 4.3 | CVE-2026-2160 | VDB-344862 | SourceCodester Simple Responsive Tourism Website Master.php cross site scripting VDB-344862 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751016 | sourcecodester.com Simple Responsive Tourism Website 1.0 Cross Site Scripting https://github.com/CH0ico/CVE_choco_6/blob/main/report.md https://www.sourcecodester.com/ |
| itsourcecode--News Portal Project | A vulnerability was determined in itsourcecode News Portal Project 1.0. This affects an unknown part of the file /admin/aboutus.php. This manipulation of the argument pagetitle causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 4.7 | CVE-2026-2162 | VDB-344864 | itsourcecode News Portal Project aboutus.php sql injection VDB-344864 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751083 | itsourcecode News Portal Project V1.0 SQL Injection https://github.com/Wzl731/test/issues/2 https://itsourcecode.com/ |
| D-Link--DIR-600 | A vulnerability was identified in D-Link DIR-600 up to 2.15WWb02. This vulnerability affects unknown code of the file ssdp.cgi. Such manipulation of the argument HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID leads to command injection. The attack may be launched remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-08 | 4.7 | CVE-2026-2163 | VDB-344865 | D-Link DIR-600 ssdp.cgi command injection VDB-344865 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751764 | D-Link D-Link DIR-600 v2.15WWb02 Remote Arbitrary Command Execution https://github.com/LonTan0/CVE/blob/main/Remote%20Arbitrary%20Command%20Execution%20Vulnerability%20in%20ssdpcgi%20of%20D-Link%20DIR%E2%80%91600.md https://github.com/LonTan0/CVE/blob/main/Remote%20Arbitrary%20Command%20Execution%20Vulnerability%20in%20ssdpcgi%20of%20D-Link%20DIR%E2%80%91600.md#poc https://www.dlink.com/ |
| PHPGurukul--Hospital Management System | A vulnerability was determined in PHPGurukul Hospital Management System 4.0. This impacts an unknown function of the file /admin/manage-users.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 4.7 | CVE-2026-2179 | VDB-344882 | PHPGurukul Hospital Management System manage-users.php sql injection VDB-344882 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749592 | PHPGurukul Hospital Management System 4.0 SQL Injection https://github.com/Shaon-Xis/PHPGurukul-HMS-SQLi-PoC/tree/main https://github.com/Shaon-Xis/PHPGurukul-HMS-SQLi-PoC/tree/main#4-proof-of-concept-reproduction-steps https://phpgurukul.com/ |
| n/a--WeKan | A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to mitigate this issue. The name of the patch is 0f5a9c38778ca550cbab6c5093470e1e90cb837f. Upgrading the affected component is advised. | 2026-02-08 | 4.3 | CVE-2026-2205 | VDB-344919 | WeKan Meteor Publication cards.js CardPubSubBleed information disclosure VDB-344919 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752161 | Wekan <8.21 Information disclosure via publish/subscribe authorization bug https://github.com/wekan/wekan/commit/0f5a9c38778ca550cbab6c5093470e1e90cb837f https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded. | 2026-02-08 | 4.3 | CVE-2026-2208 | VDB-344922 | WeKan Rules rules.js RulesBleed authorization VDB-344922 | CTI Indicators (IOB, IOC, IOA) Submit #752164 | Wekan <8.21 Information disclosure / missing authorization on admin publicat https://github.com/wekan/wekan/commit/a787bcddf33ca28afb13ff5ea9a4cb92dceac005 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| glpi-project--glpi | GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5. | 2026-02-04 | 4.1 | CVE-2026-22247 | https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x https://github.com/glpi-project/glpi/releases/tag/11.0.5 |
| F5--F5 BIG-IP Container Ingress Services | A vulnerability exists in F5 BIG-IP Container Ingress Services that may allow excessive permissions to read cluster secrets. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 4.9 | CVE-2026-22549 | https://my.f5.com/manage/s/article/K000157960 |
| rizinorg--rizin | Rizin is a UNIX-like reverse engineering framework and command-line toolset. Prior to 0.8.2, a heap overflow can be exploited when a malicious mach0 file, having bogus entries for the dyld chained segments, is parsed by rizin. This vulnerability is fixed in 0.8.2. | 2026-02-02 | 4.4 | CVE-2026-22780 | https://github.com/rizinorg/rizin/security/advisories/GHSA-f3v7-xhmj-9cjj https://github.com/rizinorg/rizin/issues/5768 https://github.com/rizinorg/rizin/pull/5770 https://github.com/rizinorg/rizin/commit/41ea75d5b07d9b41b27ae80675cdda65f1b1c989 https://github.com/rizinorg/rizin/blob/6dd0dba9ff4dc706f549d0cdcd93856b49e59aa0/librz/bin/format/mach0/mach0_chained_fixups.c#L200 https://github.com/rizinorg/rizin/releases/tag/v0.8.2 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions . | 2026-02-04 | 4.3 | CVE-2026-23624 | https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477 https://github.com/glpi-project/glpi/releases/tag/10.0.23 https://github.com/glpi-project/glpi/releases/tag/11.0.5 |
| Enalean--tuleap | Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (creating artifact links from the release). This vulnerability is fixed in Tuleap Community Edition 17.0.99.1768924735 and Tuleap Enterprise Edition 17.2-5, 17.1-6, and 17.0-9. | 2026-02-02 | 4.6 | CVE-2026-24007 | https://github.com/Enalean/tuleap/security/advisories/GHSA-7g48-rwqj-ffxw https://github.com/Enalean/tuleap/commit/5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5 https://tuleap.net/plugins/tracker/?aid=46389 |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files with prohibited extensions by embedding them inside ZIP archives and extracting them using the application's built-in decompression functionality. This issue has been patched in version 4.2. | 2026-02-03 | 4.3 | CVE-2026-24673 | https://github.com/gunet/openeclass/security/advisories/GHSA-3g4j-56gp-v6wv |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to execute arbitrary JavaScript in the context of authenticated users by crafting malicious URLs and tricking victims into visiting them. This issue has been patched in version 4.2. | 2026-02-03 | 4.7 | CVE-2026-24674 | https://github.com/gunet/openeclass/security/advisories/GHSA-gqvp-w22w-w99r |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a business logic vulnerability allows authenticated students to improperly mark themselves as present in attendance activities, including activities that have already expired, by directly accessing a crafted URL. This issue has been patched in version 4.2. | 2026-02-03 | 4.3 | CVE-2026-24774 | https://github.com/gunet/openeclass/security/advisories/GHSA-rv2x-4rc8-93jh |
| opf--openproject | OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a different meeting. The attacker did not get access to meetings, but they could add arbitrary agenda items, that could cause confusions. The vulnerability is fixed in 17.0.2. | 2026-02-06 | 4.3 | CVE-2026-24776 | https://github.com/opf/openproject/security/advisories/GHSA-p9v8-w9ph-hqmf https://github.com/opf/openproject/releases/tag/v17.0.2 |
| Huawei--HarmonyOS | Type confusion vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 4 | CVE-2026-24914 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Huawei--HarmonyOS | Address read vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2026-02-06 | 4.8 | CVE-2026-24921 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Blesta--Blesta | Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. | 2026-02-03 | 4.7 | CVE-2026-25616 | https://www.blesta.com/2026/01/28/security-advisory/ |
| hedgedoc--hedgedoc | HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6. | 2026-02-06 | 4.3 | CVE-2026-25642 | https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w https://github.com/hedgedoc/hedgedoc/commit/74daa0e7a1cbfafd9aeb255eaf064dfe47cd401c https://github.com/hedgedoc/hedgedoc/commit/b930fe04cee92cd4723044030bb59c36781c7137 https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6 |
| siyuan-note--siyuan | Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session. | 2026-02-06 | 4.6 | CVE-2026-25647 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| P5--FNIP-8x16A | P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking authenticated users into loading a specially crafted page. | 2026-02-05 | 3.5 | CVE-2020-37118 | Zero Science Lab Disclosure (ZSL-2020-5564) ExploitDB-48362 Packet Storm Entry IBM X-Force Vulnerability Report P5 Vendor Homepage VulnCheck Advisory: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin) |
| P5--FNIP-8x16A | P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html. | 2026-02-05 | 3.5 | CVE-2020-37148 | Zero Science Lab Disclosure (ZSL-2020-5564) ExploitDB-48362 Packet Storm Entry IBM X-Force Vulnerability Report P5 Vendor Homepage VulnCheck Advisory: P5 FNIP-8x16A/FNIP-4xSH 1.0.20, 1.0.11 - Stored Cross-Site Scripting (XSS) |
| Tanium--Interact | Tanium addressed an improper access controls vulnerability in Interact. | 2026-02-05 | 3.1 | CVE-2025-15289 | TAN-2025-033 |
| Tanium--Tanium Client | Tanium addressed a denial of service vulnerability in Tanium Client. | 2026-02-06 | 3.3 | CVE-2025-15320 | TAN-2025-023 |
| Tanium--Tanium Appliance | Tanium addressed an improper certificate validation vulnerability in Tanium Appliance. | 2026-02-05 | 3.7 | CVE-2025-15323 | TAN-2025-031 |
| n/a--Mapnik | A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod<...>::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 3.3 | CVE-2025-15564 | VDB-344502 | Mapnik value.cpp operator divide by zero VDB-344502 | CTI Indicators (IOB, IOC, IOA) Submit #743386 | mapnik Mapnik v4.2.0 and master branch Divide By Zero https://github.com/mapnik/mapnik/issues/4545 https://github.com/oneafter/1219/blob/main/repro https://github.com/mapnik/mapnik/ |
| IBM--Jazz Reporting Service | IBM Jazz Reporting Service could allow an authenticated user on the host network to cause a denial of service using specially crafted SQL query that consumes excess memory resources. | 2026-02-04 | 3.5 | CVE-2025-1823 | https://www.ibm.com/support/pages/node/7258083 |
| IBM--Jazz Reporting Service | IBM Jazz Reporting Service could allow an authenticated user on the network to affect the system's performance using complicated queries due to insufficient resource pooling. | 2026-02-04 | 3.5 | CVE-2025-2134 | https://www.ibm.com/support/pages/node/7258083 |
| IBM--Jazz Reporting Service | IBM Jazz Reporting Service could allow an authenticated user on the host network to obtain sensitive information about other projects that reside on the server. | 2026-02-04 | 3.5 | CVE-2025-27550 | https://www.ibm.com/support/pages/node/7258083 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user. | 2026-02-03 | 3.3 | CVE-2025-33081 | https://www.ibm.com/support/pages/node/7257565 |
| HCL--AION | HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. This can allow autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access. This issue affects AION: 2.0. | 2026-02-03 | 3.7 | CVE-2025-52623 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL--AION | HCL AION is susceptible to Missing Content-Security-Policy. An The absence of a CSP header may increase the risk of cross-site scripting and other content injection attacks by allowing unsafe scripts or resources to execute. This issue affects AION: 2.0. | 2026-02-03 | 3.7 | CVE-2025-52629 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL--AION | HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks. This issue affects AION: 2.0. | 2026-02-03 | 3.7 | CVE-2025-52631 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL--AION | HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. This issue affects AION: 2.0. | 2026-02-03 | 3.1 | CVE-2025-52633 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| N/A--Moodle[.]org | A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure. | 2026-02-03 | 3.5 | CVE-2025-67852 | https://access.redhat.com/security/cve/CVE-2025-67852 RHBZ#2423844 |
| webpack--webpack | Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack's HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0. | 2026-02-05 | 3.7 | CVE-2025-68157 | https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758 |
| webpack--webpack | Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack's HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1. | 2026-02-05 | 3.7 | CVE-2025-68458 | https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x |
| DJI--Mavic Mini | A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 3.1 | CVE-2026-1743 | VDB-343674 | DJI Mavic Mini/Air/Spark/Mini SE Enhanced Wi-Fi Pairing authentication replay VDB-343674 | CTI Indicators (IOB, IOC, TTP) Submit #741323 | DJI DJI Mavic Mini, Spark, Mini SE 01.00.0500 and Below Authentication Bypass by Capture-replay https://github.com/ByteMe1001/DJI-CatNect https://github.com/ByteMe1001/DJI-CatNect/blob/main/exploit.c |
| GitLab--GitLab | A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions. | 2026-02-02 | 3.1 | CVE-2026-1751 | GitLab Issue #519340 HackerOne Bug Bounty Report #2980839 |
| Edimax--BR-6258n | A flaw has been found in Edimax BR-6258n up to 1.18. This issue affects the function formStaDrvSetup of the file /goform/formStaDrvSetup. This manipulation of the argument submit-url causes open redirect. The attack can be initiated remotely. The exploit has been published and may be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-05 | 3.5 | CVE-2026-1970 | VDB-344492 | Edimax BR-6258n formStaDrvSetup redirect VDB-344492 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742734 | Edimax BR-6258n v1.18 Open Redirect https://tzh00203.notion.site/EDIMAX-BR-6258n-v1-18-Open-Redirect-Vulnerability-in-Web-formStaDrvSetup-handler-2eeb5c52018a803bb958e4f80cdf2550?source=copy_link |
| n/a--oatpp | A security vulnerability has been detected in oatpp up to 1.3.1. This impacts the function oatpp::data::type::ObjectWrapper::ObjectWrapper of the file src/oatpp/data/type/Type.hpp. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 3.3 | CVE-2026-1990 | VDB-344508 | oatpp Type.hpp ObjectWrapper null pointer dereference VDB-344508 | CTI Indicators (IOB, IOC, IOA) Submit #743387 | oatpp 1.3.1 and master-branch NULL Pointer Dereference https://github.com/oatpp/oatpp/issues/1080 https://github.com/oatpp/oatpp/issues/1080#issue-3806715350 https://github.com/oatpp/oatpp/ |
| n/a--libuvc | A vulnerability was detected in libuvc up to 0.0.7. Affected is the function uvc_scan_streaming of the file src/device.c of the component UVC Descriptor Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 3.3 | CVE-2026-1991 | VDB-344509 | libuvc UVC Descriptor device.c uvc_scan_streaming null pointer dereference VDB-344509 | CTI Indicators (IOB, IOC, IOA) Submit #743388 | libuvc v0.0.7 and master-branch NULL Pointer Dereference https://github.com/libuvc/libuvc/issues/300 https://github.com/oneafter/0104/blob/main/repro https://github.com/libuvc/libuvc/ |
| n/a--micropython | A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue. | 2026-02-06 | 3.3 | CVE-2026-1998 | VDB-344546 | micropython runtime.c mp_import_all memory corruption VDB-344546 | CTI Indicators (IOB, IOC, IOA) Submit #743396 | micropython 0fd0843 Memory Corruption https://github.com/micropython/micropython/issues/18639 https://github.com/micropython/micropython/pull/18671 https://github.com/micropython/micropython/issues/18639#issue-3780651410 https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6 https://github.com/micropython/micropython/ |
| Portabilis--i-Educar | A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 3.5 | CVE-2026-2064 | VDB-344631 | Portabilis i-Educar User Data meusdadod.php cross site scripting VDB-344631 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745108 | Portabilis i-Educar 2.10 Cross Site Scripting https://github.com/nmmorette/vulnerability-research/tree/main/XSS-Idiario |
| ggml-org--llama.cpp | A flaw has been found in ggml-org llama.cpp up to 55abc39. Impacted is the function llama_grammar_advance_stack of the file llama.cpp/src/llama-grammar.cpp of the component GBNF Grammar Handler. This manipulation causes stack-based buffer overflow. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 18993. To fix this issue, it is recommended to deploy a patch. | 2026-02-06 | 3.3 | CVE-2026-2069 | VDB-344636 | ggml-org llama.cpp GBNF Grammar llama-grammar.cpp llama_grammar_advance_stack stack-based overflow VDB-344636 | CTI Indicators (IOB, IOC, IOA) Submit #745263 | llama.cpp commit 55abc39 Stack-based Buffer Overflow https://github.com/ggml-org/llama.cpp/issues/18988 https://github.com/ggml-org/llama.cpp/issues/18988#event-4426704865 https://github.com/user-attachments/files/24761101/poc.zip https://github.com/ggml-org/llama.cpp/pull/18993 https://github.com/ggml-org/llama.cpp/ |
| F5--BIG-IP Edge Client | A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access to sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | 2026-02-04 | 3.3 | CVE-2026-20730 | https://my.f5.com/manage/s/article/K000158931 |
| F5--BIG-IP | A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 3.1 | CVE-2026-20732 | https://my.f5.com/manage/s/article/K000156644 |
| Tasin1025--SwiftBuy | A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 3.7 | CVE-2026-2110 | VDB-344686 | Tasin1025 SwiftBuy login.php excessive authentication VDB-344686 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746251 | Md Tasin Rahman Swiftbuy 1.0 Improper Restriction of Excessive Authentication Attempts https://www.websecurityinsights.my.id/2026/01/swiftbuy-v-10-loginphp-no-limit-to.html |
| cym1102--nginxWebUI | A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. Such manipulation of the argument nginxDir leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 3.5 | CVE-2026-2145 | VDB-344847 | cym1102 nginxWebUI Web Management check cross site scripting VDB-344847 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747404 | cym1102 nginxWebUI 4.3.7 Cross Site Scripting https://github.com/cym1102/nginxWebUI/issues/203 https://github.com/cym1102/nginxWebUI/issues/203#issue-3860109934 https://github.com/cym1102/nginxWebUI/ |
| asterisk--asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | 3.5 | CVE-2026-23738 | https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh |
| Kubernetes--ingress-nginx | A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component. | 2026-02-03 | 3.1 | CVE-2026-24513 | https://github.com/kubernetes/kubernetes/issues/136679 |
| fastify--fastify | Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify's Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3. | 2026-02-03 | 3.7 | CVE-2026-25224 | https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37 https://hackerone.com/reports/3524779 |
| opf--openproject | OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to the Work package section when creating time tracking. This issue has been patched in versions 16.6.7 and 17.0.3. | 2026-02-06 | 3.5 | CVE-2026-25764 | https://github.com/opf/openproject/security/advisories/GHSA-q523-c695-h3hp https://github.com/opf/openproject/releases/tag/v16.6.7 https://github.com/opf/openproject/releases/tag/v17.0.3 |
| Fortinet--FortiOS | Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option. | 2026-02-05 | 3.2 | CVE-2026-25815 | https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings. | 2026-02-02 | 2.7 | CVE-2025-13881 | https://access.redhat.com/security/cve/CVE-2025-13881 RHBZ#2418330 |
| Tanium--Tanium Appliance | Tanium addressed an improper input validation vulnerability in Tanium Appliance. | 2026-02-05 | 2.7 | CVE-2025-15321 | TAN-2025-024 |
| IBM--PowerVM Hypervisor | IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 may expose a limited amount of data to a peer partition in specific shared processor configurations during certain operations. | 2026-02-02 | 2.8 | CVE-2025-36194 | https://www.ibm.com/support/pages/node/7257555 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak's CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. | 2026-02-02 | 2.7 | CVE-2026-1518 | https://access.redhat.com/security/cve/CVE-2026-1518 RHBZ#2433727 |
| D-Link--DSL-6641K | A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-02 | 2.4 | CVE-2026-1744 | VDB-343675 | D-Link DSL-6641K sp_pppoe_user.js doSubmitPPP cross site scripting VDB-343675 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742439 | D-Link DSL6641K version N8.TR069.20131126 Cross Site Scripting https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-sp_pppoe_user-js-Configuration-2eeb5c52018a80d083aaf19efbaa9130?source=copy_link https://www.dlink.com/ |
| Hillstone Networks--Operation and Maintenance Security Gateway | Unrestricted Upload of File with Dangerous Type vulnerability in Hillstone Networks Operation and Maintenance Security Gateway on Linux allows Upload a Web Shell to a Web Server. This issue affects Operation and Maintenance Security Gateway: V5.5ST00001B113. | 2026-02-04 | 2.7 | CVE-2026-1791 | https://www.hillstonenet.com.cn/security-notification/2025/12/08/wgscld/ |
| Edimax--BR-6288ACL | A vulnerability has been found in Edimax BR-6288ACL up to 1.12. Impacted is the function wiz_WISP24gmanual of the file wiz_WISP24gmanual.asp. Such manipulation of the argument manualssid leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 2.4 | CVE-2026-1971 | VDB-344493 | Edimax BR-6288ACL wiz_WISP24gmanual.asp wiz_WISP24gmanual cross site scripting VDB-344493 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743318 | Edimax BR6288ACL v1.12 Cross Site Scripting https://tzh00203.notion.site/EDIMAX-BR6288ACL-v1-12-XSS-via-wiz_WISP24gmanual-asp-Configuration-2eeb5c52018a802e8ed9f6d000f7a6aa?source=copy_link |
| code-projects--Online Student Management System | A weakness has been identified in code-projects Online Student Management System 1.0. The impacted element is an unknown function of the file /admin/announcement/index.php?view=add of the component Announcement Management Module. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 2.4 | CVE-2026-2156 | VDB-344858 | code-projects Online Student Management System Announcement Management index.php cross site scripting VDB-344858 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748328 | code-projects Online Student Management System in PHP latest (no version specified by vendor) Cross-Site Scripting https://github.com/baguette168/CVE/issues/1 https://code-projects.org/ |
| asterisk--asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | 2 | CVE-2026-23739 | https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| wintercms--winter | Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10. | 2026-02-06 | not yet calculated | CVE-2026-22254 | https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65 https://github.com/wintercms/winter/releases/tag/v1.2.10 |
| asterisk--asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | not yet calculated | CVE-2026-23740 | https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c |
| asterisk--asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | not yet calculated | CVE-2026-23741 | https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3 |
| Arox--School ERP Pro | School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server. | 2026-02-03 | not yet calculated | CVE-2020-37084 | ExploitDB-48392 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 Admin Profile Photo Upload Remote Code Execution Vulnerability |
| Rubikon Teknoloji--Easy Transfer | Easy Transfer Wifi Transfer v1.7 for iOS contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts by manipulating the oldPath, newPath, and path parameters in Create Folder and Move/Edit functions. Attackers can exploit improper input validation via POST requests to execute arbitrary JavaScript in the context of the mobile web application. | 2026-02-03 | not yet calculated | CVE-2020-37087 | ExploitDB-48395 Vulnerability-Lab Advisory Official App Store Product Page VulnCheck Advisory: Easy Transfer 1.7 for iOS - Persistent Cross-Site Scripting |
| PHP-Fusion--PHP-Fusion | PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. This can be exploited by submitting crafted input to the 'panel_content' field in panels.php, resulting in execution of malicious scripts in the context of the affected site. | 2026-02-05 | not yet calculated | CVE-2020-37152 | Vendor Homepage ExploitDB-48299 VulnCheck Advisory: PHP-Fusion 9.03.50 panels.php - Cross-Site Scripting (XSS) |
| parisneo--parisneo/lollms-webui | A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reinstall_extension")` route. This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of `data.name` directly with `lollmsElfServer.lollms_paths.extensions_zoo_path` and its use as an argument for `ExtensionBuilder().build_extension()`. The server's handling of the `__init__.py` file in arbitrary locations, facilitated by `importlib.machinery.SourceFileLoader`, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to `0.0.0.0` or in `headless mode`. No user interaction is required for exploitation. | 2026-02-02 | not yet calculated | CVE-2024-2356 | https://huntr.com/bounties/cb9867b4-28e3-4406-9031-f66fc28553d4 https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25 |
| lunary-ai--lunary-ai/lunary | In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user's project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies. | 2026-02-02 | not yet calculated | CVE-2024-4147 | https://huntr.com/bounties/3f051943-71ea-414c-a528-cd8b5d82a7ad https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f |
| lunary-ai--lunary-ai/lunary | In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role user sends a specific request to the server, which responds with a password reset token in the 'recoveryToken' parameter. This token can then be used to reset the password of another user's account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts. | 2026-02-02 | not yet calculated | CVE-2024-5386 | https://huntr.com/bounties/602eb4a1-305d-46d6-b975-5a5d8b040ad1 https://github.com/lunary-ai/lunary/commit/fc7ab3d5621c18992da5dab3a2a9a8d227d42311 |
| h2oai--h2oai/h2o-3 | A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the `/3/Frames/framename/export` endpoint. The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files. | 2026-02-02 | not yet calculated | CVE-2024-5986 | https://huntr.com/bounties/64ff5319-6ac3-4447-87f7-b53495d4d5a3 |
| Nokia--Infinera DNA | Infinera DNA is vulnerable to a time-based SQL injection vulnerability due to insufficient input validation, which may result in leaking of sensitive information. | 2026-02-05 | not yet calculated | CVE-2025-10258 | Nokia Product Security Advisory |
| mlflow--mlflow/mlflow | In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0. | 2026-02-02 | not yet calculated | CVE-2025-10279 | https://huntr.com/bounties/01d3b81e-13d1-43aa-b91a-443aec68bdc8 https://github.com/mlflow/mlflow/commit/1d7c8d4cf0a67d407499a8a4ffac387ea4f8194a |
| Wikimedia Foundation--OATHAuth | Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-11173 | https://phabricator.wikimedia.org/T401862 https://phabricator.wikimedia.org/T402094 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2. | 2026-02-03 | not yet calculated | CVE-2025-11261 | https://https://phabricator.wikimedia.org/T406322 https://phabricator.wikimedia.org/T402077 |
| Centralny Orodek Informatyki--mObywatel | In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view displayed before the application was minimized This issue was fixed in version 4.71.0 | 2026-02-03 | not yet calculated | CVE-2025-11598 | https://info.mobywatel.gov.pl/ https://cert.pl/posts/2026/02/CVE-2025-11598 |
| silabs.com--Simplicity SDK | A truncated 802.15.4 packet can lead to an assert, resulting in a denial of service. | 2026-02-05 | not yet calculated | CVE-2025-12131 | https://community.silabs.com/068Vm00000g8dP3 |
| Brocade--SANnav | A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption (PBE) key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the pbe key. Note: The vulnerability is only triggered during a migration and not in a new installation. The system audit logs are accessible only to a privileged user on the server. These audit logs are the local server VM's audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user. | 2026-02-02 | not yet calculated | CVE-2025-12679 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36845 |
| Brocade--SANnav | Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password. | 2026-02-02 | not yet calculated | CVE-2025-12680 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844 |
| Brocade--SANnav | Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs. When OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password. | 2026-02-02 | not yet calculated | CVE-2025-12772 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36846 |
| Brocade--SANnav | A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password. | 2026-02-03 | not yet calculated | CVE-2025-12773 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36847 |
| Brocade--SANnav | A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file. An attacker with access to Brocade SANnav supportsave file, could open the file and then obtain sensitive information such as details of database tables and encrypted passwords. | 2026-02-03 | not yet calculated | CVE-2025-12774 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36848 |
| ASUS--ASUS Business Manager | An improper access control vulnerability exists in ASUS Secure Delete Driver of ASUS Business Manager. This vulnerability can be triggered by a local user sending a specially crafted request, potentially leading to the creation of arbitrary files in a specified path. Refer to the "Security Update for ASUS Business Manager" section on the ASUS Security Advisory for more information. | 2026-02-02 | not yet calculated | CVE-2025-13348 | https://www.asus.com/security-advisory/ |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2025-13473 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| ESET spol s.r.o.--ESET Management Agent | Local privilege escalation vulnerability via insecure temporary batch file execution in ESET Management Agent | 2026-02-06 | not yet calculated | CVE-2025-13818 | https://support.eset.com/en/ca8913-eset-customer-advisory-local-privilege-escalation-via-insecure-temporary-batch-file-execution-in-eset-management-agent-for-windows-fixed |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2025-14550 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| Unknown--User Profile Builder | The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account | 2026-02-02 | not yet calculated | CVE-2025-15030 | https://wpscan.com/vulnerability/344cb1b1-342e-44b2-ae4a-3bb31be56b22/ |
| Mitsubishi Electric Corporation--MELSEC iQ-R Series R08PCPU | Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU allows an unauthenticated attacker to read device data or part of a control program from the affected product, write device data in the affected product, or cause a denial of service (DoS) condition on the affected product by sending a specially crafted packet containing a specific command to the affected product. | 2026-02-05 | not yet calculated | CVE-2025-15080 | https://jvn.jp/vu/JVNVU95093080/ https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-020_en.pdf https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-02 |
| Unknown--Library Viewer | The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2026-02-02 | not yet calculated | CVE-2025-15396 | https://wpscan.com/vulnerability/08790e11-019d-4680-a75f-ee0a937f8cc8/ |
| Unknown--Post Slides | The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks | 2026-02-07 | not yet calculated | CVE-2025-15491 | https://wpscan.com/vulnerability/eb0424cc-e60c-44a5-aa24-cd1fe042b27a/ |
| TP-Link Systems Inc.--Archer MR200 v5.2 | The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge. | 2026-02-05 | not yet calculated | CVE-2025-15551 | https://www.tp-link.com/en/support/download/archer-mr200/v5.20/#Firmware https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware https://www.tp-link.com/in/support/download/tl-wr850n/#Firmware https://www.tp-link.com/en/support/download/tl-wr845n/#Firmware https://www.tp-link.com/in/support/download/archer-mr200/v5.20/#Firmware https://www.tp-link.com/in/support/download/archer-c20/v6/#Firmware https://www.tp-link.com/in/support/download/tl-wr845n/#Firmware https://www.tp-link.com/us/support/faq/4948/ |
| notepad-plus-plus--notepad-plus-plus | Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user. | 2026-02-03 | not yet calculated | CVE-2025-15556 | https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix https://notepad-plus-plus.org/news/hijacked-incident-info-update/ https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification |
| TP-Link Systems Inc.--Tapo H100 v1 | An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications. This may compromise the confidentiality and integrity of device-to-cloud communication, enabling manipulation of device data or operations. | 2026-02-05 | not yet calculated | CVE-2025-15557 | https://www.tp-link.com/us/support/download/tapo-h100/ https://www.tp-link.com/us/support/download/tapo-p100/ https://www.tp-link.com/en/support/download/tapo-h100/ https://www.tp-link.com/en/support/download/tapo-p100/ https://www.tp-link.com/us/support/faq/4949/ |
| Go standard library--os | It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. | 2026-02-04 | not yet calculated | CVE-2025-22873 | https://go.dev/cl/670036 https://go.dev/issue/73555 https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ https://pkg.go.dev/vuln/GO-2026-4403 |
| Hancom Inc.--Hancom Office 2018 | Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Hancom Inc. Hancom Office 2018, Hancom Inc. Hancom Office 2020, Hancom Inc. Hancom Office 2022, Hancom Inc. Hancom Office 2024 allows File Content Injection. This issue affects Hancom Office 2018: before 10.0.0.12681; Hancom Office 2020: before 11.0.0.8916; Hancom Office 2022: before 12.0.0.4426; Hancom Office 2024: before 13.0.0.3050. | 2026-02-04 | not yet calculated | CVE-2025-29867 | https://www.boho.or.kr/kr/bbs/view.do?searchCnd=&bbsId=B0000302&searchWrd=&menuNo=205023&pageIndex=1&categoryCode=&nttId=71959 https://www.hancom.com/support/downloadCenter/download |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.32, there is a DoS vulnerability in ReadRSSFeedBlock. In RSSBlock, feedparser.parser is called to obtain the XML file according to the URL input by the user, parse the XML, and finally obtain the parsed result. However, during the parsing process, there is no limit on the parsing time and the resources that can be allocated for parsing. When a malicious user lets RSSBlock parse a carefully constructed, deep XML, it will cause memory resources to be exhausted, eventually causing DoS. This issue has been patched in autogpt-platform-beta-v0.6.32. | 2026-02-05 | not yet calculated | CVE-2025-32393 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-5cqw-g779-9f9x https://github.com/Significant-Gravitas/AutoGPT/commit/57a06f70883ce6be18738c6ae8bb41085c71e266 |
| Luna Imaging--LUNA | Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by inyecting a malicious payload through the 'Edit Batch Name' function. THe payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-02-03 | not yet calculated | CVE-2025-41065 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-luna-luna-imaging |
| Apidog--Apidog Web Platform | Stored Cross-Site Scripting (XSS) vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and executed in the context of any user accessing the compromised resource. | 2026-02-04 | not yet calculated | CVE-2025-41085 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-apidog-web-platform |
| n/a--Tinyfilemanager 2.6 | Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain name. This may lead to unauthorized port scanning or access to internal-only services. | 2026-02-03 | not yet calculated | CVE-2025-46651 | https://github.com/prasathmani/tinyfilemanager/blob/master/tinyfilemanager.php#L608 https://github.com/RobertoLuzanilla/tinyfilemanager-security-advisories/blob/main/CVE-2025-46651.md |
| golang.org/x/net--golang.org/x/net/html | The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | 2026-02-05 | not yet calculated | CVE-2025-47911 | https://go.dev/cl/709876 https://github.com/golang/vulndb/issues/4440 https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c https://pkg.go.dev/vuln/GO-2026-4440 |
| n/a--Beijing YouDataSum Tech | YouDataSum CPAS Audit Management System <=v4.9 is vulnerable to SQL Injection in /cpasList/findArchiveReportByDah due to insufficient input validation. This allows remote unauthenticated attackers to execute arbitrary SQL commands via crafted input to the parameter. Successful exploitation could lead to unauthorized data access | 2026-02-03 | not yet calculated | CVE-2025-57529 | https://github.com/songqb-xx/CPAS-bug https://github.com/songqb-xx/CVE-2025-57529/blob/main/README.md |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted set of network packets containing an excessive number of host entries This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-58077 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| golang.org/x/net--golang.org/x/net/html | The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | 2026-02-05 | not yet calculated | CVE-2025-58190 | https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c https://github.com/golang/vulndb/issues/4441 https://go.dev/cl/709875 https://pkg.go.dev/vuln/GO-2026-4441 |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/send_delts write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58340 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58340/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/ap_cert_disable_ht_vht write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58341 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58341/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/uapsd write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58342 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58342/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/create_tspec write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58343 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58343/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation in a /proc/driver/unifi0/conn_log_event_burst_to_us write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58344 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58344/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/ap_certif_11ax_mode write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58345 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58345/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/send_addts write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58346 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58346/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/p2p_certif write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58347 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58347/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/confg_tspec write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58348 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58348 |
| Brocade--Fabric OS | Brocade Fabric OS before 9.2.1 has a vulnerability that could allow a local authenticated attacker to reveal command line passwords using commands that may expose higher privilege sensitive information by a lower privileged user. | 2026-02-03 | not yet calculated | CVE-2025-58379 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36850 |
| Brocade--Fabric OS | A vulnerability in Brocade Fabric OS before 9.2.1 could allow an authenticated attacker with admin privileges using the shell command "grep" to modify the path variables and move upwards in the directory structure or to traverse to different directories. | 2026-02-03 | not yet calculated | CVE-2025-58380 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36854 |
| Brocade--Fabric OS | A vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an authenticated attacker with admin privileges using the shell commands "source, ping6, sleep, disown, wait to modify the path variables and move upwards in the directory structure or to traverse to different directories. | 2026-02-03 | not yet calculated | CVE-2025-58381 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36853 |
| Brocade--Fabric OS | A vulnerability in the secure configuration of authentication and management services in Brocade Fabric OS before Fabric OS 9.2.1c2 could allow an authenticated, remote attacker with administrative credentials to execute arbitrary commands as root using "supportsave", "seccertmgmt", "configupload" command. | 2026-02-03 | not yet calculated | CVE-2025-58382 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36849 |
| Brocade--Fabric OS | A vulnerability in Brocade Fabric OS versions before 9.2.1c2 could allow an administrator-level user to execute the bind command, to escalate privileges and bypass security controls allowing the execution of arbitrary commands. | 2026-02-03 | not yet calculated | CVE-2025-58383 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36878 |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-58455 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in Samsung Mobile Processor, Wearable Processor and Modem Exynos 980, 990, 850, 1080, 9110, W920, W930, W1000 and Modem 5123. Incorrect handling of NAS Registration messages leads to a Denial of Service because of Improper Handling of Exceptional Conditions. | 2026-02-03 | not yet calculated | CVE-2025-59439 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59439/ |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-59482 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code. The vulnerability arises from improper validation of a packet field whose offset is used to determine the write location in memory. By crafting a packet with a manipulated field offset, an attacker can redirect writes to arbitrary memory locations. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-59487 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| NICE--NICE Chat | HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session. The injected HTML is included in the body of the email sent by the system, which could enable phishing attacks, impersonation, or credential theft. | 2026-02-03 | not yet calculated | CVE-2025-59902 | https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-nice-chat |
| www[.]pchelpsoft[.]com--Avanquest Driver Updater v.9 | Insecure Permissions vulnerability in avanquest Driver Updater v.9.1.57803.1174 allows a local attacker to escalate privileges via the Driver Updater Service windows component. | 2026-02-03 | not yet calculated | CVE-2025-60865 | https://www.pchelpsoft.com/products/driver-updater/ https://github.com/parad0x1334/CVE-Disclosures/tree/50e5d2bf33b2926db2cb14d47d392b38ac619a41/Driver%20Updater%20-%20PCHelpsoft |
| n/a--MediaCrush | An issue was discovered in MediaCrush thru 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint. | 2026-02-03 | not yet calculated | CVE-2025-61506 | https://gist.github.com/pescada-dev/a046d36e8026bbaf1ee591c6dad0d7e6 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61634 | https://phabricator.wikimedia.org/T387478 |
| Wikimedia Foundation--ConfirmEdit | Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php. This issue affects ConfirmEdit: *. | 2026-02-02 | not yet calculated | CVE-2025-61635 | https://phabricator.wikimedia.org/T355073 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61636 | https://phabricator.wikimedia.org/T394396 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61637 | https://phabricator.wikimedia.org/T394856 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1. | 2026-02-02 | not yet calculated | CVE-2025-61638 | https://phabricator.wikimedia.org/T401099 |
| Wikimedia Foundation--MediaWiki | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61639 | https://phabricator.wikimedia.org/T280413 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61640 | https://phabricator.wikimedia.org/T402075 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61641 | https://phabricator.wikimedia.org/T298690 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61642 | https://phabricator.wikimedia.org/T402313 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61643 | https://phabricator.wikimedia.org/T403757 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before > fb856ce9cf121e046305116852cca4899ecb48ca. | 2026-02-02 | not yet calculated | CVE-2025-61644 | https://phabricator.wikimedia.org/T403411 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61645 | https://phabricator.wikimedia.org/T403761 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61646 | https://phabricator.wikimedia.org/T398706 |
| Wikimedia Foundation--CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php. This issue affects CheckUser: from a3dc1bbcc33acbcca6831d6afaccbb1054c93a57, 0584eb2ad564648aa3ce9c555dd044dda02b55f4. | 2026-02-03 | not yet calculated | CVE-2025-61647 | https://phabricator.wikimedia.org/T399093 |
| Wikimedia Foundation--CheckUser | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/ShowIPButton.Vue, modules/ext.CheckUser.TempAccounts/SpecialBlock.Js. This issue affects CheckUser: from * before 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61648 | https://phabricator.wikimedia.org/T402077 |
| Wikimedia Foundation--CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from 7cedd58781d261f110651b6af4f41d2d11ae7309. | 2026-02-03 | not yet calculated | CVE-2025-61649 | https://phabricator.wikimedia.org/T397396 |
| Wikimedia Foundation--CheckUser | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from * before 795bf333272206a0189050d975e94b70eb7dc507. | 2026-02-03 | not yet calculated | CVE-2025-61650 | https://phabricator.wikimedia.org/T403289 |
| Wikimedia Foundation--CheckUser | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser/checkuser/checkUserHelper/buildUserElement.Js. This issue affects CheckUser: from * before 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61651 | https://phabricator.wikimedia.org/T403408 |
| Wikimedia Foundation--DiscussionTools | Vulnerability in Wikimedia Foundation DiscussionTools. This issue affects DiscussionTools: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61652 | https://phabricator.wikimedia.org/T397580 |
| Wikimedia Foundation--TextExtracts | Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php. This issue affects TextExtracts: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61653 | https://phabricator.wikimedia.org/T397577 |
| Wikimedia Foundation--Thanks | Vulnerability in Wikimedia Foundation Thanks. This vulnerability is associated with program files includes/ThanksQueryHelper.Php. This issue affects Thanks: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61654 | https://phabricator.wikimedia.org/T397497 https://nvd.nist.gov/vuln/detail/CVE-2025-62661 |
| Wikimedia Foundation--VisualEditor | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArticleTarget.Js, modules/ve-mw/ui/dialogs/ve.Ui.MWSaveDialog.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61655 | https://phabricator.wikimedia.org/T395858 |
| Wikimedia Foundation--VisualEditor | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61656 | https://phabricator.wikimedia.org/T397232 |
| Wikimedia Foundation--Vector | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/stickyHeader.Js. This issue affects Vector: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61657 | https://phabricator.wikimedia.org/T398636 |
| Wikimedia Foundation--CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/GlobalContributionsPager.Php. This issue affects CheckUser: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61658 | https://phabricator.wikimedia.org/T404805 |
| Go toolchain--cmd/cgo | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | 2026-02-05 | not yet calculated | CVE-2025-61732 | https://go.dev/cl/734220 https://go.dev/issue/76697 https://groups.google.com/g/golang-announce/c/K09ubi9FQFk https://pkg.go.dev/vuln/GO-2026-4433 |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-61944 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-61983 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| run-llama--run-llama/llama_index | The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41. | 2026-02-02 | not yet calculated | CVE-2025-6208 | https://huntr.com/bounties/7d722bb6-6567-4608-8b23-f95048d7605a https://github.com/run-llama/llama_index/commit/53614e2f7913c0e86b58add9470b3c900b6c60b2 |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62404 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62405 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.--Archer AX53 v1.0 | SSH Hostkey misconfiguration vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) attack. This could enable unauthorized access if captured credentials are reused. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62501 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage - specifically by tampering with the length field in readPropertySeq - are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versi ons 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62599 | https://security-tracker.debian.org/tracker/CVE-2025-62599 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage - specifically by tampering with the length field in readBinaryPropertySeq - are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62600 | https://security-tracker.debian.org/tracker/CVE-2025-62600 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage - specifically by tampering with the `str_size` value read by `readString` (called from `readBinaryProperty`) - are modified, a 32-bit integer overflow can occur, causing `std::vector::resize` to use an attacker-controlled size and quickly trigger heap buffer overflow and remote process term ination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62601 | https://security-tracker.debian.org/tracker/CVE-2025-62601 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with - specially `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter - the attacker-contro lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62602 | https://security-tracker.debian.org/tracker/CVE-2025-62602 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i .e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p atch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62603 | https://security-tracker.debian.org/tracker/CVE-2025-62603 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in RSSFeedBlock, the third-party library urllib.request.urlopen is used directly to access the URL, but the input URL is not filtered, which will cause SSRF vulnerability. This issue has been patched in autogpt-platform-beta-v0.6.34. | 2026-02-04 | not yet calculated | CVE-2025-62615 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r55v-q5pc-j57f |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in SendDiscordFileBlock, the third-party library aiohttp.ClientSession().get is used directly to access the URL, but the input URL is not filtered, which will cause SSRF vulnerability. This issue has been patched in autogpt-platform-beta-v0.6.34. | 2026-02-04 | not yet calculated | CVE-2025-62616 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-ggc4-4fmm-9hmc |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tdpserver modules) allows adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a maliciously formed field. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62673 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption ( RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62799 | https://security-tracker.debian.org/tracker/CVE-2025-62799 https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659 https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46 https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514 |
| Articentgroup--Zip Rar Extractor 1.3 | Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. | 2026-02-03 | not yet calculated | CVE-2025-63372 | https://articentgroup.com/zip-rar-extractor-tool/ |
| Shandong Kede Electronics--Water meter monitor v.1 | SQL Injection vulnerability in Shandong Kede Electronics Co., Ltd IoT smart water meter monitoring platform v.1.0 allows a remote attacker to execute arbitrary code via the imei_list.aspx file. | 2026-02-03 | not yet calculated | CVE-2025-63624 | https://github.com/songqb-xx/Internet-of-Things-Smart-Water-Meter-Monitoring-Platform-Unauthorized-RCE |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with - specifically by ta mpering with the the `vecsize` value read by `readOctetVector` - a 32-bit integer overflow can occur, causing `std::vector ::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3 .3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-64098 | https://security-tracker.debian.org/tracker/CVE-2025-64098 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | not yet calculated | CVE-2025-64111 | https://github.com/gogs/gogs/security/advisories/GHSA-gg64-xxr9-qhjp |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim's username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim's 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | not yet calculated | CVE-2025-64175 | https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast -DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList .base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of s equence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch t he issue. | 2026-02-03 | not yet calculated | CVE-2025-64438 | https://security-tracker.debian.org/tracker/CVE-2025-64438 https://github.com/eProsima/Fast-DDS/commit/0b0cb308eaeeb2175694aa0a0a723106824ce9a7 https://github.com/eProsima/Fast-DDS/commit/71da01b4aea4d937558984f2cf0089f5ba3c871f https://github.com/eProsima/Fast-DDS/commit/8ca016134dac20b6e30e42b7b73466ef7cdbc213 |
| decidim--decidim | Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0. | 2026-02-03 | not yet calculated | CVE-2025-65017 | https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp https://github.com/decidim/decidim/pull/13571 https://github.com/decidim/decidim/releases/tag/v0.30.4 https://github.com/decidim/decidim/releases/tag/v0.31.0 |
| Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | A relative path traversal vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65077 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code. | 2026-02-03 | not yet calculated | CVE-2025-65078 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | A heap-based buffer overflow vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65079 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | A type confusion vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65080 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | An out-of-bounds read vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65081 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php. This issue affects MediaWiki: >= 1.42.0. | 2026-02-02 | not yet calculated | CVE-2025-6589 | https://phabricator.wikimedia.org/T391343 |
| Wikimedia Foundation--MediaWiki | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6590 | https://phabricator.wikimedia.org/T392746 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6591 | https://phabricator.wikimedia.org/T392276 |
| Wikimedia Foundation--AbuseFilter | Vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects AbuseFilter: from fe0b1cb9e9691faf4d8d9bd80646589f6ec37615 before 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6592 | https://phabricator.wikimedia.org/T391218 |
| n/a--ERPNext | A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext web interface. This exposure may allow an attacker to compromise user sessions or perform unauthorized actions under the context of a victim's account. | 2026-02-03 | not yet calculated | CVE-2025-65923 | https://github.com/frappe/frappe_docker.git |
| n/a--ERPNext | ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function. | 2026-02-03 | not yet calculated | CVE-2025-65924 | https://github.com/frappe/frappe_docker.git |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6593 | https://phabricator.wikimedia.org/T396230 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6594 | https://phabricator.wikimedia.org/T395063 |
| Wikimedia Foundation--MultimediaViewer | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer. This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6595 | https://phabricator.wikimedia.org/T394863 |
| Wikimedia Foundation--Vector | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js. This issue affects Vector: from >= 1.40.0 before 1.42.7, 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6596 | https://phabricator.wikimedia.org/T396685 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6597 | https://phabricator.wikimedia.org/T389009 |
| CyberArk--CyberArk Endpoint Agent v25.10.0 | CyberArk Endpoint Privilege Manager Agent through 25.10.0 allows a local user to achieve privilege escalation through policy elevation of an Administration task. | 2026-02-03 | not yet calculated | CVE-2025-66374 | https://www.cyberark.com/product-security/ https://www.cyberark.com/ca26-01 https://docs.cyberark.com/epm/latest/en/content/release%20notes/rn-whatsnew25-12.htm#Security |
| TOTOlink--A950RG Router | TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a buffer overflow vulnerability in the setUrlFilterRules interface of /lib/cste_modules/firewall.so. The vulnerability occurs because the `url` parameter is not properly validated for length, allowing remote attackers to trigger a buffer overflow, potentially leading to arbitrary code execution or denial of service. | 2026-02-03 | not yet calculated | CVE-2025-67186 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setUrlFliterRules-url-buffer.md |
| TOTOlink--A950RG Router | A stack-based buffer overflow vulnerability was identified in TOTOLINK A950RG V4.1.2cu.5204_B20210112. The flaw exists in the setIpQosRules interface of /lib/cste_modules/firewall.so where the comment parameter is not properly validated for length. | 2026-02-03 | not yet calculated | CVE-2025-67187 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setIpQosRules-comment-buffer.md |
| TOTOlink--A950RG Router | A buffer overflow vulnerability exists in TOTOLINK A950RG V4.1.2cu.5204_B20210112. The issue resides in the setRadvdCfg interface of the /lib/cste_modules/ipv6.so module. The function fails to properly validate the length of the user-controlled radvdinterfacename parameter, allowing remote attackers to trigger a stack buffer overflow. | 2026-02-03 | not yet calculated | CVE-2025-67188 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-ipv6-setRadvdCfg-radvdinterfacename-buffer.md |
| TOTOlink--A950RG Router | A buffer overflow vulnerability exists in the setParentalRules interface of TOTOLINK A950RG V4.1.2cu.5204_B20210112. The urlKeyword parameter is not properly validated, and the function concatenates multiple user-controlled fields into a fixed-size stack buffer without performing boundary checks. A remote attacker can exploit this flaw to cause denial of service or potentially achieve arbitrary code execution. | 2026-02-03 | not yet calculated | CVE-2025-67189 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setParentRules-urlKeyWord-buffer.md |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67475 | https://phabricator.wikimedia.org/T406664 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67476 | https://phabricator.wikimedia.org/T405859 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67477 | https://phabricator.wikimedia.org/T406639 |
| Wikimedia Foundation--CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-67478 | https://phabricator.wikimedia.org/T385403 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-67479 | https://phabricator.wikimedia.org/T407131 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67480 | https://phabricator.wikimedia.org/T401053 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67481 | https://phabricator.wikimedia.org/T251032 |
| Wikimedia Foundation--Scribunto | Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: from * before fea2304f8f6ab30314369a612f4f5b165e68e95a. | 2026-02-03 | not yet calculated | CVE-2025-67482 | https://phabricator.wikimedia.org/T408135 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67483 | https://phabricator.wikimedia.org/T409226 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67484 | https://phabricator.wikimedia.org/T401995 |
| Go standard library--crypto/tls | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. | 2026-02-05 | not yet calculated | CVE-2025-68121 | https://groups.google.com/g/golang-announce/c/K09ubi9FQFk https://go.dev/cl/737700 https://go.dev/issue/77217 https://pkg.go.dev/vuln/GO-2026-4337 |
| Axigen--Mail Server | Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and inserted into the DOM, causing the injected script to execute. | 2026-02-05 | not yet calculated | CVE-2025-68643 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebMail-Stored-XSS-Vulnerability-CVE-2025-68643-_405.html |
| Axigen--Mail Server | Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section. | 2026-02-05 | not yet calculated | CVE-2025-68721 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Improper-Access-Control-Vulnerability-CVE-2025-68721-_406.html |
| Axigen--Mail Server | Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations. | 2026-02-05 | not yet calculated | CVE-2025-68722 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebAdmin-CSRF-Vulnerability-CVE-2025-68722-_407.html |
| Axigen--Mail Server | Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Listeners SSL settings. Attackers can inject malicious JavaScript payloads that execute in administrators' browsers when they access affected pages or features, enabling privilege escalation attacks where low-privileged admins can force high-privileged admins to perform unauthorized actions. | 2026-02-05 | not yet calculated | CVE-2025-68723 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Stored-XSS-Vulnerabilities-CVE-2025-68723-_408.html |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server. | 2026-02-06 | not yet calculated | CVE-2025-69212 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36 |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists. | 2026-02-04 | not yet calculated | CVE-2025-69213 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter. | 2026-02-06 | not yet calculated | CVE-2025-69214 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, there is a SQL Injection vulnerability in the Stampe Module. At time of publication, no known patch exists. | 2026-02-04 | not yet calculated | CVE-2025-69215 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qx9p-w3vj-q24q |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability exists in templates/scadenzario/init.php, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability enables complete database read access through error-based SQL injection techniques. | 2026-02-06 | not yet calculated | CVE-2025-69216 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php. This issue affects MediaWiki: from >= 1.42.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6927 | https://phabricator.wikimedia.org/T397595 |
| ORICO--NAS CD3510 | The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files. | 2026-02-03 | not yet calculated | CVE-2025-69429 | https://www.notion.so/ORICO-NAS-Incorrect-Symlink-Follow-2c36cf4e528a80b7bf0be4dcac758419?source=copy_link |
| Yottamaster NAS-- Symlink Follow | An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files. | 2026-02-03 | not yet calculated | CVE-2025-69430 | https://www.notion.so/Yottamaster-Incorrect-Symlink-Follow-2c36cf4e528a8001b37cdad4be7431f8?source=copy_link |
| ZSPACE--Q2C NAS | The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, and then access the USB drive's directory mounted on the NAS using the Samba protocol. This allows them to obtain all files within the NAS system and tamper with those files. | 2026-02-03 | not yet calculated | CVE-2025-69431 | https://www.notion.so/ZSPACE-Incorrect-Symlink-Follow-2c26cf4e528a8087ba14d9b1d31a5bb2?source=copy_link |
| Coto[.]com--Tarot, Astro & Healing v11.4 | An arbitrary file overwrite vulnerability in the file import process of Tarot, Astro & Healing v11.4.0 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. | 2026-02-04 | not yet calculated | CVE-2025-69618 | https://secsys.fudan.edu.cn/ http://coto.com https://coto.world/ https://github.com/Secsys-FDU/AF_CVEs/issues/9 |
| Zipperapp[.]cafe24--Text Editor v1.6.2 | A path traversal in My Text Editor v1.6.2 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. | 2026-02-05 | not yet calculated | CVE-2025-69619 | http://my.com https://secsys.fudan.edu.cn/ http://zipperapp.cafe24.com/ https://github.com/Secsys-FDU/AF_CVEs/issues/10 |
| n/a--Moo Chan Song v4.5.7 | A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. | 2026-02-04 | not yet calculated | CVE-2025-69620 | https://secsys.fudan.edu.cn/ http://office.com http://www.ntoolslab.com/ https://github.com/Secsys-FDU/AF_CVEs/issues/11 |
| n/a--Comic Book Reader v1.0.95 | An arbitrary file overwrite vulnerability in the file import process of Comic Book Reader v1.0.95 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. | 2026-02-04 | not yet calculated | CVE-2025-69621 | https://secsys.fudan.edu.cn/ http://comic.com https://android-tools.ru/ https://github.com/Secsys-FDU/AF_CVEs/issues/12 |
| n/a--NetBox | NetBox is an open-source infrastructure resource modeling and IP address management platform. A reflected cross-site scripting (XSS) vulnerability exists in versions 2.11.0 through 3.7.x in the ProtectedError handling logic, where object names are included in HTML error messages without proper escaping. This allows user-controlled content to be rendered in the web interface when a delete operation fails due to protected relationships, potentially enabling execution of arbitrary client-side code in the context of a privileged user. | 2026-02-03 | not yet calculated | CVE-2025-69848 | https://github.com/netbox-community/netbox |
| n/a--Quick Heal Security 23.0.0 | A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can be abused by a local attacker to place files in high-privilege locations, potentially leading to privilege escalation. | 2026-02-03 | not yet calculated | CVE-2025-69875 | https://github.com/mertdas/QuickHealTotalSecurityPOC https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59439/ |
| n/a--Monstra CMS v3.0.4 | Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution. | 2026-02-05 | not yet calculated | CVE-2025-69906 | https://github.com/monstra-cms/monstra/tree/master/plugins/box/filesmanager https://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE |
| n/a--FUXA v1.2.7 | FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation. | 2026-02-03 | not yet calculated | CVE-2025-69970 | https://github.com/frangoteam/FUXA/blob/master/server/settings.default.js |
| n/a--FUXA v1.2.7 | FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access. | 2026-02-03 | not yet calculated | CVE-2025-69971 | https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js |
| n/a--FUXA v1.2.7 | FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code. | 2026-02-03 | not yet calculated | CVE-2025-69981 | https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js#L193 |
| n/a--FUXA v1.2.7 | FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise. | 2026-02-03 | not yet calculated | CVE-2025-69983 | https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js |
| n/a--ChestnutCMS v.1.5.8 | An issue in ChestnutCMS v.1.5.8 and before allows a remote attacker to execute arbitrary code via the template creation function | 2026-02-05 | not yet calculated | CVE-2025-70073 | https://github.com/liweiyi/ChestnutCMS/issues/8 |
| n/a--JEEWMS 1.0 | JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters in the /systemControl.do interface for attack. | 2026-02-03 | not yet calculated | CVE-2025-70311 | https://gitee.com/erzhongxmu/JEEWMS |
| PPC (Belden)--2K05X router firmware v1.1.9_206 | A stored cross-site scripting (XSS) vulnerability exists in the web management interface of the PPC (Belden) ONT 2K05X router running firmware v1.1.9_206L. The Common Gateway Interface (CGI) component improperly handles user-supplied input, allowing a remote, unauthenticated attacker to inject arbitrary JavaScript that is persistently stored and executed when the affected interface is accessed. | 2026-02-04 | not yet calculated | CVE-2025-70545 | http://ppc.com https://github.com/jeyabalaji711/CVE-2025-70545 |
|
n/a--pdfminer.six
|
pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An attacker with the ability to place a malicious pickle file in a location accessible to the application can trigger arbitrary code execution or privilege escalation when the file is loaded by a trusted process. This is caused by an incomplete patch to CVE-2025-64512. | 2026-02-03 | not yet calculated | CVE-2025-70559 | https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc https://github.com/advisories/GHSA-f83h-ghpp-7wcc |
| n/a--Boltz 2.0 | Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded. | 2026-02-03 | not yet calculated | CVE-2025-70560 | https://github.com/jwohlwend/boltz/issues/600 https://github.com/jwohlwend/boltz/blob/cb04aeccdd480fd4db707f0bbafde538397fa2ac/src/boltz/data/mol.py#L80 |
| n/a--chetans9 | chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. This allows remote unauthenticated attackers to access protected pages.customer database. | 2026-02-03 | not yet calculated | CVE-2025-70758 | https://github.com/chetans9/core-php-admin-panel https://github.com/chetans9/core-php-admin-panel/blob/master/includes/auth_validate.php https://github.com/XavLimSG/Vulnerability-Research/tree/main/CVE-2025-70758 |
| n/a--Microweber 2.0.19 | Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20. | 2026-02-05 | not yet calculated | CVE-2025-70791 | https://github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f https://gist.github.com/TimRecktenwald/9615b9915a4cacda9f57bb57f13ab6d4 |
| n/a--n/a | Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20. | 2026-02-05 | not yet calculated | CVE-2025-70792 | https://github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f https://gist.github.com/TimRecktenwald/f4b0d1edbb87e75c17c639ca0bacba57 |
| n/a--podinfo | Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS). | 2026-02-03 | not yet calculated | CVE-2025-70849 | https://gist.github.com/kazisabu/27f3e272f474005001a9ecd2c258dbea |
| n/a--Subrion CMS v4.2.1 | Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allows attackers to execute arbitrary Javascript in the context of the user's browser via injecting a crafted payload into the dbuser, dbpwd, and dbname parameters. | 2026-02-02 | not yet calculated | CVE-2025-70958 | https://github.com/emirhanyucell/Subrion-CMS-4.2.1/blob/main/subrion-cms-exploit.txt |
| n/a--Tendenci CMS v15.3.7 | A stored cross-site scripting (XSS) vulnerability in the Jobs module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. | 2026-02-02 | not yet calculated | CVE-2025-70959 | https://github.com/emirhanyucelll/tendenci/blob/main/Readme.md |
| n/a--Tendenci CMS v15.3.7 | A stored cross-site scripting (XSS) vulnerability in the Forums module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. | 2026-02-02 | not yet calculated | CVE-2025-70960 | https://github.com/emirhanyucelll/tendenci/blob/main/Readme.md |
| n/a--Gophish | Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user's long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context. | 2026-02-06 | not yet calculated | CVE-2025-70963 | https://github.com/gophish/gophish/issues/9366 |
| n/a--eladmin v2.7 | A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level. | 2026-02-04 | not yet calculated | CVE-2025-70997 | https://github.com/elunez/eladmin https://github.com/fofo137/CVE/issues/1 |
| n/a--n/a | Water-Melon Melon commit 9df9292 and below is vulnerable to Denial of Service. The HTTP component doesn't have any maximum length. As a result, an excessive request header could cause a denial of service by consuming RAM memory. | 2026-02-04 | not yet calculated | CVE-2025-71031 | https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/denial-of-service-in-melon-c-library https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/cve-2025-71031-denial-of-service-in-melon-c-library |
| danny-avila--danny-avila/librechat | A vulnerability in danny-avila/librechat allows attackers to exploit the unrestricted Fork Function in `/api/convos/fork` to fork numerous contents rapidly. If the forked content includes a Mermaid graph with a large number of nodes, it can lead to a JavaScript heap out of memory error upon service restart, causing a denial of service. This issue affects the latest version of the product. | 2026-02-02 | not yet calculated | CVE-2025-7105 | https://huntr.com/bounties/e44f0740-48bd-443b-8826-528e6afe9e34 https://github.com/danny-avila/librechat/commit/97a99985fa339db0a21ad63604e0bb8db4442ffc |
| n/a--Creativeitem Academy LMS 7.0 | Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bundles/search/query endpoint. These vulnerabilities are distinct from the patch for CVE-2023-4119, which only fixed XSS in query and sort_by parameters to the /academy/home/courses endpoint. | 2026-02-03 | not yet calculated | CVE-2025-71179 | https://codecanyon.net/item/academy-course-based-learning-management-system/22703468 https://creativeitem.com/products/academy-learning-management-system/ https://github.com/cod3rLucas/security-advisories/blob/main/CVE-2025-71179.md |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: ac97: fix a double free in snd_ac97_controller_register() If ac97_add_adapter() fails, put_device() is the correct way to drop the device reference. kfree() is not required. Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do the cleanup. Found by code review. | 2026-02-04 | not yet calculated | CVE-2025-71192 | https://git.kernel.org/stable/c/c80f9b3349a99a9d5b295f5bbc23f544c5995ad7 https://git.kernel.org/stable/c/21f8bc5179bed91c3f946adb5e55d717b891960c https://git.kernel.org/stable/c/fcc04c92cbb5497ce67c58dd2f0001bb87f40396 https://git.kernel.org/stable/c/cb73d37ac18bc1716690ff5255a0ef1952827e9e https://git.kernel.org/stable/c/830988b6cf197e6dcffdfe2008c5738e6c6c3c0f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data. There is a small window where the suspend callback may run after PM runtime enabling and before runtime forbid. This causes a sporadic crash during boot: ``` Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1 [...] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT Workqueue: pm pm_runtime_work pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2] lr : pm_generic_runtime_suspend+0x2c/0x44 [...] ``` Attach the QPHY instance as driver data before enabling runtime PM to prevent NULL pointer dereference in runtime PM callbacks. Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a short window where an unnecessary runtime suspend can occur. Use the devres-managed version to ensure PM runtime is symmetrically disabled during driver removal for proper cleanup. | 2026-02-04 | not yet calculated | CVE-2025-71193 | https://git.kernel.org/stable/c/beba460a299150b5d8dcbe3474a8f4bdf0205180 https://git.kernel.org/stable/c/d50a9b7fd07296a1ab81c49ceba14cae3d31df86 https://git.kernel.org/stable/c/4ac15caa27ff842b068a54f1c6a8ff8b31f658e7 https://git.kernel.org/stable/c/1ca52c0983c34fca506921791202ed5bdafd5306 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock in wait_current_trans() due to ignored transaction type When wait_current_trans() is called during start_transaction(), it currently waits for a blocked transaction without considering whether the given transaction type actually needs to wait for that particular transaction state. The btrfs_blocked_trans_types[] array already defines which transaction types should wait for which transaction states, but this check was missing in wait_current_trans(). This can lead to a deadlock scenario involving two transactions and pending ordered extents: 1. Transaction A is in TRANS_STATE_COMMIT_DOING state 2. A worker processing an ordered extent calls start_transaction() with TRANS_JOIN 3. join_transaction() returns -EBUSY because Transaction A is in TRANS_STATE_COMMIT_DOING 4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes 5. A new Transaction B is created (TRANS_STATE_RUNNING) 6. The ordered extent from step 2 is added to Transaction B's pending ordered extents 7. Transaction B immediately starts commit by another task and enters TRANS_STATE_COMMIT_START 8. The worker finally reaches wait_current_trans(), sees Transaction B in TRANS_STATE_COMMIT_START (a blocked state), and waits unconditionally 9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START according to btrfs_blocked_trans_types[] 10. Transaction B is waiting for pending ordered extents to complete 11. Deadlock: Transaction B waits for ordered extent, ordered extent waits for Transaction B This can be illustrated by the following call stacks: CPU0 CPU1 btrfs_finish_ordered_io() start_transaction(TRANS_JOIN) join_transaction() # -EBUSY (Transaction A is # TRANS_STATE_COMMIT_DOING) # Transaction A completes # Transaction B created # ordered extent added to # Transaction B's pending list btrfs_commit_transaction() # Transaction B enters # TRANS_STATE_COMMIT_START # waiting for pending ordered # extents wait_current_trans() # waits for Transaction B # (should not wait!) Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered extents: __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 btrfs_commit_transaction+0xbf7/0xda0 [btrfs] btrfs_sync_file+0x342/0x4d0 [btrfs] __x64_sys_fdatasync+0x4b/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Task kworker in wait_current_trans waiting for transaction commit: Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs] __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 wait_current_trans+0xb0/0x110 [btrfs] start_transaction+0x346/0x5b0 [btrfs] btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs] btrfs_work_helper+0xe8/0x350 [btrfs] process_one_work+0x1d3/0x3c0 worker_thread+0x4d/0x3e0 kthread+0x12d/0x150 ret_from_fork+0x1f/0x30 Fix this by passing the transaction type to wait_current_trans() and checking btrfs_blocked_trans_types[cur_trans->state] against the given type before deciding to wait. This ensures that transaction types which are allowed to join during certain blocked states will not unnecessarily wait and cause deadlocks. | 2026-02-04 | not yet calculated | CVE-2025-71194 | https://git.kernel.org/stable/c/e563f59395981fcd69d130761290929806e728d6 https://git.kernel.org/stable/c/dc84036c173cff6a432d9ab926298850b1d2a659 https://git.kernel.org/stable/c/d7b04b40ac8e6d814e35202a0e1568809b818295 https://git.kernel.org/stable/c/99da896614d17e8a84aeb2b2d464ac046cc8633d https://git.kernel.org/stable/c/8b0bb145d3bc264360f525c9717653be3522e528 https://git.kernel.org/stable/c/9ac63333d600732a56b35ee1fa46836da671eb50 https://git.kernel.org/stable/c/5037b342825df7094a4906d1e2a9674baab50cb2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: xilinx: xdma: Fix regmap max_register The max_register field is assigned the size of the register memory region instead of the offset of the last register. The result is that reading from the regmap via debugfs can cause a segmentation fault: tail /sys/kernel/debug/regmap/xdma.1.auto/registers Unable to handle kernel paging request at virtual address ffff800082f70000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault [...] Call trace: regmap_mmio_read32le+0x10/0x30 _regmap_bus_reg_read+0x74/0xc0 _regmap_read+0x68/0x198 regmap_read+0x54/0x88 regmap_read_debugfs+0x140/0x380 regmap_map_read_file+0x30/0x48 full_proxy_read+0x68/0xc8 vfs_read+0xcc/0x310 ksys_read+0x7c/0x120 __arm64_sys_read+0x24/0x40 invoke_syscall.constprop.0+0x64/0x108 do_el0_svc+0xb0/0xd8 el0_svc+0x38/0x130 el0t_64_sync_handler+0x120/0x138 el0t_64_sync+0x194/0x198 Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- note: tail[1217] exited with irqs disabled note: tail[1217] exited with preempt_count 1 Segmentation fault | 2026-02-04 | not yet calculated | CVE-2025-71195 | https://git.kernel.org/stable/c/df8a131a41ff6202d47f59452735787f2b71dd2d https://git.kernel.org/stable/c/606ea969e78295407f4bf06aa0e272fe59897184 https://git.kernel.org/stable/c/5e7ad329d259cf5bed7530d6d2525bcf7cb487a1 https://git.kernel.org/stable/c/c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: stm32-usphyc: Fix off by one in probe() The "index" variable is used as an index into the usbphyc->phys[] array which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys then it is one element out of bounds. The "index" comes from the device tree so it's data that we trust and it's unlikely to be wrong, however it's obviously still worth fixing the bug. Change the > to >=. | 2026-02-04 | not yet calculated | CVE-2025-71196 | https://git.kernel.org/stable/c/a9eec890879731c280697fdf1c50699e905b2fa7 https://git.kernel.org/stable/c/fb9d513cdf1614bf0f0e785816afb1faae3f81af https://git.kernel.org/stable/c/c06f13876cbad702582cd67fc77356e5524d02cd https://git.kernel.org/stable/c/76b870fdaad82171a24b8aacffe5e4d9e0d2ee2c https://git.kernel.org/stable/c/b91c9f6bfb04e430adeeac7e7ebc9d80f9d72bad https://git.kernel.org/stable/c/7c27eaf183563b86d815ff6e9cca0210b4cfa051 https://git.kernel.org/stable/c/cabd25b57216ddc132efbcc31f972baa03aad15a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: w1: therm: Fix off-by-one buffer overflow in alarms_store The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. | 2026-02-04 | not yet calculated | CVE-2025-71197 | https://git.kernel.org/stable/c/49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95 https://git.kernel.org/stable/c/060b08d72a38b158a7f850d4b83c17c2969e0f6b https://git.kernel.org/stable/c/b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442e https://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0 https://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169 https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection The st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL event_spec field, indicating support for IIO events. However, event detection is not supported for all sensors, and if userspace tries to configure accelerometer wakeup events on a sensor device that does not support them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL pointer when trying to write to the wakeup register. Define an additional struct iio_chan_spec array whose members have a NULL event_spec field, and use this array instead of st_lsm6dsx_acc_channels for sensors without event detection capability. | 2026-02-04 | not yet calculated | CVE-2025-71198 | https://git.kernel.org/stable/c/7673167fac9323110973a3300637adba7d45de3a https://git.kernel.org/stable/c/4d60ffcdedfe2cdb68a1cde19bb292bc67451629 https://git.kernel.org/stable/c/81ed6e42d6e555dd978c9dd5e3f7c20cb121221b https://git.kernel.org/stable/c/c34e2e2d67b3bb8d5a6d09b0d6dac845cdd13fb3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq). If we remove the module which will call at91_adc_remove to make cleanup, it will free indio_dev through iio_device_unregister but quite a bit later. While the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | at91_adc_workq_handler at91_adc_remove | iio_device_unregister(indio_dev) | //free indio_dev a bit later | | iio_push_to_buffers(indio_dev) | //use indio_dev Fix it by ensuring that the work is canceled before proceeding with the cleanup in at91_adc_remove. | 2026-02-04 | not yet calculated | CVE-2025-71199 | https://git.kernel.org/stable/c/4c83dd62595ee7b7c9298a4d19a256b6647e7240 https://git.kernel.org/stable/c/fdc8c835c637a3473878d1e7438c77ab8928af63 https://git.kernel.org/stable/c/919d176b05776c7ede79c36744c823a07d631617 https://git.kernel.org/stable/c/9795fe80976f8c31cafda7d44edfc0f532d1f7c4 https://git.kernel.org/stable/c/d7b6fc224c7f5d6d8adcb18037138d3cfe2bbdfe https://git.kernel.org/stable/c/d890234a91570542c228a20f132ce74f9fedd904 https://git.kernel.org/stable/c/dbdb442218cd9d613adeab31a88ac973f22c4873 |
| Brocade--Fabric OS | A vulnerability in Brocade Fabric OS before 9.2.1c3 could allow elevating the privileges of the local authenticated user to "root" using the export option of seccertmgmt and seccryptocfg commands. | 2026-02-03 | not yet calculated | CVE-2025-9711 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36852 |
| Nokia--Nokia ONT | The unified WEBUI application of the ONT/Beacon device contains an input handling flaw that allows authenticated users to trigger unintended system-level command execution. Due to insufficient validation of user-supplied data, a low-privileged authenticated attacker may be able to execute arbitrary commands on the underlying ONT/Beacon operating system, potentially impacting the confidentiality, integrity, and availability of the device. | 2026-02-02 | not yet calculated | CVE-2025-9974 | Nokia Security Advisory |
| Google--Android | In vpu_mmap of vpu_ioctl, there is a possible arbitrary address mmap due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-02-05 | not yet calculated | CVE-2026-0106 | https://source.android.com/security/bulletin/pixel/2026-02-01 |
| Brocade--Fabric OS | A vulnerability in Brocade Fabric OS could allow an authenticated, local attacker with privileges to access the Bash shell to access insecurely stored file contents including the history command. | 2026-02-03 | not yet calculated | CVE-2026-0383 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36851 |
| TYDAC AG--MAP+ | A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker. This issue was verified in MAP+: 3.4.0. | 2026-02-06 | not yet calculated | CVE-2026-0521 | https://www.tydac.ch/en/mapplus/ https://www.redguard.ch/blog/2026/02/05/advisory-tydac-mapplus/ |
| huggingface--huggingface/text-generation-inference | A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET request, reading the entire response body into memory and cloning it before decoding. This behavior can lead to resource exhaustion, including network bandwidth saturation, memory inflation, and CPU overutilization. The vulnerability is triggered even if the request is later rejected for exceeding token limits. The default deployment configuration, which lacks memory usage limits and authentication, exacerbates the impact, potentially crashing the host machine. The issue is resolved in version 3.3.7. | 2026-02-02 | not yet calculated | CVE-2026-0599 | https://huntr.com/bounties/1d3f2085-666c-4441-b265-22f6f7d8d9cd https://github.com/huggingface/text-generation-inference/commit/24ee40d143d8d046039f12f76940a85886cbe152 |
| TP-Link Systems Inc.--AXE75 | When configured as L2TP/IPSec VPN server, Archer AXE75 V1 may accept connections using L2TP without IPSec protection, even when IPSec is enabled. This allows VPN sessions without encryption, exposing data in transit and compromising confidentiality. | 2026-02-03 | not yet calculated | CVE-2026-0620 | https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/us/support/faq/4942/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) allows adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-0630 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-0631 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| Unknown--Five Star Restaurant Reservations | The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks. | 2026-02-02 | not yet calculated | CVE-2026-0658 | https://wpscan.com/vulnerability/6e39090e-a4b2-4c16-806f-e2b1c456fb00/ |
| Moxa--UC-1200A Series | A physical attack vulnerability exists in certain Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3, where the discrete TPM is connected to the CPU via an SPI bus. Exploitation requires invasive physical access, including opening the device and attaching external equipment to the SPI bus to capture TPM communications. If successful, the captured data may allow offline decryption of eMMC contents. This attack cannot be performed through brief or opportunistic physical access and requires extended physical access, possession of the device, appropriate equipment, and sufficient time for signal capture and analysis. Remote exploitation is not possible. | 2026-02-05 | not yet calculated | CVE-2026-0714 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-255121-cve-2026-0714-cve-2026-0715-multiple-vulnerabilities-in-industrial-computers |
| Moxa--UC-1200A Series | Moxa Arm-based industrial computers running Moxa Industrial Linux Secure use a device-unique bootloader password provided on the device. An attacker with physical access to the device could use this information to access the bootloader menu via a serial interface. Access to the bootloader menu does not allow full system takeover or privilege escalation. The bootloader enforces digital signature verification and only permits flashing of Moxa-signed images. As a result, an attacker cannot install malicious firmware or execute arbitrary code. The primary impact is limited to a potential temporary denial-of-service condition if a valid image is reflashed. Remote exploitation is not possible. | 2026-02-05 | not yet calculated | CVE-2026-0715 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-255121-cve-2026-0714-cve-2026-0715-multiple-vulnerabilities-in-industrial-computers |
| Ercom--Cryptobox | On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator. | 2026-02-04 | not yet calculated | CVE-2026-0873 | https://info.cryptobox.com/doc/v4.40/4.40.en/ |
| Dr.Buho--BuhoCleaner | BuhoCleaner contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions. This issue affects BuhoCleaner: 1.15.2. | 2026-02-02 | not yet calculated | CVE-2026-0924 | https://fluidattacks.com/advisories/solstafir https://www.drbuho.com/buhocleaner https://www.drbuho.com/buhocleaner/download |
| Drupal--Group invite | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing. This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4. | 2026-02-04 | not yet calculated | CVE-2026-0944 | https://www.drupal.org/sa-contrib-2026-001 |
| Drupal--Role Delegation | Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation. This issue affects Role Delegation: from 1.3.0 before 1.5.0. | 2026-02-04 | not yet calculated | CVE-2026-0945 | https://www.drupal.org/sa-contrib-2026-002 |
| Drupal--AT Internet SmartTag | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS). This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1. | 2026-02-04 | not yet calculated | CVE-2026-0946 | https://www.drupal.org/sa-contrib-2026-003 |
| Drupal--AT Internet Piano Analytics | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS). This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1. | 2026-02-04 | not yet calculated | CVE-2026-0947 | https://www.drupal.org/sa-contrib-2026-004 |
| Drupal--Microsoft Entra ID SSO Login | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation. This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4. | 2026-02-04 | not yet calculated | CVE-2026-0948 | https://www.drupal.org/sa-contrib-2026-005 |
| parisneo--parisneo/lollms | A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (`lollmsElfServer.busy`, `lollmsElfServer.cancel_gen`) for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service. | 2026-02-02 | not yet calculated | CVE-2026-1117 | https://huntr.com/bounties/d2846a7f-0140-4105-b1bb-5ef64ec8b829 https://github.com/parisneo/lollms/commit/36a5b513dfefe9c2913bf9b618457b4fea603e3b |
| ABC PRO SP. Z O.O.--EAP Legislator | EAP Legislator is vulnerable to Path Traversal in file extraction functionality. Attacker can prepare zipx archive (default file type used by the Legislator application) and choose arbitrary path outside the intended directory (e.x. system startup) where files will be extracted by the victim upon opening the file. This issue was fixed in version 2.25a. | 2026-02-02 | not yet calculated | CVE-2026-1186 | https://abcpro.pl/eap-legislator https://cert.pl/posts/2026/02/CVE-2026-1186 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1207 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| BeyondTrust--Privilege management for Windows | A medium-severity vulnerability has been identified in BeyondTrust Privilege Management for Windows versions <=25.7. Under certain conditions, a local authenticated user with elevated privileges may be able to bypass the product's anti-tamper protections, which could allow access to protected application components and the ability to modify product configuration. | 2026-02-02 | not yet calculated | CVE-2026-1232 | https://www.beyondtrust.com/trust-center/security-advisories/bt26-01 https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0023100 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1285 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1287 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| o6 Automation GmbH--Open62541 | In builds with PubSub and JSON enabled, a crafted JSON message can cause the decoder to write beyond a heap-allocated array before authentication, reliably crashing the process and corrupting memory. | 2026-02-05 | not yet calculated | CVE-2026-1301 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-03 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1312 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| neo4j--Enterprise Edition | Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337 | 2026-02-06 | not yet calculated | CVE-2026-1337 | https://github.com/JoakimBulow/CVE-2026-1337 |
| Avation--Avation Light Engine Pro | Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control. | 2026-02-03 | not yet calculated | CVE-2026-1341 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-02 |
| T-Systems--Buroweb | SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information. | 2026-02-03 | not yet calculated | CVE-2026-1432 | https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-sqli-buroweb-platform |
| PRIMION DIGITEK--Digitek ADT1100 | Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server's file system, thet is, 'http://<host>/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd'. By manipulating the input to include URL encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms ans retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise. | 2026-02-05 | not yet calculated | CVE-2026-1523 | https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-digitek-grupo-azkoyen |
| Drupal--Drupal Canvas | Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing. This issue affects Drupal Canvas: from 0.0.0 before 1.0.4. | 2026-02-04 | not yet calculated | CVE-2026-1553 | https://www.drupal.org/sa-contrib-2026-006 |
| Drupal--Central Authentication System (CAS) Server | XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation. This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2. | 2026-02-04 | not yet calculated | CVE-2026-1554 | https://www.drupal.org/sa-contrib-2026-007 |
| neo4j--Enterprise Edition | Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j. | 2026-02-04 | not yet calculated | CVE-2026-1622 | https://neo4j.com/security/CVE-2026-1622 |
| N/A--N/A | Summary An Insecure Direct Object Reference has been found to exist in `createHeaderBasedEmailResolver()` function within the Cloudflare Agents SDK. The issue occurs because the `Message-ID` and `References` headers are parsed to derive the target agentName and agentId without proper validation or origin checks, allowing an external attacker with control of these headers to route inbound mail to arbitrary Durable Object instances and namespaces . Root cause The `createHeaderBasedEmailResolver()` function lacks cryptographic verification or origin validation for the headers used in the routing logic, effectively allowing external input to dictate internal object routing. Impact Insecure Direct Object Reference (IDOR) in email routing lets an attacker steer inbound mail to arbitrary Agent instances via spoofed Message-ID. Mitigation: * PR: https://github.com/cloudflare/agents/blob/main/docs/email.md ] provides the necessary architectural context for coding agents to mitigate the issue by refactoring the resolver to enforce strict identity boundaries. * Agents-sdk users should upgrade to agents@0.3.7 | 2026-02-03 | not yet calculated | CVE-2026-1664 | https://github.com/cloudflare/agents |
| Python Packaging Authority--pip | When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations. | 2026-02-02 | not yet calculated | CVE-2026-1703 | https://github.com/pypa/pip/pull/13777 https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/ |
| Google Cloud--Gemini Enterprise (formerly Agentspace) | The Agentspace service was affected by a vulnerability that exposed sensitive information due to the use of predictable Google Cloud Storage bucket names. These names were utilized for error logs and temporary staging during data imports from GCS and Cloud SQL. This predictability allowed an attacker to engage in "bucket squatting" by establishing these buckets before a victim's initial use. All versions after December 12th, 2025 have been updated to protect from this vulnerability. No user action is required for this. | 2026-02-06 | not yet calculated | CVE-2026-1727 | https://docs.cloud.google.com/gemini/enterprise/docs/release-notes#February_06_2026 |
| BeyondTrust--Remote Support(RS) & Privileged Remote Access(PRA) | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. | 2026-02-06 | not yet calculated | CVE-2026-1731 | https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293 https://www.beyondtrust.com/trust-center/security-advisories/bt26-02 |
| CrafterCMS--CrafterCMS | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution). | 2026-02-02 | not yet calculated | CVE-2026-1770 | https://docs.craftercms.org/current/security/advisory.html#cv-2026020201 |
| Xquic Project--Xquic Server | : Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux (QUIC protocol implementation, packet processing module modules) allows : Buffer Manipulation. This issue affects Xquic Server: through 1.8.3. | 2026-02-03 | not yet calculated | CVE-2026-1788 | https://github.com/alibaba/xquic |
| Rapid7--InsightVM/Nexpose | A security vulnerability has been identified in Rapid7 Nexpose. Remediation is in progress. | 2026-02-03 | not yet calculated | CVE-2026-1814 | https://www.atredis.com/disclosure |
| Google--Chrome | Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-02-03 | not yet calculated | CVE-2026-1861 | https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/478942410 |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-02-03 | not yet calculated | CVE-2026-1862 | https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/479726070 |
| Nukegraphic CMS--Nukegraphic CMS | Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the database and rendering it across multiple CMS pages. An authenticated attacker with low privileges can inject malicious JavaScript payloads through the profile edit request, which are then executed site-wide whenever the affected user's name is displayed. This allows the attacker to execute arbitrary JavaScript in the context of other users' sessions, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. | 2026-02-05 | not yet calculated | CVE-2026-1953 | https://github.com/carlosbudiman/CVE-2026-1953-Disclosure |
| YugabyteDB Inc--YugabyteDB Anywhere | YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services. | 2026-02-05 | not yet calculated | CVE-2026-1966 | https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/ |
| MediaTek, Inc.--MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738310; Issue ID: MSV-5933. | 2026-02-02 | not yet calculated | CVE-2026-20401 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00693083; Issue ID: MSV-5928. | 2026-02-02 | not yet calculated | CVE-2026-20402 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8771, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893 | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689254 (Note: For N15 and NR16) / MOLY01689259 (Note: For NR17 and NR17R); Issue ID: MSV-4843. | 2026-02-02 | not yet calculated | CVE-2026-20403 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689248; Issue ID: MSV-4837. | 2026-02-02 | not yet calculated | CVE-2026-20404 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01688495; Issue ID: MSV-4818. | 2026-02-02 | not yet calculated | CVE-2026-20405 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01726634; Issue ID: MSV-5728. | 2026-02-02 | not yet calculated | CVE-2026-20406 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT7902, MT7920, MT7921, MT7922, MT7925, MT7927 | In wlan STA driver, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00464377; Issue ID: MSV-4905. | 2026-02-02 | not yet calculated | CVE-2026-20407 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6890, MT7615, MT7915, MT7916, MT7981, MT7986 | In wlan, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461651; Issue ID: MSV-4758. | 2026-02-02 | not yet calculated | CVE-2026-20408 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6897, MT6989 | In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363246; Issue ID: MSV-5779. | 2026-02-02 | not yet calculated | CVE-2026-20409 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6897, MT6989, MT8370, MT8390, MT8395 | In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362552; Issue ID: MSV-5760. | 2026-02-02 | not yet calculated | CVE-2026-20410 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6878, MT6879, MT6881, MT6886, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT6993, MT8168, MT8188, MT8195, MT8365, MT8370, MT8390, MT8395, MT8666, MT8667, MT8673, MT8676, MT8793 | In cameraisp, there is a possible escalation of privilege due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5737. | 2026-02-02 | not yet calculated | CVE-2026-20411 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6878, MT6879, MT6881, MT6886, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT6993, MT8168, MT8188, MT8195, MT8365, MT8390, MT8395, MT8666, MT8667, MT8673, MT8676, MT8696, MT8793 | In cameraisp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5733. | 2026-02-02 | not yet calculated | CVE-2026-20412 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT8678, MT8793 | In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362725; Issue ID: MSV-5694. | 2026-02-02 | not yet calculated | CVE-2026-20413 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6897, MT6989, MT8196, MT8678, MT8766, MT8768, MT8786, MT8796 | In imgsys, there is a possible escalation of privilege due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362999; Issue ID: MSV-5625. | 2026-02-02 | not yet calculated | CVE-2026-20414 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6897, MT6989 | In imgsys, there is a possible memory corruption due to improper locking. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363254; Issue ID: MSV-5617. | 2026-02-02 | not yet calculated | CVE-2026-20415 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6991, MT6993, MT8678 | In pcie, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10314946 / ALPS10340155; Issue ID: MSV-5154. | 2026-02-02 | not yet calculated | CVE-2026-20417 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT7931, MT7933 | In Thread, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465153; Issue ID: MSV-4927. | 2026-02-02 | not yet calculated | CVE-2026-20418 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6890, MT6989TB, MT7902, MT7915, MT7916, MT7920, MT7921, MT7922, MT7925, MT7927, MT7981, MT7986, MT8196, MT8668, MT8676, MT8678, MT8775, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893, MT8910 | In wlan AP/STA firmware, there is a possible system becoming irresponsive due to an uncaught exception. This could lead to remote (proximal/adjacent) denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461663 / WCNCR00463309; Issue ID: MSV-4852. | 2026-02-02 | not yet calculated | CVE-2026-20419 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8676, MT8791 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738313; Issue ID: MSV-5935. | 2026-02-02 | not yet calculated | CVE-2026-20420 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8791 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738293; Issue ID: MSV-5922. | 2026-02-02 | not yet calculated | CVE-2026-20421 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8775, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00827332; Issue ID: MSV-5919. | 2026-02-02 | not yet calculated | CVE-2026-20422 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| ELECOM CO.,LTD.--WRC-X1500GS-B | Cross-site request forgery vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed. | 2026-02-03 | not yet calculated | CVE-2026-20704 | https://www.elecom.co.jp/news/security/20260203-01/ https://jvn.jp/en/jp/JVN94012927/ |
| Cybozu, Inc.--Cybozu Garoon | Cross-site scripting vulnerability exists in E-mail function of Cybozu Garoon 5.0.0 to 6.0.3, which may allow an attacker to reset arbitrary users' passwords. | 2026-02-02 | not yet calculated | CVE-2026-20711 | https://kb.cybozu.support/article/39081/ https://jvn.jp/en/jp/JVN35265756/ |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in Emergency Sharing prior to SMR Feb-2026 Release 1 allows local attackers to interrupt its functioning. | 2026-02-04 | not yet calculated | CVE-2026-20977 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Improper authorization in KnoxGuardManager prior to SMR Feb-2026 Release 1 allows local attackers to bypass the persistence configuration of the application. | 2026-02-04 | not yet calculated | CVE-2026-20978 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Improper privilege management in Settings prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Settings privilege. | 2026-02-04 | not yet calculated | CVE-2026-20979 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in PACM prior to SMR Feb-2026 Release 1 allows physical attacker to execute arbitrary commands. | 2026-02-04 | not yet calculated | CVE-2026-20980 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in FacAtFunction prior to SMR Feb-2026 Release 1 allows privileged physical attacker to execute arbitrary command with system privilege. | 2026-02-04 | not yet calculated | CVE-2026-20981 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Path traversal in ShortcutService prior to SMR Feb-2026 Release 1 allows privileged local attacker to create file with system privilege. | 2026-02-04 | not yet calculated | CVE-2026-20982 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Improper export of android application components in Samsung Dialer prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Samsung Dialer privilege. | 2026-02-04 | not yet calculated | CVE-2026-20983 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Galaxy Wearable | Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information. | 2026-02-04 | not yet calculated | CVE-2026-20984 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Members | Improper input validation in Samsung Members prior to version 5.6.00.11 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability. | 2026-02-04 | not yet calculated | CVE-2026-20985 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Samsung Mobile--Chinese Samsung Members | Path traversal in Samsung Members prior to Chinese version 15.5.05.4 allows local attackers to overwrite data within Samsung Members. | 2026-02-04 | not yet calculated | CVE-2026-20986 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Samsung Mobile--GalaxyDiagnostics | Improper input validation in GalaxyDiagnostics prior to version 3.5.050 allows local privileged attackers to execute privileged commands. | 2026-02-04 | not yet calculated | CVE-2026-20987 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Six Apart Ltd.--Movable Type (Software Edition) | Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-21393 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| Stackideas.com--EasyDiscuss extension for Joomla | Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure | 2026-02-06 | not yet calculated | CVE-2026-21626 | https://stackideas.com/easydiscuss |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78. | 2026-02-03 | not yet calculated | CVE-2026-21862 | https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq |
| n8n-io--n8n | n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n's community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3. | 2026-02-04 | not yet calculated | CVE-2026-21893 | https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838 |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A lack of proper input validation in the HTTP processing path in TP-Link Archer BE230 v1.2 (web modules) may allow a crafted request to cause the device's web service to become unresponsive, resulting in a denial of service condition. A network adjacent attacker with high privileges could cause the device's web interface to temporarily stop responding until it recovers or is rebooted. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-03 | not yet calculated | CVE-2026-22220 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4941/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22221 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) allows adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22222 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link System Inc.--Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22223 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin's authentication in the cloud communication interface on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22224 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22225 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin's authentication in the VPN server configuration module on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22226 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin's authentication via the configuration backup restoration function of the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22227 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | An authenticated user with high privileges may trigger a denial‑of‑service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Restoring such a file can cause the device to become unresponsive, requiring a reboot to restore normal operation. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-03 | not yet calculated | CVE-2026-22228 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4941/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22229 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| ELECOM CO.,LTD.--WRC-X1500GS-B | OS command injection vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. A crafted request from a logged-in user may lead to an arbitrary OS command execution. | 2026-02-03 | not yet calculated | CVE-2026-22550 | https://www.elecom.co.jp/news/security/20260203-01/ https://jvn.jp/en/jp/JVN94012927/ |
| Six Apart Ltd.--Movable Type (Software Edition) | Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-22875 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| Cybozu, Inc.--Cybozu Garoon | Cross-site scripting vulnerability exists in Message function of Cybozu Garoon 5.15.0 to 6.0.3, which may allow an attacker to reset arbitrary users' passwords. | 2026-02-02 | not yet calculated | CVE-2026-22881 | https://kb.cybozu.support/article/39084/ https://jvn.jp/en/jp/JVN35265756/ |
| Cybozu, Inc.--Cybozu Garoon | Improper input verification issue exists in Cybozu Garoon 5.0.0 to 6.0.3, which may lead to unauthorized alteration of portal settings, potentially blocking access to the product. | 2026-02-02 | not yet calculated | CVE-2026-22888 | https://kb.cybozu.support/article/39083/ https://jvn.jp/en/jp/JVN35265756/ |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: fix typo in frequency notification The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel. This could result in a NULL pointer dereference in cfg80211_next_nan_dw_notif. | 2026-02-04 | not yet calculated | CVE-2026-23040 | https://git.kernel.org/stable/c/1251bbdb8f5b2ea86ca9b4268a2e6aa34372ab33 https://git.kernel.org/stable/c/333418872bfecf4843f1ded7a4151685dfcf07d5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called, which invokes ptp_clock_unregister(). Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events"), ptp_clock_unregister() now calls ptp_disable_all_events(), which in turn invokes the driver's .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing the unregistration. bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from bp->hwrm_dma_pool, causing a NULL pointer dereference: bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] Call Trace: __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72) bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517) ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66) ptp_clock_unregister (drivers/ptp/ptp_clock.c:518) bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134) bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889) Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3") Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before freeing HWRM resources. | 2026-02-04 | not yet calculated | CVE-2026-23041 | https://git.kernel.org/stable/c/0174d5466caefc22f03a36c43b2a3cce7e332627 https://git.kernel.org/stable/c/3358995b1a7f9dcb52a56ec8251570d71024dad0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix aux device unplugging when rdma is not supported by vport If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not allocate vdev_info for this vport. This leads to kernel NULL pointer dereference in idpf_idc_vport_dev_down(), which references vdev_info for every vport regardless. Check, if vdev_info was ever allocated before unplugging aux device. | 2026-02-04 | not yet calculated | CVE-2026-23042 | https://git.kernel.org/stable/c/0ad6d6e50e9d8bf596cfe77a882ddc20b29f525a https://git.kernel.org/stable/c/4648fb2f2e7210c53b85220ee07d42d1e4bae3f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL pointer dereference in do_abort_log_replay() Coverity reported a NULL pointer dereference issue (CID 1666756) in do_abort_log_replay(). When btrfs_alloc_path() fails in replay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay() calls do_abort_log_replay() which unconditionally dereferences wc->subvol_path when attempting to print debug information. Fix this by adding a NULL check before dereferencing wc->subvol_path in do_abort_log_replay(). | 2026-02-04 | not yet calculated | CVE-2026-23043 | https://git.kernel.org/stable/c/6d1b61b8e1e44888c643d89225ab819b10649b2e https://git.kernel.org/stable/c/530e3d4af566ca44807d79359b90794dea24c4f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PM: hibernate: Fix crash when freeing invalid crypto compressor When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL. The cleanup code in save_compressed_image() and load_compressed_image() unconditionally calls crypto_free_acomp() without checking for ERR_PTR, which causes crypto_acomp_tfm() to dereference an invalid pointer and crash the kernel. This can be triggered when the compression algorithm is unavailable (e.g., CONFIG_CRYPTO_LZO not enabled). Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp() and acomp_request_free(), similar to the existing kthread_stop() check. [ rjw: Added 2 empty code lines ] | 2026-02-04 | not yet calculated | CVE-2026-23044 | https://git.kernel.org/stable/c/b7a883b0135dbc6817e90a829421c9fc8cd94bad https://git.kernel.org/stable/c/7966cf0ebe32c981bfa3db252cb5fc3bb1bf2e77 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/ena: fix missing lock when update devlink params Fix assert lock warning while calling devl_param_driverinit_value_set() in ena. WARNING: net/devlink/core.c:261 at devl_assert_locked+0x62/0x90, CPU#0: kworker/0:0/9 CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.19.0-rc2+ #1 PREEMPT(lazy) Hardware name: Amazon EC2 m8i-flex.4xlarge/, BIOS 1.0 10/16/2017 Workqueue: events work_for_cpu_fn RIP: 0010:devl_assert_locked+0x62/0x90 Call Trace: <TASK> devl_param_driverinit_value_set+0x15/0x1c0 ena_devlink_alloc+0x18c/0x220 [ena] ? __pfx_ena_devlink_alloc+0x10/0x10 [ena] ? trace_hardirqs_on+0x18/0x140 ? lockdep_hardirqs_on+0x8c/0x130 ? __raw_spin_unlock_irqrestore+0x5d/0x80 ? __raw_spin_unlock_irqrestore+0x46/0x80 ? devm_ioremap_wc+0x9a/0xd0 ena_probe+0x4d2/0x1b20 [ena] ? __lock_acquire+0x56a/0xbd0 ? __pfx_ena_probe+0x10/0x10 [ena] ? local_clock+0x15/0x30 ? __lock_release.isra.0+0x1c9/0x340 ? mark_held_locks+0x40/0x70 ? lockdep_hardirqs_on_prepare.part.0+0x92/0x170 ? trace_hardirqs_on+0x18/0x140 ? lockdep_hardirqs_on+0x8c/0x130 ? __raw_spin_unlock_irqrestore+0x5d/0x80 ? __raw_spin_unlock_irqrestore+0x46/0x80 ? __pfx_ena_probe+0x10/0x10 [ena] ...... </TASK> | 2026-02-04 | not yet calculated | CVE-2026-23045 | https://git.kernel.org/stable/c/f2c4bcfa193eef1b7457a56be9c47a8de015f225 https://git.kernel.org/stable/c/8da901ffe497a53fa4ecc3ceed0e6d771586f88e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio_net: fix device mismatch in devm_kzalloc/devm_kfree Initial rss_hdr allocation uses virtio_device->device, but virtnet_set_queues() frees using net_device->device. This device mismatch causing below devres warning [ 3788.514041] ------------[ cut here ]------------ [ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463 [ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa] [ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G W 6.18.0 #10 PREEMPT [ 3788.514067] Tainted: [W]=WARN [ 3788.514069] Hardware name: Marvell CN106XX board (DT) [ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) [ 3788.514074] pc : devm_kfree+0x84/0x98 [ 3788.514076] lr : devm_kfree+0x54/0x98 [ 3788.514079] sp : ffff800084e2f220 [ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f [ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080 [ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018 [ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000 [ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff [ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff [ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c [ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f [ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080 [ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000 [ 3788.514123] Call trace: [ 3788.514125] devm_kfree+0x84/0x98 (P) [ 3788.514129] virtnet_set_queues+0x134/0x2e8 [virtio_net] [ 3788.514135] virtnet_probe+0x9c0/0xe00 [virtio_net] [ 3788.514139] virtio_dev_probe+0x1e0/0x338 [ 3788.514144] really_probe+0xc8/0x3a0 [ 3788.514149] __driver_probe_device+0x84/0x170 [ 3788.514152] driver_probe_device+0x44/0x120 [ 3788.514155] __device_attach_driver+0xc4/0x168 [ 3788.514158] bus_for_each_drv+0x8c/0xf0 [ 3788.514161] __device_attach+0xa4/0x1c0 [ 3788.514164] device_initial_probe+0x1c/0x30 [ 3788.514168] bus_probe_device+0xb4/0xc0 [ 3788.514170] device_add+0x614/0x828 [ 3788.514173] register_virtio_device+0x214/0x258 [ 3788.514175] virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa] [ 3788.514179] vdpa_dev_probe+0xa8/0xd8 [ 3788.514183] really_probe+0xc8/0x3a0 [ 3788.514186] __driver_probe_device+0x84/0x170 [ 3788.514189] driver_probe_device+0x44/0x120 [ 3788.514192] __device_attach_driver+0xc4/0x168 [ 3788.514195] bus_for_each_drv+0x8c/0xf0 [ 3788.514197] __device_attach+0xa4/0x1c0 [ 3788.514200] device_initial_probe+0x1c/0x30 [ 3788.514203] bus_probe_device+0xb4/0xc0 [ 3788.514206] device_add+0x614/0x828 [ 3788.514209] _vdpa_register_device+0x58/0x88 [ 3788.514211] octep_vdpa_dev_add+0x104/0x228 [octep_vdpa] [ 3788.514215] vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0 [ 3788.514218] genl_family_rcv_msg_doit+0xe4/0x158 [ 3788.514222] genl_rcv_msg+0x218/0x298 [ 3788.514225] netlink_rcv_skb+0x64/0x138 [ 3788.514229] genl_rcv+0x40/0x60 [ 3788.514233] netlink_unicast+0x32c/0x3b0 [ 3788.514237] netlink_sendmsg+0x170/0x3b8 [ 3788.514241] __sys_sendto+0x12c/0x1c0 [ 3788.514246] __arm64_sys_sendto+0x30/0x48 [ 3788.514249] invoke_syscall.constprop.0+0x58/0xf8 [ 3788.514255] do_el0_svc+0x48/0xd0 [ 3788.514259] el0_svc+0x48/0x210 [ 3788.514264] el0t_64_sync_handler+0xa0/0xe8 [ 3788.514268] el0t_64_sync+0x198/0x1a0 [ 3788.514271] ---[ end trace 0000000000000000 ]--- Fix by using virtio_device->device consistently for allocation and deallocation | 2026-02-04 | not yet calculated | CVE-2026-23046 | https://git.kernel.org/stable/c/a5e2d902f64c76169c771f584559c82b588090e3 https://git.kernel.org/stable/c/acb4bc6e1ba34ae1a34a9334a1ce8474c909466e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: make calc_target() set t->paused, not just clear it Currently calc_target() clears t->paused if the request shouldn't be paused anymore, but doesn't ever set t->paused even though it's able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine for regular requests but doesn't work for linger requests -- since __submit_request() doesn't operate on linger requests, there is nowhere for lreq->t.paused to be set. One consequence of this is that watches don't get reestablished on paused -> unpaused transitions in cases where requests have been paused long enough for the (paused) unwatch request to time out and for the subsequent (re)watch request to enter the paused state. On top of the watch not getting reestablished, rbd_reregister_watch() gets stuck with rbd_dev->watch_mutex held: rbd_register_watch __rbd_register_watch ceph_osdc_watch linger_reg_commit_wait It's waiting for lreq->reg_commit_wait to be completed, but for that to happen the respective request needs to end up on need_resend_linger list and be kicked when requests are unpaused. There is no chance for that if the request in question is never marked paused in the first place. The fact that rbd_dev->watch_mutex remains taken out forever then prevents the image from getting unmapped -- "rbd unmap" would inevitably hang in D state on an attempt to grab the mutex. | 2026-02-04 | not yet calculated | CVE-2026-23047 | https://git.kernel.org/stable/c/2b3329b3c29d9e188e40d902d5230c2d5989b940 https://git.kernel.org/stable/c/5d0dc83cb9a69c1d0bea58f1c430199b05f6b021 https://git.kernel.org/stable/c/4d3399c52e0e61720ae898f5a0b5b75d4460ae24 https://git.kernel.org/stable/c/4ebc711b738d139cabe2fc9e7e7749847676a342 https://git.kernel.org/stable/c/6f468f6ff233c6a81e0e761d9124e982903fe9a5 https://git.kernel.org/stable/c/5647d42c47b535573b63e073e91164d6a5bb058c https://git.kernel.org/stable/c/c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: udp: call skb_orphan() before skb_attempt_defer_free() Standard UDP receive path does not use skb->destructor. But skmsg layer does use it, since it calls skb_set_owner_sk_safe() from udp_read_skb(). This then triggers this warning in skb_attempt_defer_free(): DEBUG_NET_WARN_ON_ONCE(skb->destructor); We must call skb_orphan() to fix this issue. | 2026-02-04 | not yet calculated | CVE-2026-23048 | https://git.kernel.org/stable/c/0c63d5683eae6a7b4d81382bcbecb2a19feff90d https://git.kernel.org/stable/c/e5c8eda39a9fc1547d1398d707aa06c1d080abdd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel The connector type for the DataImage SCF0700C48GGU18 panel is missing and devm_drm_panel_bridge_add() requires connector type to be set. This leads to a warning and a backtrace in the kernel log and panel does not work: " WARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8 " The warning is triggered by a check for valid connector type in devm_drm_panel_bridge_add(). If there is no valid connector type set for a panel, the warning is printed and panel is not added. Fill in the missing connector type to fix the warning and make the panel operational once again. | 2026-02-04 | not yet calculated | CVE-2026-23049 | https://git.kernel.org/stable/c/f4c330b4499e7334ec6fce535574e09d55843d71 https://git.kernel.org/stable/c/bb309377eece5317207d71fd833f99cca4727fbd https://git.kernel.org/stable/c/83e0d8d22e7ee3151af1951595104887eebed6ab https://git.kernel.org/stable/c/bc0b17bdba3838e9e17e7e9adc968384ac99938b https://git.kernel.org/stable/c/04218cd68d1502000823c8288f37b4f171dcdcae https://git.kernel.org/stable/c/f7940d3ec1dc6bf719eddc69d4b8e52cc2201896 https://git.kernel.org/stable/c/6ab3d4353bf75005eaa375677c9fed31148154d6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix a deadlock when returning a delegation during open() Ben Coddington reports seeing a hang in the following stack trace: 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415 1 [ffffd0b50e177548] schedule at ffffffff9ca05717 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4] 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4] 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4] 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4] 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4] 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4] 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4] 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4] 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4] 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4] 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4] 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4] 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935 The issue is that the delegreturn is being asked to wait for a layout return that cannot complete because a state recovery was initiated. The state recovery cannot complete until the open() finishes processing the delegations it was given. The solution is to propagate the existing flags that indicate a non-blocking call to the function pnfs_roc(), so that it knows not to wait in this situation. | 2026-02-04 | not yet calculated | CVE-2026-23050 | https://git.kernel.org/stable/c/a316fd9d3065b753b03d802530004aea481512cc https://git.kernel.org/stable/c/d6c75aa9d607044d1e5c8498eff0259eed356c32 https://git.kernel.org/stable/c/857bf9056291a16785ae3be1d291026b2437fc48 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix drm panic null pointer when driver not support atomic When driver not support atomic, fb using plane->fb rather than plane->state->fb. (cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef) | 2026-02-04 | not yet calculated | CVE-2026-23051 | https://git.kernel.org/stable/c/a1aedf4053af7dad3772b94b057a7d1f5473055f https://git.kernel.org/stable/c/9cb6278b44c38899961b36d303d7b18b38be2a6e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ftrace: Do not over-allocate ftrace memory The pg_remaining calculation in ftrace_process_locs() assumes that ENTRIES_PER_PAGE multiplied by 2^order equals the actual capacity of the allocated page group. However, ENTRIES_PER_PAGE is PAGE_SIZE / ENTRY_SIZE (integer division). When PAGE_SIZE is not a multiple of ENTRY_SIZE (e.g. 4096 / 24 = 170 with remainder 16), high-order allocations (like 256 pages) have significantly more capacity than 256 * 170. This leads to pg_remaining being underestimated, which in turn makes skip (derived from skipped - pg_remaining) larger than expected, causing the WARN(skip != remaining) to trigger. Extra allocated pages for ftrace: 2 with 654 skipped WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7295 ftrace_process_locs+0x5bf/0x5e0 A similar problem in ftrace_allocate_records() can result in allocating too many pages. This can trigger the second warning in ftrace_process_locs(). Extra allocated pages for ftrace WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7276 ftrace_process_locs+0x548/0x580 Use the actual capacity of a page group to determine the number of pages to allocate. Have ftrace_allocate_pages() return the number of allocated pages to avoid having to calculate it. Use the actual page group capacity when validating the number of unused pages due to skipped entries. Drop the definition of ENTRIES_PER_PAGE since it is no longer used. | 2026-02-04 | not yet calculated | CVE-2026-23052 | https://git.kernel.org/stable/c/9aef476717994e96dadfb359641c4b82b521aa36 https://git.kernel.org/stable/c/be55257fab181b93af38f8c4b1b3cb453a78d742 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a deadlock involving nfs_release_folio() Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery waiting on kthreadd, which is attempting to reclaim memory by calling nfs_release_folio(). The latter cannot make progress due to state recovery being needed. It seems that the only safe thing to do here is to kick off a writeback of the folio, without waiting for completion, or else kicking off an asynchronous commit. | 2026-02-04 | not yet calculated | CVE-2026-23053 | https://git.kernel.org/stable/c/49d352bc263fe4a834233338bfaad31b3109addf https://git.kernel.org/stable/c/19b4d9ab5e77843eac0429c019470c02f8710b55 https://git.kernel.org/stable/c/cce0be6eb4971456b703aaeafd571650d314bcca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hv_netvsc: reject RSS hash key programming without RX indirection table RSS configuration requires a valid RX indirection table. When the device reports a single receive queue, rndis_filter_device_add() does not allocate an indirection table, accepting RSS hash key updates in this state leads to a hang. Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return -EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device capabilities and prevents incorrect behavior. | 2026-02-04 | not yet calculated | CVE-2026-23054 | https://git.kernel.org/stable/c/8288136f508e78eb3563e7073975999cf225a2f9 https://git.kernel.org/stable/c/82c9039c8ebb715753a40434df714f865a3aec9c https://git.kernel.org/stable/c/4cd55c609e85ae2313248ef1a33619a3eef44a16 https://git.kernel.org/stable/c/11dd9a9ef4dc4507a15a69b8511a0013c6c28fa3 https://git.kernel.org/stable/c/d23564955811da493f34412d7de60fa268c8cb50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: riic: Move suspend handling to NOIRQ phase Commit 53326135d0e0 ("i2c: riic: Add suspend/resume support") added suspend support for the Renesas I2C driver and following this change on RZ/G3E the following WARNING is seen on entering suspend ... [ 134.275704] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) [ 134.285536] ------------[ cut here ]------------ [ 134.290298] i2c i2c-2: Transfer while suspended [ 134.295174] WARNING: drivers/i2c/i2c-core.h:56 at __i2c_smbus_xfer+0x1e4/0x214, CPU#0: systemd-sleep/388 [ 134.365507] Tainted: [W]=WARN [ 134.368485] Hardware name: Renesas SMARC EVK version 2 based on r9a09g047e57 (DT) [ 134.375961] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 134.382935] pc : __i2c_smbus_xfer+0x1e4/0x214 [ 134.387329] lr : __i2c_smbus_xfer+0x1e4/0x214 [ 134.391717] sp : ffff800083f23860 [ 134.395040] x29: ffff800083f23860 x28: 0000000000000000 x27: ffff800082ed5d60 [ 134.402226] x26: 0000001f4395fd74 x25: 0000000000000007 x24: 0000000000000001 [ 134.409408] x23: 0000000000000000 x22: 000000000000006f x21: ffff800083f23936 [ 134.416589] x20: ffff0000c090e140 x19: ffff0000c090e0d0 x18: 0000000000000006 [ 134.423771] x17: 6f63657320313030 x16: 2e30206465737061 x15: ffff800083f23280 [ 134.430953] x14: 0000000000000000 x13: ffff800082b16ce8 x12: 0000000000000f09 [ 134.438134] x11: 0000000000000503 x10: ffff800082b6ece8 x9 : ffff800082b16ce8 [ 134.445315] x8 : 00000000ffffefff x7 : ffff800082b6ece8 x6 : 80000000fffff000 [ 134.452495] x5 : 0000000000000504 x4 : 0000000000000000 x3 : 0000000000000000 [ 134.459672] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c9ee9e80 [ 134.466851] Call trace: [ 134.469311] __i2c_smbus_xfer+0x1e4/0x214 (P) [ 134.473715] i2c_smbus_xfer+0xbc/0x120 [ 134.477507] i2c_smbus_read_byte_data+0x4c/0x84 [ 134.482077] isl1208_i2c_read_time+0x44/0x178 [rtc_isl1208] [ 134.487703] isl1208_rtc_read_time+0x14/0x20 [rtc_isl1208] [ 134.493226] __rtc_read_time+0x44/0x88 [ 134.497012] rtc_read_time+0x3c/0x68 [ 134.500622] rtc_suspend+0x9c/0x170 The warning is triggered because I2C transfers can still be attempted while the controller is already suspended, due to inappropriate ordering of the system sleep callbacks. If the controller is autosuspended, there is no way to wake it up once runtime PM disabled (in suspend_late()). During system resume, the I2C controller will be available only after runtime PM is re-enabled (in resume_early()). However, this may be too late for some devices. Wake up the controller in the suspend() callback while runtime PM is still enabled. The I2C controller will remain available until the suspend_noirq() callback (pm_runtime_force_suspend()) is called. During resume, the I2C controller can be restored by the resume_noirq() callback (pm_runtime_force_resume()). Finally, the resume() callback re-enables autosuspend. As a result, the I2C controller can remain available until the system enters suspend_noirq() and from resume_noirq(). | 2026-02-04 | not yet calculated | CVE-2026-23055 | https://git.kernel.org/stable/c/469f8fe4c87e43520f279e45b927c35d6fe99194 https://git.kernel.org/stable/c/0b4c0fbbe00b7de76bdaea7fa771017d7a979b0d https://git.kernel.org/stable/c/e383f0961422f983451ac4dd6aed1a3d3311f2be |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: implement mremap in uacce_vm_ops to return -EPERM The current uacce_vm_ops does not support the mremap operation of vm_operations_struct. Implement .mremap to return -EPERM to remind users. The reason we need to explicitly disable mremap is that when the driver does not implement .mremap, it uses the default mremap method. This could lead to a risk scenario: An application might first mmap address p1, then mremap to p2, followed by munmap(p1), and finally munmap(p2). Since the default mremap copies the original vma's vm_private_data (i.e., q) to the new vma, both munmap operations would trigger vma_close, causing q->qfr to be freed twice(qfr will be set to null here, so repeated release is ok). | 2026-02-04 | not yet calculated | CVE-2026-23056 | https://git.kernel.org/stable/c/78d99f062d42e3af2ca46bde1a8e46e0dfd372e3 https://git.kernel.org/stable/c/ebfa85658a39b49ec3901ceea7535b73aa0429e6 https://git.kernel.org/stable/c/75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f https://git.kernel.org/stable/c/4c042bc71474dbe417c268f4bfb8ec196f802f07 https://git.kernel.org/stable/c/a407ddd61b3e6afc5ccfcd1478797171cf5686ee https://git.kernel.org/stable/c/ba29b59d124e725e0377f09b2044909c91d657a1 https://git.kernel.org/stable/c/02695347be532b628f22488300d40c4eba48b9b7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Coalesce only linear skb vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them. Since the introduction of MSG_ZEROCOPY support, assumption that a small skb will always be linear is incorrect. In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel memory. Of all 3 supported virtio-based transports, only loopback-transport is affected. G2H virtio-transport rx queue operates on explicitly linear skbs; see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G vhost-transport may allocate non-linear skbs, but only for sizes that are not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in virtio_vsock_alloc_skb(). Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 guarantees last_skb is linear. | 2026-02-04 | not yet calculated | CVE-2026-23057 | https://git.kernel.org/stable/c/568e9cd8ed7ca9bf748c7687ba6501f29d30e59f https://git.kernel.org/stable/c/63ef9b300bd09e24c57050c5dbe68feedce42e72 https://git.kernel.org/stable/c/0386bd321d0f95d041a7b3d7b07643411b044a96 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in ems_usb_close(). Fix the memory leak by anchoring the URB in the ems_usb_read_bulk_callback() to the dev->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23058 | https://git.kernel.org/stable/c/e2c71030dc464d437110bcfb367c493fd402bddb https://git.kernel.org/stable/c/f48eabd15194b216030b32445f44230df95f5fe0 https://git.kernel.org/stable/c/61e6d3674c3d1da1475dc207b3e75c55d678d18e https://git.kernel.org/stable/c/e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8 https://git.kernel.org/stable/c/46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a https://git.kernel.org/stable/c/68c62b3e53901846b5f68c5a8bade72a5d9c0b87 https://git.kernel.org/stable/c/0ce73a0eb5a27070957b67fd74059b6da89cc516 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Sanitize payload size to prevent member overflow In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size reported by firmware is used to calculate the copy length into item->iocb. However, the iocb member is defined as a fixed-size 64-byte array within struct purex_item. If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will overflow the iocb member boundary. While extra memory might be allocated, this cross-member write is unsafe and triggers warnings under CONFIG_FORTIFY_SOURCE. Fix this by capping total_bytes to the size of the iocb member (64 bytes) before allocation and copying. This ensures all copies remain within the bounds of the destination structure member. | 2026-02-04 | not yet calculated | CVE-2026-23059 | https://git.kernel.org/stable/c/408bfa8d70f79ac696cec1bdbdfb3bf43a02e6d0 https://git.kernel.org/stable/c/1922468a4a80424e5a69f7ba50adcee37f4722e9 https://git.kernel.org/stable/c/aa14451fa5d5f2de919384c637e2a8c604e1a1fe https://git.kernel.org/stable/c/19bc5f2a6962dfaa0e32d0e0bc2271993d85d414 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). Add a minimum AAD length check to fail fast on invalid inputs. | 2026-02-04 | not yet calculated | CVE-2026-23060 | https://git.kernel.org/stable/c/df22c9a65e9a9daa368a72fed596af9d7d5876bb https://git.kernel.org/stable/c/fee86edf5803f1d1f19e3b4f2dacac241bddfa48 https://git.kernel.org/stable/c/767e8349f7e929b7dd95c08f0b4cb353459b365e https://git.kernel.org/stable/c/b0a9609283a5c852addb513dafa655c61eebc1ef https://git.kernel.org/stable/c/161bdc90fce25bd9890adc67fa1c8563a7acbf40 https://git.kernel.org/stable/c/9532ff0d0e90ff78a214299f594ab9bac81defe4 https://git.kernel.org/stable/c/2397e9264676be7794f8f7f1e9763d90bd3c7335 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In kvaser_usb_remove_interfaces() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23061 | https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7 https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132 https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4 https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01 https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482 https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro The GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs attributes: 1. Off-by-one error: The loop condition used '<=' instead of '<', causing access beyond array bounds. Since array indices are 0-based and go from 0 to instances_count-1, the loop should use '<'. 2. Missing NULL check: The code dereferenced attr_name_kobj->name without checking if attr_name_kobj was NULL, causing a null pointer dereference in min_length_show() and other attribute show functions. The panic occurred when fwupd tried to read BIOS configuration attributes: Oops: general protection fault [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:min_length_show+0xcf/0x1d0 [hp_bioscfg] Add a NULL check for attr_name_kobj before dereferencing and corrects the loop boundary to match the pattern used elsewhere in the driver. | 2026-02-04 | not yet calculated | CVE-2026-23062 | https://git.kernel.org/stable/c/eb5ff1025c92117d5d1cc728bcfa294abe484da1 https://git.kernel.org/stable/c/eba49c1dee9c5e514ca18e52c545bba524e8a045 https://git.kernel.org/stable/c/193922a23d7294085a47d7719fdb7d66ad0a236f https://git.kernel.org/stable/c/25150715e0b049b99df664daf05dab12f41c3e13 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue release with state management Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to the final resource release ensures safety. Queue states are defined as follows: - UACCE_Q_ZOMBIE: Initial state - UACCE_Q_INIT: After opening `uacce` - UACCE_Q_STARTED: After `start` is issued via `ioctl` When executing `poweroff -f` in virt while accelerator are still working, `uacce_fops_release` and `uacce_remove` may execute concurrently. This can cause `uacce_put_queue` within `uacce_fops_release` to access a NULL `ops` pointer. Therefore, add state checks to prevent accessing freed pointers. | 2026-02-04 | not yet calculated | CVE-2026-23063 | https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016 https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483 https://git.kernel.org/stable/c/43f233eb6e7b9d88536881a9bc43726d0e34800d https://git.kernel.org/stable/c/47634d70073890c9c37e39ab4ff93d4b585b028a https://git.kernel.org/stable/c/92e4f11e29b98ef424ff72d6371acac03e5d973c https://git.kernel.org/stable/c/26c08dabe5475d99a13f353d8dd70e518de45663 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possible NULL deref tcf_ife_encode() must make sure ife_encode() does not return NULL. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) Call Trace: <TASK> ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 tcf_ife_encode net/sched/act_ife.c:841 [inline] tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 tc_act include/net/tc_wrapper.h:130 [inline] tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 tcf_exts_exec include/net/pkt_cls.h:349 [inline] mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 tc_classify include/net/tc_wrapper.h:197 [inline] __tcf_classify net/sched/cls_api.c:1764 [inline] tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 multiq_classify net/sched/sch_multiq.c:39 [inline] multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 __dev_xmit_skb net/core/dev.c:4262 [inline] __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798 | 2026-02-04 | not yet calculated | CVE-2026-23064 | https://git.kernel.org/stable/c/4ef2c77851676b7ed106f0c47755bee9eeec9a40 https://git.kernel.org/stable/c/dd9442aedbeae87c44cc64c0ee41abd296dc008b https://git.kernel.org/stable/c/1440d749fe49c8665da6f744323b1671d25a56a0 https://git.kernel.org/stable/c/03710cebfc0bcfe247a9e04381e79ea33896e278 https://git.kernel.org/stable/c/374915dfc932adf57712df3be010667fd1190e3c https://git.kernel.org/stable/c/6c75fed55080014545f262b7055081cec4768b20 https://git.kernel.org/stable/c/27880b0b0d35ad1c98863d09788254e36f874968 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd: Fix memory leak in wbrf_record() The tmp buffer is allocated using kcalloc() but is not freed if acpi_evaluate_dsm() fails. This causes a memory leak in the error path. Fix this by explicitly freeing the tmp buffer in the error handling path of acpi_evaluate_dsm(). | 2026-02-04 | not yet calculated | CVE-2026-23065 | https://git.kernel.org/stable/c/1152dffe01af86e42ce2b208b92ef7f8c275d130 https://git.kernel.org/stable/c/1a0072bd1f1e559eda3e91a24dbc51c9eb025c54 https://git.kernel.org/stable/c/2bf1877b7094c684e1d652cac6912cfbc507ad3e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call - whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also passed and so the call was not dequeued or because the I/O thread requeued it. The unconditional requeue may then corrupt the recvmsg queue, leading to things like UAFs or refcount underruns. Fix this by only requeuing the call if it isn't already on the queue - and moving it to the front if it is already queued. If we don't queue it, we have to put the ref we obtained by dequeuing it. Also, MSG_PEEK doesn't dequeue the call so shouldn't call rxrpc_notify_socket() for the call if we didn't use up all the data on the queue, so fix that also. | 2026-02-04 | not yet calculated | CVE-2026-23066 | https://git.kernel.org/stable/c/930114425065f7ace6e0c0630fab4af75e059ea8 https://git.kernel.org/stable/c/2c28769a51deb6022d7fbd499987e237a01dd63a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iova This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment. Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions. | 2026-02-04 | not yet calculated | CVE-2026-23067 | https://git.kernel.org/stable/c/41ec6988547819756fb65e94fc24f3e0dddf84ac https://git.kernel.org/stable/c/374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double free in probe error path The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller(). If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controller_put(). However, since the controller was registered via a devm function, the device core will automatically call spi_controller_put() again when the probe fails. This results in a double-free of the spi_controller structure. Fix this by switching to devm_spi_alloc_host() and removing the manual spi_controller_put() call. | 2026-02-04 | not yet calculated | CVE-2026-23068 | https://git.kernel.org/stable/c/bddd3d10d039729b81cfb0804520c8832a701a0e https://git.kernel.org/stable/c/417cdfd9b9f986e95bfcb1d68eb443e6e0a15f8c https://git.kernel.org/stable/c/346775f2b4cf839177e8e86b94aa180a06dc15b0 https://git.kernel.org/stable/c/f6d6b3f172df118db582fe5ec43ae223a55d99cf https://git.kernel.org/stable/c/383d4f5cffcc8df930d95b06518a9d25a6d74aac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix potential underflow in virtio_transport_get_credit() The credit calculation in virtio_transport_get_credit() uses unsigned arithmetic: ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes are in flight, the subtraction can underflow and produce a large positive value, potentially allowing more data to be queued than the peer can handle. Reuse virtio_transport_has_space() which already handles this case and add a comment to make it clear why we are doing that. [Stefano: use virtio_transport_has_space() instead of duplicating the code] [Stefano: tweak the commit message] | 2026-02-04 | not yet calculated | CVE-2026-23069 | https://git.kernel.org/stable/c/d96de882d6b99955604669d962ae14e94b66a551 https://git.kernel.org/stable/c/02f9af192b98d15883c70dd41ac76d1b0217c899 https://git.kernel.org/stable/c/d05bc313788f0684b27f0f5b60c52a844669b542 https://git.kernel.org/stable/c/ec0f1b3da8061be3173d1c39faaf9504f91942c3 https://git.kernel.org/stable/c/3ef3d52a1a9860d094395c7a3e593f3aa26ff012 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Octeontx2-af: Add proper checks for fwdata firmware populates MAC address, link modes (supported, advertised) and EEPROM data in shared firmware structure which kernel access via MAC block(CGX/RPM). Accessing fwdata, on boards booted with out MAC block leading to kernel panics. Internal error: Oops: 0000000096000005 [#1] SMP [ 10.460721] Modules linked in: [ 10.463779] CPU: 0 UID: 0 PID: 174 Comm: kworker/0:3 Not tainted 6.19.0-rc5-00154-g76ec646abdf7-dirty #3 PREEMPT [ 10.474045] Hardware name: Marvell OcteonTX CN98XX board (DT) [ 10.479793] Workqueue: events work_for_cpu_fn [ 10.484159] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 10.491124] pc : rvu_sdp_init+0x18/0x114 [ 10.495051] lr : rvu_probe+0xe58/0x1d18 | 2026-02-04 | not yet calculated | CVE-2026-23070 | https://git.kernel.org/stable/c/e343973fab43c266a40e4e0dabdc4216db6d5eff https://git.kernel.org/stable/c/4a3dba48188208e4f66822800e042686784d29d1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regmap: Fix race condition in hwspinlock irqsave routine Previously, the address of the shared member '&map->spinlock_flags' was passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race condition where multiple contexts contending for the lock could overwrite the shared flags variable, potentially corrupting the state for the current lock owner. Fix this by using a local stack variable 'flags' to store the IRQ state temporarily. | 2026-02-04 | not yet calculated | CVE-2026-23071 | https://git.kernel.org/stable/c/e1a7072bc4f958c9e852dc7e57e39f12b0bb44b5 https://git.kernel.org/stable/c/766e243ae8c8b27087a4cc605752c0d5ee2daeab https://git.kernel.org/stable/c/f1e2fe26a51eca95b41420af76d22c2e613efd5e https://git.kernel.org/stable/c/24f31be6ad70537fd7706269d99c92cade465a09 https://git.kernel.org/stable/c/4aab0ca0a0f7760e33edcb4e47576064d05128f5 https://git.kernel.org/stable/c/c2d2cf710dc3ee1a69e00b4ed8de607a92a07889 https://git.kernel.org/stable/c/4b58aac989c1e3fafb1c68a733811859df388250 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: l2tp: Fix memleak in l2tp_udp_encap_recv(). syzbot reported memleak of struct l2tp_session, l2tp_tunnel, sock, etc. [0] The cited commit moved down the validation of the protocol version in l2tp_udp_encap_recv(). The new place requires an extra error handling to avoid the memleak. Let's call l2tp_session_put() there. [0]: BUG: memory leak unreferenced object 0xffff88810a290200 (size 512): comm "syz.0.17", pid 6086, jiffies 4294944299 hex dump (first 32 bytes): 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }............... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc babb6a4f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] __do_kmalloc_node mm/slub.c:5656 [inline] __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778 pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755 __sys_connect_file+0x7a/0xb0 net/socket.c:2089 __sys_connect+0xde/0x110 net/socket.c:2108 __do_sys_connect net/socket.c:2114 [inline] __se_sys_connect net/socket.c:2111 [inline] __x64_sys_connect+0x1c/0x30 net/socket.c:2111 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2026-02-04 | not yet calculated | CVE-2026-23072 | https://git.kernel.org/stable/c/5cd158a88eef34e7b100cd9b963873d3b4e41b35 https://git.kernel.org/stable/c/d4ce79e6dce2a4a49eebceea7b4caf5dc0f0ef3d https://git.kernel.org/stable/c/4d10edfd1475b69dbd4c47f34b61a3772ece83ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruption due to not set vif driver data size The struct ieee80211_vif contains trailing space for vif driver data, when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The size of vif driver data is set by each WiFi driver as needed. The RSI911x driver does not set vif driver data size, no trailing space for vif driver data is therefore allocated past struct ieee80211_vif . The RSI911x driver does however use the vif driver data to store its vif driver data structure "struct vif_priv". An access to vif->drv_priv leads to access out of struct ieee80211_vif bounds and corruption of some memory. In case of the failure observed locally, rsi_mac80211_add_interface() would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member struct list_head new_flows . The flow = list_first_entry(head, struct fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus address, which when accessed causes a crash. The trigger is very simple, boot the machine with init=/bin/sh , mount devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1", "ip link set wlan0 down" and the crash occurs. Fix this by setting the correct size of vif driver data, which is the size of "struct vif_priv", so that memory is allocated and the driver can store its driver data in it, instead of corrupting memory around it. | 2026-02-04 | not yet calculated | CVE-2026-23073 | https://git.kernel.org/stable/c/49ef094fdbc3526e5db2aebb404b84f79c5603dc https://git.kernel.org/stable/c/0d7c9e793e351cbbe9e06a9ca47d77b6ad288fb0 https://git.kernel.org/stable/c/7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4 https://git.kernel.org/stable/c/7761d7801f40e61069b4df3db88b36d80d089f8a https://git.kernel.org/stable/c/99129d80a5d4989ef8566f434f3589f60f28042b https://git.kernel.org/stable/c/31efbcff90884ea5f65bf3d1de01267db51ee3d1 https://git.kernel.org/stable/c/4f431d88ea8093afc7ba55edf4652978c5a68f33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows: ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF. | 2026-02-04 | not yet calculated | CVE-2026-23074 | https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6 https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fb https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202c https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380 https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841 https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In esd_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In esd_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in esd_usb_close(). Fix the memory leak by anchoring the URB in the esd_usb_read_bulk_callback() to the dev->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23075 | https://git.kernel.org/stable/c/93b34d4ba7266030801a509c088ac77c0d7a12e9 https://git.kernel.org/stable/c/dc934d96673992af8568664c1b58e13eb164010d https://git.kernel.org/stable/c/92d26ce07ac3b7a850dc68c8d73d487b39c39b33 https://git.kernel.org/stable/c/adec5e1f9c99fe079ec4c92cca3f1109a3e257c3 https://git.kernel.org/stable/c/9d1807b442fc3286b204f8e59981b10e743533ce https://git.kernel.org/stable/c/a9503ae43256e80db5cba9d449b238607164c51d https://git.kernel.org/stable/c/5a4391bdc6c8357242f62f22069c865b792406b3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix potential OOB access in audio mixer handling In the audio mixer handling code of ctxfi driver, the conf field is used as a kind of loop index, and it's referred in the index callbacks (amixer_index() and sum_index()). As spotted recently by fuzzers, the current code causes OOB access at those functions. | UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48 | index 8 is out of range for type 'unsigned char [8]' After the analysis, the cause was found to be the lack of the proper (re-)initialization of conj field. This patch addresses those OOB accesses by adding the proper initializations of the loop indices. | 2026-02-04 | not yet calculated | CVE-2026-23076 | https://git.kernel.org/stable/c/6524205326e0c1a21263b5c14e48e14ef7e449ae https://git.kernel.org/stable/c/afca7ff5d5d4d63a1acb95461f55ca9a729feedf https://git.kernel.org/stable/c/8c1d09806e1441bc6a54b9a4f2818918046d5174 https://git.kernel.org/stable/c/a8c42d11b0526a89192bd2f79facb4c60c8a1f38 https://git.kernel.org/stable/c/d77ba72558cd66704f0fb7e0969f697e87c0f71c https://git.kernel.org/stable/c/873e2360d247eeee642878fcc3398babff7e387c https://git.kernel.org/stable/c/61006c540cbdedea83b05577dc7fb7fa18fe1276 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge Patch series "mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge", v2. Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA merge scenarios. However, it is handling merges incorrectly when it comes to mremap() of a faulted VMA adjacent to an unfaulted VMA. The issues arise in three cases: 1. Previous VMA unfaulted: copied -----| v |-----------|.............| | unfaulted |(faulted VMA)| |-----------|.............| prev 2. Next VMA unfaulted: copied -----| v |.............|-----------| |(faulted VMA)| unfaulted | |.............|-----------| next 3. Both adjacent VMAs unfaulted: copied -----| v |-----------|.............|-----------| | unfaulted |(faulted VMA)| unfaulted | |-----------|.............|-----------| prev next This series fixes each of these cases, and introduces self tests to assert that the issues are corrected. I also test a further case which was already handled, to assert that my changes continues to correctly handle it: 4. prev unfaulted, next faulted: copied -----| v |-----------|.............|-----------| | unfaulted |(faulted VMA)| faulted | |-----------|.............|-----------| prev next This bug was discovered via a syzbot report, linked to in the first patch in the series, I confirmed that this series fixes the bug. I also discovered that we are failing to check that the faulted VMA was not forked when merging a copied VMA in cases 1-3 above, an issue this series also addresses. I also added self tests to assert that this is resolved (and confirmed that the tests failed prior to this). I also cleaned up vma_expand() as part of this work, renamed vma_had_uncowed_parents() to vma_is_fork_child() as the previous name was unduly confusing, and simplified the comments around this function. This patch (of 4): Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA merge scenarios. The key piece of logic introduced was the ability to merge a faulted VMA immediately next to an unfaulted VMA, which relies upon dup_anon_vma() to correctly handle anon_vma state. In the case of the merge of an existing VMA (that is changing properties of a VMA and then merging if those properties are shared by adjacent VMAs), dup_anon_vma() is invoked correctly. However in the case of the merge of a new VMA, a corner case peculiar to mremap() was missed. The issue is that vma_expand() only performs dup_anon_vma() if the target (the VMA that will ultimately become the merged VMA): is not the next VMA, i.e. the one that appears after the range in which the new VMA is to be established. A key insight here is that in all other cases other than mremap(), a new VMA merge either expands an existing VMA, meaning that the target VMA will be that VMA, or would have anon_vma be NULL. Specifically: * __mmap_region() - no anon_vma in place, initial mapping. * do_brk_flags() - expanding an existing VMA. * vma_merge_extend() - expanding an existing VMA. * relocate_vma_down() - no anon_vma in place, initial mapping. In addition, we are in the unique situation of needing to duplicate anon_vma state from a VMA that is neither the previous or next VMA being merged with. dup_anon_vma() deals exclusively with the target=unfaulted, src=faulted case. This leaves four possibilities, in each case where the copied VMA is faulted: 1. Previous VMA unfaulted: copied -----| ---truncated--- | 2026-02-04 | not yet calculated | CVE-2026-23077 | https://git.kernel.org/stable/c/a4d9dbfc1bab16e25fefd34b5e537a46bed8fc96 https://git.kernel.org/stable/c/61f67c230a5e7c741c352349ea80147fbe65bfae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Fix buffer overflow in config retrieval The scarlett2_usb_get_config() function has a logic error in the endianness conversion code that can cause buffer overflows when count > 1. The code checks `if (size == 2)` where `size` is the total buffer size in bytes, then loops `count` times treating each element as u16 (2 bytes). This causes the loop to access `count * 2` bytes when the buffer only has `size` bytes allocated. Fix by checking the element size (config_item->size) instead of the total buffer size. This ensures the endianness conversion matches the actual element type. | 2026-02-04 | not yet calculated | CVE-2026-23078 | https://git.kernel.org/stable/c/d5e80d1f97ae55bcea1426f551e4419245b41b9c https://git.kernel.org/stable/c/51049f6e3f05d70660e2458ad3bb302a3721b751 https://git.kernel.org/stable/c/91a756d22f0482eac5bedb113c8922f90b254449 https://git.kernel.org/stable/c/27049f50be9f5ae3a62d272128ce0b381cb26a24 https://git.kernel.org/stable/c/31a3eba5c265a763260976674a22851e83128f6d https://git.kernel.org/stable/c/6f5c69f72e50d51be3a8c028ae7eda42c82902cb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify() On error handling paths, lineinfo_changed_notify() doesn't free the allocated resources which results leaks. Fix it. | 2026-02-04 | not yet calculated | CVE-2026-23079 | https://git.kernel.org/stable/c/16414341b0dd58b650b5df45c79115bc5977bb76 https://git.kernel.org/stable/c/70b3c280533167749a8f740acaa8ef720f78f984 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23080 | https://git.kernel.org/stable/c/8b34c611a4feb81921bc4728c091e4e3ba0270c0 https://git.kernel.org/stable/c/b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60 https://git.kernel.org/stable/c/59153b6388e05609144ad56a9b354e9100a91983 https://git.kernel.org/stable/c/179f6f0cf5ae489743273b7c1644324c0c477ea9 https://git.kernel.org/stable/c/94c9f6f7b953f6382fef4bdc48c046b861b8868f https://git.kernel.org/stable/c/d374d715e338dfc3804aaa006fa6e470ffebb264 https://git.kernel.org/stable/c/710a7529fb13c5a470258ff5508ed3c498d54729 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: phy: intel-xway: fix OF node refcount leakage Automated review spotted am OF node reference count leakage when checking if the 'leds' child node exists. Call of_put_node() to correctly maintain the refcount. | 2026-02-04 | not yet calculated | CVE-2026-23081 | https://git.kernel.org/stable/c/1f24dfd556401b75f78e8d9cbd94dd9f31411c3a https://git.kernel.org/stable/c/79912b256e14054e6ba177d7e7e631485ce23dbe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"), the URB was re-anchored before usb_submit_urb() in gs_usb_receive_bulk_callback() to prevent a leak of this URB during cleanup. However, this patch did not take into account that usb_submit_urb() could fail. The URB remains anchored and usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops infinitely since the anchor list never becomes empty. To fix the bug, unanchor the URB when an usb_submit_urb() error occurs, also print an info message. | 2026-02-04 | not yet calculated | CVE-2026-23082 | https://git.kernel.org/stable/c/aa8a8866c533a150be4763bcb27993603bd5426c https://git.kernel.org/stable/c/ce4352057fc5a986c76ece90801b9755e7c6e56c https://git.kernel.org/stable/c/c610b550ccc0438d456dfe1df9f4f36254ccaae3 https://git.kernel.org/stable/c/c3edc14da81a8d8398682f6e4ab819f09f37c0b7 https://git.kernel.org/stable/c/79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fou: Don't allow 0 for FOU_ATTR_IPPROTO. fou_udp_recv() has the same problem mentioned in the previous patch. If FOU_ATTR_IPPROTO is set to 0, skb is not freed by fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). Let's forbid 0 for FOU_ATTR_IPPROTO. | 2026-02-04 | not yet calculated | CVE-2026-23083 | https://git.kernel.org/stable/c/c7498f9bc390479ccfad7c7f2332237ff4945b03 https://git.kernel.org/stable/c/611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea https://git.kernel.org/stable/c/6e983789b7588ee59cbf303583546c043bad8e19 https://git.kernel.org/stable/c/1cc98b8887cabb1808d2f4a37cd10a7be7574771 https://git.kernel.org/stable/c/b7db31a52c3862a1a32202a273a4c32e7f5f4823 https://git.kernel.org/stable/c/9b75dff8446ec871030d8daf5a69e74f5fe8b956 https://git.kernel.org/stable/c/7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is set to false, the driver may request the PMAC_ID from the firmware of the network card, and this function will store that PMAC_ID at the provided address pmac_id. This is the contract of this function. However, there is a location within the driver where both pmac_id_valid == false and pmac_id == NULL are being passed. This could result in dereferencing a NULL pointer. To resolve this issue, it is necessary to pass the address of a stub variable to the function. | 2026-02-04 | not yet calculated | CVE-2026-23084 | https://git.kernel.org/stable/c/4cba480c9b9a3861a515262225cb53a1f5978344 https://git.kernel.org/stable/c/92c6dc181a18e6e0ddb872ed35cb48a9274829e4 https://git.kernel.org/stable/c/6c3e00888dbec887125a08b51a705b9b163fcdd1 https://git.kernel.org/stable/c/e206fb415db36bad52bb90c08d46ce71ffbe8a80 https://git.kernel.org/stable/c/47ffb4dcffe336f4a7bd0f3284be7aadc6484698 https://git.kernel.org/stable/c/31410a01a86bcb98c798d01061abf1f789c4f75a https://git.kernel.org/stable/c/8215794403d264739cc676668087512950b2ff31 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3-its: Avoid truncating memory addresses On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem allocations to be backed by addresses physical memory above the 32-bit address limit, as found while experimenting with larger VMSPLIT configurations. This caused the qemu virt model to crash in the GICv3 driver, which allocates the 'itt' object using GFP_KERNEL. Since all memory below the 4GB physical address limit is in ZONE_DMA in this configuration, kmalloc() defaults to higher addresses for ZONE_NORMAL, and the ITS driver stores the physical address in a 32-bit 'unsigned long' variable. Change the itt_addr variable to the correct phys_addr_t type instead, along with all other variables in this driver that hold a physical address. The gicv5 driver correctly uses u64 variables, while all other irqchip drivers don't call virt_to_phys or similar interfaces. It's expected that other device drivers have similar issues, but fixing this one is sufficient for booting a virtio based guest. | 2026-02-04 | not yet calculated | CVE-2026-23085 | https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88 https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27 https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238 https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98 https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: cap TX credit to local buffer size The virtio transports derives its TX credit directly from peer_buf_alloc, which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. On the host side this means that the amount of data we are willing to queue for a connection is scaled by a guest-chosen buffer size, rather than the host's own vsock configuration. A malicious guest can advertise a large buffer and read slowly, causing the host to allocate a correspondingly large amount of sk_buff memory. The same thing would happen in the guest with a malicious host, since virtio transports share the same code base. Introduce a small helper, virtio_transport_tx_buf_size(), that returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume peer_buf_alloc. This ensures the effective TX window is bounded by both the peer's advertised buffer and our own buf_alloc (already clamped to buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer cannot force the other to queue more data than allowed by its own vsock settings. On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with 32 guest vsock connections advertising 2 GiB each and reading slowly drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only recovered after killing the QEMU process. That said, if QEMU memory is limited with cgroups, the maximum memory used will be limited. With this patch applied: Before: MemFree: ~61.6 GiB Slab: ~142 MiB SUnreclaim: ~117 MiB After 32 high-credit connections: MemFree: ~61.5 GiB Slab: ~178 MiB SUnreclaim: ~152 MiB Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest remains responsive. Compatibility with non-virtio transports: - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per socket based on the local vsk->buffer_* values; the remote side cannot enlarge those queues beyond what the local endpoint configured. - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and an MTU bound; there is no peer-controlled credit field comparable to peer_buf_alloc, and the remote endpoint cannot drive in-flight kernel memory above those ring sizes. - The loopback path reuses virtio_transport_common.c, so it naturally follows the same semantics as the virtio transport. This change is limited to virtio_transport_common.c and thus affects virtio-vsock, vhost-vsock, and loopback, bringing them in line with the "remote window intersected with local policy" behaviour that VMCI and Hyper-V already effectively have. [Stefano: small adjustments after changing the previous patch] [Stefano: tweak the commit message] | 2026-02-04 | not yet calculated | CVE-2026-23086 | https://git.kernel.org/stable/c/fef7110ae5617555c792a2bb4d27878d84583adf https://git.kernel.org/stable/c/d9d5f222558b42f6277eafaaa6080966faf37676 https://git.kernel.org/stable/c/c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce https://git.kernel.org/stable/c/84ef86aa7120449828d1e0ce438c499014839711 https://git.kernel.org/stable/c/8ee784fdf006cbe8739cfa093f54d326cbf54037 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: xen: scsiback: Fix potential memory leak in scsiback_remove() Memory allocated for struct vscsiblk_info in scsiback_probe() is not freed in scsiback_remove() leading to potential memory leaks on remove, as well as in the scsiback_probe() error paths. Fix that by freeing it in scsiback_remove(). | 2026-02-04 | not yet calculated | CVE-2026-23087 | https://git.kernel.org/stable/c/a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9 https://git.kernel.org/stable/c/427b0fb30ddec3bad05dcd73b00718f98c7026d2 https://git.kernel.org/stable/c/4a975c72429b050c234405668b742cdecc11548e https://git.kernel.org/stable/c/f86264ec0e2b102fcd49bf3e4f32fee669d482fc https://git.kernel.org/stable/c/32e52b56056daf0f0881fd9254706acf25b4be97 https://git.kernel.org/stable/c/24c441f0e24da175d7912095663f526ac480dc4f https://git.kernel.org/stable/c/901a5f309daba412e2a30364d7ec1492fa11c32c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Fix crash on synthetic stacktrace field usage When creating a synthetic event based on an existing synthetic event that had a stacktrace field and the new synthetic event used that field a kernel crash occurred: ~# cd /sys/kernel/tracing ~# echo 's:stack unsigned long stack[];' > dynamic_events ~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger ~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger The above creates a synthetic event that takes a stacktrace when a task schedules out in a non-running state and passes that stacktrace to the sched_switch event when that task schedules back in. It triggers the "stack" synthetic event that has a stacktrace as its field (called "stack"). ~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events ~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger ~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger The above makes another synthetic event called "syscall_stack" that attaches the first synthetic event (stack) to the sys_exit trace event and records the stacktrace from the stack event with the id of the system call that is exiting. When enabling this event (or using it in a historgram): ~# echo 1 > events/synthetic/syscall_stack/enable Produces a kernel crash! BUG: unable to handle page fault for address: 0000000000400010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:trace_event_raw_event_synth+0x90/0x380 Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f RSP: 0018:ffffd2670388f958 EFLAGS: 00010202 RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0 RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50 R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010 R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90 FS: 00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0 Call Trace: <TASK> ? __tracing_map_insert+0x208/0x3a0 action_trace+0x67/0x70 event_hist_trigger+0x633/0x6d0 event_triggers_call+0x82/0x130 trace_event_buffer_commit+0x19d/0x250 trace_event_raw_event_sys_exit+0x62/0xb0 syscall_exit_work+0x9d/0x140 do_syscall_64+0x20a/0x2f0 ? trace_event_raw_event_sched_switch+0x12b/0x170 ? save_fpregs_to_fpstate+0x3e/0x90 ? _raw_spin_unlock+0xe/0x30 ? finish_task_switch.isra.0+0x97/0x2c0 ? __rseq_handle_notify_resume+0xad/0x4c0 ? __schedule+0x4b8/0xd00 ? restore_fpregs_from_fpstate+0x3c/0x90 ? switch_fpu_return+0x5b/0xe0 ? do_syscall_64+0x1ef/0x2f0 ? do_fault+0x2e9/0x540 ? __handle_mm_fault+0x7d1/0xf70 ? count_memcg_events+0x167/0x1d0 ? handle_mm_fault+0x1d7/0x2e0 ? do_user_addr_fault+0x2c3/0x7f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The reason is that the stacktrace field is not labeled as such, and is treated as a normal field and not as a dynamic event that it is. In trace_event_raw_event_synth() the event is field is still treated as a dynamic array, but the retrieval of the data is considered a normal field, and the reference is just the meta data: // Meta data is retrieved instead of a dynamic array ---truncated--- | 2026-02-04 | not yet calculated | CVE-2026-23088 | https://git.kernel.org/stable/c/98ecbfb2598c9c7ca755a29f402da9d36c057077 https://git.kernel.org/stable/c/327af07dff6ab5650b21491eb4f69694999ff3d1 https://git.kernel.org/stable/c/3b90d099efa2b67239bd3b3dc3521ec584261748 https://git.kernel.org/stable/c/90f9f5d64cae4e72defd96a2a22760173cb3c9ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element. | 2026-02-04 | not yet calculated | CVE-2026-23089 | https://git.kernel.org/stable/c/51b1aa6fe7dc87356ba58df06afb9677c9b841ea https://git.kernel.org/stable/c/56fb6efd5d04caf6f14994d51ec85393b9a896c6 https://git.kernel.org/stable/c/7009daeefa945973a530b2f605fe445fc03747af https://git.kernel.org/stable/c/7bff0156d13f0ad9436e5178b979b063d59f572a https://git.kernel.org/stable/c/e6f103a22b08daf5df2f4aa158081840e5910963 https://git.kernel.org/stable/c/dc1a5dd80af1ee1f29d8375b12dd7625f6294dad https://git.kernel.org/stable/c/930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: slimbus: core: fix device reference leak on report present Slimbus devices can be allocated dynamically upon reception of report-present messages. Make sure to drop the reference taken when looking up already registered devices. Note that this requires taking an extra reference in case the device has not yet been registered and has to be allocated. | 2026-02-04 | not yet calculated | CVE-2026-23090 | https://git.kernel.org/stable/c/b1217e40705b2f6d311c197b12866752656217ff https://git.kernel.org/stable/c/948615429c9f2ac9d25d4e1f1a4472926b217a9a https://git.kernel.org/stable/c/02b78bbfbafe49832e508079148cb87cdfa55825 https://git.kernel.org/stable/c/2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6 https://git.kernel.org/stable/c/54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9 https://git.kernel.org/stable/c/6602bb4d1338e92b5838e50322b87697bdbd2ee0 https://git.kernel.org/stable/c/9391380eb91ea5ac792aae9273535c8da5b9aa01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: intel_th: fix device leak on output open() Make sure to drop the reference taken when looking up the th device during output device open() on errors and on close(). Note that a recent commit fixed the leak in a couple of open() error paths but not all of them, and the reference is still leaking on successful open(). | 2026-02-04 | not yet calculated | CVE-2026-23091 | https://git.kernel.org/stable/c/af4b9467296b9a16ebc008147238070236982b6d https://git.kernel.org/stable/c/64015cbf06e8bb75b81ae95b997e847b55280f7f https://git.kernel.org/stable/c/b71e64ef7ff9443835d1333e3e80ab1e49e5209f https://git.kernel.org/stable/c/bf7785434b5d05d940d936b78925080950bd54dd https://git.kernel.org/stable/c/0fca16c5591534cc1fec8b6181277ee3a3d0f26c https://git.kernel.org/stable/c/f9b059bda4276f2bb72cb98ec7875a747f042ea2 https://git.kernel.org/stable/c/95fc36a234da24bbc5f476f8104a5a15f99ed3e3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied. If count exceeds the buffer size, this leads to out-of-bounds write. Add a check for the count and use the return value as the index. The bug was validated using a demo module that mirrors the original code and was tested under QEMU. Pattern of the bug: - A fixed 64-byte stack buffer is filled using count. - If count > 64, the code still does buf[count] = '\0', causing an - out-of-bounds write on the stack. Steps for reproduce: - Opens the device node. - Writes 128 bytes of A to it. - This overflows the 64-byte stack buffer and KASAN reports the OOB. Found via static analysis. This is similar to the commit da9374819eb3 ("iio: backend: fix out-of-bound write") | 2026-02-04 | not yet calculated | CVE-2026-23092 | https://git.kernel.org/stable/c/db16e7c52032c79156930a337ee17232931794ba https://git.kernel.org/stable/c/978d28136c53df38f8f0b747191930e2f95e9084 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() nents The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned. | 2026-02-04 | not yet calculated | CVE-2026-23093 | https://git.kernel.org/stable/c/f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec https://git.kernel.org/stable/c/6ececffd3e9fe93a87738625dc0671165d27bf96 https://git.kernel.org/stable/c/4d1e9a4a450aae47277763562122cc80ed703ab2 https://git.kernel.org/stable/c/70ba85e439221a5d6dda34a3004db6640f0525e6 https://git.kernel.org/stable/c/d1943bc9dc9508f5933788a76f8a35d10e43a646 https://git.kernel.org/stable/c/98e3e2b561bc88f4dd218d1c05890672874692f6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: fix isolate sysfs check condition uacce supports the device isolation feature. If the driver implements the isolate_err_threshold_read and isolate_err_threshold_write callback functions, uacce will create sysfs files now. Users can read and configure the isolation policy through sysfs. Currently, sysfs files are created as long as either isolate_err_threshold_read or isolate_err_threshold_write callback functions are present. However, accessing a non-existent callback function may cause the system to crash. Therefore, intercept the creation of sysfs if neither read nor write exists; create sysfs if either is supported, but intercept unsupported operations at the call site. | 2026-02-04 | not yet calculated | CVE-2026-23094 | https://git.kernel.org/stable/c/9ab05cdcac354b1b1139918f49c6418b9005d042 https://git.kernel.org/stable/c/fdbbb47d15ae17bf39fafec7e2028c1f8efba15e https://git.kernel.org/stable/c/82821a681d5dcce31475a65190fc39ea8f372cc0 https://git.kernel.org/stable/c/98eec349259b1fd876f350b1c600403bcef8f85d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let's drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer: * no error * resubmit HOPOPT [0] BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline] tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2026-02-04 | not yet calculated | CVE-2026-23095 | https://git.kernel.org/stable/c/886f186328b718400dbf79e1bc8cbcbd710ab766 https://git.kernel.org/stable/c/380a82d36e37db49fd41ecc378c22fd29392e96a https://git.kernel.org/stable/c/536f5bbc322eb1e175bdd1ced22b236a951c4d8f https://git.kernel.org/stable/c/f87b9b7a618c82e7465e872eb10e14c803871892 https://git.kernel.org/stable/c/ce569b389a5c78d64788a5ea94560e17fa574b35 https://git.kernel.org/stable/c/5437a279804ced8088cabb945dba88a26d828f8c https://git.kernel.org/stable/c/9a56796ad258786d3624eef5aefba394fc9bdded |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: fix cdev handling in the cleanup path When cdev_device_add fails, it internally releases the cdev memory, and if cdev_device_del is then executed, it will cause a hang error. To fix it, we check the return value of cdev_device_add() and clear uacce->cdev to avoid calling cdev_device_del in the uacce_remove. | 2026-02-04 | not yet calculated | CVE-2026-23096 | https://git.kernel.org/stable/c/c94c7188d325bc5137d447d67a2f18f7d4f2f4a3 https://git.kernel.org/stable/c/1bc3e51367c420e6db31f41efa874c7a8e12194a https://git.kernel.org/stable/c/819d647406200d0e83e56fd2df8f451b11290559 https://git.kernel.org/stable/c/d9031575a2f8aabc53af3025dd79af313a2e046b https://git.kernel.org/stable/c/98d67a1bd6caddd0a8b8c82a0b925742cf500936 https://git.kernel.org/stable/c/bd2393ed7712513e7e2dbcb6e21464a67ff9e702 https://git.kernel.org/stable/c/a3bece3678f6c88db1f44c602b2a63e84b4040ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering for hugetlb file folios Syzbot has found a deadlock (analyzed by Lance Yang): 1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). 2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire folio_lock. migrate_pages() -> migrate_hugetlbs() -> unmap_and_move_huge_page() <- Takes folio_lock! -> remove_migration_ptes() -> __rmap_walk_file() -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)! hugetlbfs_fallocate() -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)! -> hugetlbfs_zero_partial_page() -> filemap_lock_hugetlb_folio() -> filemap_lock_folio() -> __filemap_get_folio <- Waits for folio_lock! The migration path is the one taking locks in the wrong order according to the documentation at the top of mm/rmap.c. So expand the scope of the existing i_mmap_lock to cover the calls to remove_migration_ptes() too. This is (mostly) how it used to be after commit c0d0381ade79. That was removed by 336bf30eb765 for both file & anon hugetlb pages when it should only have been removed for anon hugetlb pages. | 2026-02-04 | not yet calculated | CVE-2026-23097 | https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394 https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9 https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330 https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34 https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1 https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305 https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb. | 2026-02-04 | not yet calculated | CVE-2026-23098 | https://git.kernel.org/stable/c/25aab6bfc31017a7e52035b99aef5c2b6bde8ffb https://git.kernel.org/stable/c/6e0110ea90313b7c0558a0b77038274a6821caf8 https://git.kernel.org/stable/c/7c48fdf2d1349bb54815b56fb012b9d577707708 https://git.kernel.org/stable/c/bd8955337e3764f912f49b360e176d8aaecf7016 https://git.kernel.org/stable/c/94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c https://git.kernel.org/stable/c/9f5fa78d9980fe75a69835521627ab7943cb3d67 https://git.kernel.org/stable/c/ba1096c315283ee3292765f6aea4cca15816c4f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD to Ethernet devices BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. syzbot reported: BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 __hw_addr_create net/core/dev_addr_lists.c:63 [inline] __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 __dev_mc_add net/core/dev_addr_lists.c:868 [inline] dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x505/0x820 net/socket.c:2592 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 __sys_sendmsg+0x164/0x220 net/socket.c:2678 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 entry_SYSENTER_compat_after_hwframe+0x84/0x8e </TASK> The buggy address belongs to the variable: lacpdu_mcast_addr+0x0/0x40 | 2026-02-04 | not yet calculated | CVE-2026-23099 | https://git.kernel.org/stable/c/72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4 https://git.kernel.org/stable/c/5063b2cd9b27d35ab788d707d7858ded0acc8f1d https://git.kernel.org/stable/c/80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d https://git.kernel.org/stable/c/ef68afb1bee8d35a18896c27d7358079353d8d8a https://git.kernel.org/stable/c/43dee6f7ef1d228821de1b61c292af3744c8d7da https://git.kernel.org/stable/c/c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb_pmd_shared() Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3. One functional fix, one performance regression fix, and two related comment fixes. I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things. The goal of this patch set is to be backported to stable trees "fairly" easily. At least patch #1 and #4. Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing Patch #2 + #3 are simple comment fixes that patch #4 interacts with. Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit(). The last patch is all about TLB flushes, IPIs and mmu_gather. Read: complicated There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that's all out of scope for this series. Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86. This patch (of 4): We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing. We didn't convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table. Page migration, like mbind() or migrate_pages() would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as "private" although they are "shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface. Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared(). | 2026-02-04 | not yet calculated | CVE-2026-23100 | https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: leds: led-class: Only Add LED to leds_list when it is fully ready Before this change the LED was added to leds_list before led_init_core() gets called adding it the list before led_classdev.set_brightness_work gets initialized. This leaves a window where led_trigger_register() of a LED's default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the *uninitialized* led_classdev.set_brightness_work. This race gets hit by the lenovo-thinkpad-t14s EC driver which registers 2 LEDs with a default trigger provided by snd_ctl_led.ko in quick succession. The first led_classdev_register() causes an async modprobe of snd_ctl_led to run and that async modprobe manages to exactly hit the window where the second LED is on the leds_list without led_init_core() being called for it, resulting in: ------------[ cut here ]------------ WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 ... Call trace: __flush_work+0x344/0x390 (P) flush_work+0x2c/0x50 led_trigger_set+0x1c8/0x340 led_trigger_register+0x17c/0x1c0 led_trigger_register_simple+0x84/0xe8 snd_ctl_led_init+0x40/0xf88 [snd_ctl_led] do_one_initcall+0x5c/0x318 do_init_module+0x9c/0x2b8 load_module+0x7e0/0x998 Close the race window by moving the adding of the LED to leds_list to after the led_init_core() call. | 2026-02-04 | not yet calculated | CVE-2026-23101 | https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77 https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386 https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3 https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234 https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Fix restoration of SVE context When SME is supported, Restoring SVE signal context can go wrong in a few ways, including placing the task into an invalid state where the kernel may read from out-of-bounds memory (and may potentially take a fatal fault) and/or may kill the task with a SIGKILL. (1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into an invalid state where SVCR.SM is set (and sve_state is non-NULL) but TIF_SME is clear, consequently resuting in out-of-bounds memory reads and/or killing the task with SIGKILL. This can only occur in unusual (but legitimate) cases where the SVE signal context has either been modified by userspace or was saved in the context of another task (e.g. as with CRIU), as otherwise the presence of an SVE signal context with SVE_SIG_FLAG_SM implies that TIF_SME is already set. While in this state, task_fpsimd_load() will NOT configure SMCR_ELx (leaving some arbitrary value configured in hardware) before restoring SVCR and attempting to restore the streaming mode SVE registers from memory via sve_load_state(). As the value of SMCR_ELx.LEN may be larger than the task's streaming SVE vector length, this may read memory outside of the task's allocated sve_state, reading unrelated data and/or triggering a fault. While this can result in secrets being loaded into streaming SVE registers, these values are never exposed. As TIF_SME is clear, fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0 accesses to streaming mode SVE registers, so these cannot be accessed directly at EL0. As fpsimd_save_user_state() verifies the live vector length before saving (S)SVE state to memory, no secret values can be saved back to memory (and hence cannot be observed via ptrace, signals, etc). When the live vector length doesn't match the expected vector length for the task, fpsimd_save_user_state() will send a fatal SIGKILL signal to the task. Hence the task may be killed after executing userspace for some period of time. (2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the task's SVCR.SM. If SVCR.SM was set prior to restoring the context, then the task will be left in streaming mode unexpectedly, and some register state will be combined inconsistently, though the task will be left in legitimate state from the kernel's PoV. This can only occur in unusual (but legitimate) cases where ptrace has been used to set SVCR.SM after entry to the sigreturn syscall, as syscall entry clears SVCR.SM. In these cases, the the provided SVE register data will be loaded into the task's sve_state using the non-streaming SVE vector length and the FPSIMD registers will be merged into this using the streaming SVE vector length. Fix (1) by setting TIF_SME when setting SVCR.SM. This also requires ensuring that the task's sme_state has been allocated, but as this could contain live ZA state, it should not be zeroed. Fix (2) by clearing SVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear. For consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME, and fp_type earlier, immediately after the allocation of sve_state/sme_state, before the restore of the actual register state. This makes it easier to ensure that these are always modified consistently, even if a fault is taken while reading the register data from the signal context. I do not expect any software to depend on the exact state restored when a fault is taken while reading the context. | 2026-02-04 | not yet calculated | CVE-2026-23102 | https://git.kernel.org/stable/c/9bc3adba8c35119be80ab20217027720446742f2 https://git.kernel.org/stable/c/ce820dd4e6e2d711242dc4331713b9bb4fe06d09 https://git.kernel.org/stable/c/7b5a52cf252a0d2e89787b645290ad288878f332 https://git.kernel.org/stable/c/d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipvlan: Make the addrs_lock be per port Make the addrs_lock be per port, not per ipvlan dev. Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so for the case of IPv6. So 1) Introduce per-port addrs_lock. 2) It was needed to fix places where it was forgotten to take lock (ipvlan_open/ipvlan_close) This appears to be a very minor problem though. Since it's highly unlikely that ipvlan_add_addr() will be called on 2 CPU simultaneously. But nevertheless, this could cause: 1) False-negative of ipvlan_addr_busy(): one interface iterated through all port->ipvlans + ipvlan->addrs under some ipvlan spinlock, and another added IP under its own lock. Though this is only possible for IPv6, since looks like only ipvlan_addr6_event() can be called without rtnl_lock. 2) Race since ipvlan_ht_addr_add(port) is called under different ipvlan->addrs_lock locks This should not affect performance, since add/remove IP is a rare situation and spinlock is not taken on fast paths. | 2026-02-04 | not yet calculated | CVE-2026-23103 | https://git.kernel.org/stable/c/3c149b662cbb202a450e81f938e702ba333864ad https://git.kernel.org/stable/c/70feb16e3fbfb10b15de1396557c38e99f1ab8df https://git.kernel.org/stable/c/88f83e6c9cdb46b8c8ddd0ba01393362963cf589 https://git.kernel.org/stable/c/04ba6de6eff61238e5397c14ac26a6578c7735a5 https://git.kernel.org/stable/c/1f300c10d92c547c3a7d978e1212ff52f18256ed https://git.kernel.org/stable/c/6a81e2db096913d7e43aada1c350c1282e76db39 https://git.kernel.org/stable/c/d3ba32162488283c0a4c5bedd8817aec91748802 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call trace Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced internal temperature sensor reading via HWMON. ice_hwmon_init() was added to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a result if devlink reload is used to reinit the device and then the driver is removed, a call trace can occur. BUG: unable to handle page fault for address: ffffffffc0fd4b5d Call Trace: string+0x48/0xe0 vsnprintf+0x1f9/0x650 sprintf+0x62/0x80 name_show+0x1f/0x30 dev_attr_show+0x19/0x60 The call trace repeats approximately every 10 minutes when system monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs attributes that reference freed module memory. The sequence is: 1. Driver load, ice_hwmon_init() gets called from ice_init_feature() 2. Devlink reload down, flow does not call ice_remove() 3. Devlink reload up, ice_hwmon_init() gets called from ice_init_feature() resulting in a second instance 4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the first hwmon instance orphaned with dangling pointer Fix this by moving ice_hwmon_exit() from ice_remove() to ice_deinit_features() to ensure proper cleanup symmetry with ice_hwmon_init(). | 2026-02-04 | not yet calculated | CVE-2026-23104 | https://git.kernel.org/stable/c/87c1dacca197cc64e06fedeb269e3dd6699bae60 https://git.kernel.org/stable/c/d3f867e7a04678640ebcbfb81893c59f4af48586 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag This is more of a preventive patch to make the code more consistent and to prevent possible exploits that employ child qlen manipulations on qfq. use cl_is_active instead of relying on the child qdisc's qlen to determine class activation. | 2026-02-04 | not yet calculated | CVE-2026-23105 | https://git.kernel.org/stable/c/fac2c67bb2bb732eae4283e45fc338af7e08c254 https://git.kernel.org/stable/c/b8c24cf5268fb3bfb8d16324c3dbb985f698c835 https://git.kernel.org/stable/c/f27047abf7cac1b6f90c3ad60de21ef9f717c26d https://git.kernel.org/stable/c/93b8635974fb050c43d07e35e5edfe6e685ca28a https://git.kernel.org/stable/c/abd9fc26ea577561a5ef6241a1b058755ffdad0c https://git.kernel.org/stable/c/77f1afd0bb4d5da95236f6114e6d0dfcde187ff6 https://git.kernel.org/stable/c/d837fbee92453fbb829f950c8e7cf76207d73f33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: timekeeping: Adjust the leap state for the correct auxiliary timekeeper When __do_ajdtimex() was introduced to handle adjtimex for any timekeeper, this reference to tk_core was not updated. When called on an auxiliary timekeeper, the core timekeeper would be updated incorrectly. This gets caught by the lock debugging diagnostics because the timekeepers sequence lock gets written to without holding its associated spinlock: WARNING: include/linux/seqlock.h:226 at __do_adjtimex+0x394/0x3b0, CPU#2: test/125 aux_clock_adj (kernel/time/timekeeping.c:2979) __do_sys_clock_adjtime (kernel/time/posix-timers.c:1161 kernel/time/posix-timers.c:1173) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) Update the correct auxiliary timekeeper. | 2026-02-04 | not yet calculated | CVE-2026-23106 | https://git.kernel.org/stable/c/8f7c9dbeaa0be5810e44d323735967d3dba9239d https://git.kernel.org/stable/c/e806f7dde8ba28bc72a7a0898589cac79f6362ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME. Consequently, restoring a ZA context can place a task into an invalid state where TIF_SME is set but the task's sve_state is NULL. In legitimate but uncommon cases where the ZA signal context was NOT created by the kernel in the context of the same task (e.g. if the task is saved/restored with something like CRIU), we have no guarantee that sve_state had been allocated previously. In these cases, userspace can enter streaming mode without trapping while sve_state is NULL, causing a later NULL pointer dereference when the kernel attempts to store the register state: | # ./sigreturn-za | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000046 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x06: level 2 translation fault | Data abort info: | ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 | CM = 0, WnR = 1, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00 | [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000 | Internal error: Oops: 0000000096000046 [#1] SMP | Modules linked in: | CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT | Hardware name: linux,dummy-virt (DT) | pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : sve_save_state+0x4/0xf0 | lr : fpsimd_save_user_state+0xb0/0x1c0 | sp : ffff80008070bcc0 | x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658 | x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000 | x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40 | x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000 | x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c | x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020 | x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0 | x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48 | x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000 | x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440 | Call trace: | sve_save_state+0x4/0xf0 (P) | fpsimd_thread_switch+0x48/0x198 | __switch_to+0x20/0x1c0 | __schedule+0x36c/0xce0 | schedule+0x34/0x11c | exit_to_user_mode_loop+0x124/0x188 | el0_interrupt+0xc8/0xd8 | __el0_irq_handler_common+0x18/0x24 | el0t_64_irq_handler+0x10/0x1c | el0t_64_irq+0x198/0x19c | Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800) | ---[ end trace 0000000000000000 ]--- Fix this by having restore_za_context() ensure that the task's sve_state is allocated, matching what we do when taking an SME trap. Any live SVE/SSVE state (which is restored earlier from a separate signal context) must be preserved, and hence this is not zeroed. | 2026-02-04 | not yet calculated | CVE-2026-23107 | https://git.kernel.org/stable/c/c5a5b150992ebab779c1ce54f54676786e47e94c https://git.kernel.org/stable/c/19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214 https://git.kernel.org/stable/c/0af233d66eff90fb8f3e0fc09f2316bba0b72bb9 https://git.kernel.org/stable/c/70f7f54566afc23f2c71bf1411af81f5d8009e0f https://git.kernel.org/stable/c/ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback usb_8dev_read_bulk_callback(), the URBs are processed and resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23108 | https://git.kernel.org/stable/c/feb8243eaea7efd5279b19667d7189fd8654c87a https://git.kernel.org/stable/c/ef6e608e5ee71eca0cd3475c737e684cef24f240 https://git.kernel.org/stable/c/60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9 https://git.kernel.org/stable/c/59ff56992bba28051ad67cd8cc7b0edfe7280796 https://git.kernel.org/stable/c/ea4a98e924164586066b39f29bfcc7cc9da108cd https://git.kernel.org/stable/c/07e9373739c6388af9d99797cdb2e79dbbcbe92b https://git.kernel.org/stable/c/f7a980b3b8f80fe367f679da376cf76e800f9480 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes() Above the while() loop in wait_sb_inodes(), we document that we must wait for all pages under writeback for data integrity. Consequently, if a mapping, like fuse, traditionally does not have data integrity semantics, there is no need to wait at all; we can simply skip these inodes. This restores fuse back to prior behavior where syncs are no-ops. This fixes a user regression where if a system is running a faulty fuse server that does not reply to issued write requests, this causes wait_sb_inodes() to wait forever. | 2026-02-04 | not yet calculated | CVE-2026-23109 | https://git.kernel.org/stable/c/3f4ed5e2b8f111553562507ad6202432c7c57731 https://git.kernel.org/stable/c/f9a49aa302a05e91ca01f69031cb79a0ea33031f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: core: Wake up the error handler when final completions race against each other The fragile ordering between marking commands completed or failed so that the error handler only wakes when the last running command completes or times out has race conditions. These race conditions can cause the SCSI layer to fail to wake the error handler, leaving I/O through the SCSI host stuck as the error state cannot advance. First, there is an memory ordering issue within scsi_dec_host_busy(). The write which clears SCMD_STATE_INFLIGHT may be reordered with reads counting in scsi_host_busy(). While the local CPU will see its own write, reordering can allow other CPUs in scsi_dec_host_busy() or scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to see a host busy equal to the host_failed count. This race condition can be prevented with a memory barrier on the error path to force the write to be visible before counting host busy commands. Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By counting busy commands before incrementing host_failed, it can race with a final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does not see host_failed incremented but scsi_eh_inc_host_failed() counts busy commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), resulting in neither waking the error handler task. This needs the call to scsi_host_busy() to be moved after host_failed is incremented to close the race condition. | 2026-02-04 | not yet calculated | CVE-2026-23110 | https://git.kernel.org/stable/c/cc872e35c0df80062abc71268d690a2f749e542e https://git.kernel.org/stable/c/6d9a367be356101963c249ebf10ea10b32886607 https://git.kernel.org/stable/c/9fdc6f28d5e81350ab1d2cac8389062bd09e61e1 https://git.kernel.org/stable/c/64ae21b9c4f0c7e60cf47a53fa7ab68852079ef0 https://git.kernel.org/stable/c/219f009ebfd1ef3970888ee9eef4c8a06357f862 https://git.kernel.org/stable/c/fe2f8ad6f0999db3b318359a01ee0108c703a8c3 |
| Six Apart Ltd.--Movable Type (Software Edition) | A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-23704 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| Apache Software Foundation--Apache Syncope | Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. | 2026-02-03 | not yet calculated | CVE-2026-23794 | https://lists.apache.org/thread/7h30ghqdsf3spl3h7gdmscxofrm8ygjo |
| Apache Software Foundation--Apache Syncope | Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. | 2026-02-03 | not yet calculated | CVE-2026-23795 | https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos |
| OpenSolution--Quick.Cart | Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-02-05 | not yet calculated | CVE-2026-23796 | https://opensolution.org/sklep-internetowy-quick-cart.html https://cert.pl/posts/2026/02/CVE-2026-23796 |
| OpenSolution--Quick.Cart | In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users' password in user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-02-05 | not yet calculated | CVE-2026-23797 | https://opensolution.org/sklep-internetowy-quick-cart.html https://cert.pl/posts/2026/02/CVE-2026-23796 |
| parallax--jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | not yet calculated | CVE-2026-24040 | https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4 https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| parallax--jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | not yet calculated | CVE-2026-24043 | https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422 https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| zulip--zulip | Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user explicitly interacting with the problematic object. This vulnerability is fixed in 11.5. | 2026-02-06 | not yet calculated | CVE-2026-24050 | https://github.com/zulip/zulip/security/advisories/GHSA-56qv-8823-6fq9 https://github.com/zulip/zulip/commit/e6093d9e4788f4d82236d856c5ed7b16767886a7 https://github.com/zulip/zulip/releases/tag/11.5 https://zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-11-5 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111. | 2026-02-03 | not yet calculated | CVE-2026-24052 | https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.74. | 2026-02-03 | not yet calculated | CVE-2026-24053 | https://github.com/anthropics/claude-code/security/advisories/GHSA-q728-gf8j-w49r |
| Native Instruments--Native Access | During the installation of the Native Access application, a privileged helper `com.native-instruments.NativeAccess.Helper2`, which is used by Native Access to trigger functions via XPC communication like copy-file, remove or set-permissions, is deployed as well. The communication with the XPC service of the privileged helper is only allowed if the client process is signed with the corresponding certificate and fulfills the following code signing requirement: "anchor trusted and certificate leaf[subject.CN] = \"Developer ID Application: Native Instruments GmbH (83K5EG6Z9V)\"" The Native Access application was found to be signed with the `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation` entitlements leading to DYLIB injection and therefore command execution in the context of this application. A low privileged user can exploit the DYLIB injection to trigger functions of the privileged helper XPC service resulting in privilege escalation by first deleting the /etc/sudoers file and then copying a malicious version of that file to /etc/sudoers. | 2026-02-02 | not yet calculated | CVE-2026-24070 | https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/ |
| Native Instruments--Native Access | It was found that the XPC service offered by the privileged helper of Native Access uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks. The connection handler function uses _xpc_connection_get_pid(arg2) as argument for the hasValidSignature function. This value can not be trusted since it is vulnerable to PID reuse attacks. | 2026-02-02 | not yet calculated | CVE-2026-24071 | https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/ |
| parallax--jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | not yet calculated | CVE-2026-24133 | https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c https://github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | not yet calculated | CVE-2026-24135 | https://github.com/gogs/gogs/security/advisories/GHSA-jp7c-wj6q-3qf2 |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails to properly sanitize the idarticolo parameter before using it in SQL queries, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference. | 2026-02-06 | not yet calculated | CVE-2026-24416 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-p864-fqgv-92q4 |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference. | 2026-02-06 | not yet calculated | CVE-2026-24417 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages. | 2026-02-06 | not yet calculated | CVE-2026-24418 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages. | 2026-02-06 | not yet calculated | CVE-2026-24419 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6 |
| Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim's browser context. | 2026-02-03 | not yet calculated | CVE-2026-24426 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-reflected-xss-via-web-interface-output-encoding |
| Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose sensitive information in web management responses. Administrative credentials, including the router and/or admin panel password, are included in plaintext within configuration response bodies. In addition, responses lack appropriate Cache-Control directives, which may permit web browsers to cache pages containing these credentials and enable subsequent disclosure to an attacker with access to the client system or browser profile. | 2026-02-03 | not yet calculated | CVE-2026-24427 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-exposes-admin-credentials-in-configuration-responses |
| Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings. | 2026-02-03 | not yet calculated | CVE-2026-24434 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-web-interface-lacks-csrf-protections-for-admin-actions |
| Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material. | 2026-02-03 | not yet calculated | CVE-2026-24441 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-transmits-admin-credentials-without-https-protection |
| Six Apart Ltd.--Movable Type (Software Edition) | If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-24447 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| ELECOM CO.,LTD.--WRC-X1500GS-B | For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information. | 2026-02-03 | not yet calculated | CVE-2026-24449 | https://www.elecom.co.jp/news/security/20260203-01/ https://jvn.jp/en/jp/JVN94012927/ |
| ELECOM CO.,LTD.--WAB-S733IW2-PD | Stack-based buffer overflow vulnerability exists in ELECOM wireless LAN access point devices. A crafted packet may lead to arbitrary code execution. | 2026-02-03 | not yet calculated | CVE-2026-24465 | https://www.elecom.co.jp/news/security/20260203-01/ https://www.elecom.co.jp/news/security/20260203-02/ https://jvn.jp/en/jp/JVN94012927/ |
| continuwuity--continuwuity | continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts is set by the victim. For the /join endpoint, an additionally victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9. | 2026-02-02 | not yet calculated | CVE-2026-24471 | https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v https://forgejo.ellis.link/continuwuation/continuwuity/commit/12aecf809172205436c852a1eaf268c1a2c3a900 |
| Roland Corporation--Roland Cloud Manager | The installer for Roland Cloud Manager ver.3.1.19 and prior insecurely loads Dynamic Link Libraries (DLLs), which could allow an attacker to execute arbitrary code with the privileges of the application. | 2026-02-03 | not yet calculated | CVE-2026-24694 | https://www.roland.com/global/products/rc_roland_cloud_manager/support/#dl-support_documents https://jvn.jp/en/jp/JVN89992160/ |
| Apache Software Foundation--Apache Answer | Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue. | 2026-02-04 | not yet calculated | CVE-2026-24735 | https://lists.apache.org/thread/whxloom7mpxlyt5wzdskflsg5mzdzd60 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82. | 2026-02-03 | not yet calculated | CVE-2026-24762 | https://github.com/rustfs/rustfs/security/advisories/GHSA-r54g-49rx-98cr |
| RaspAP--raspap-webgui | RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product. | 2026-02-02 | not yet calculated | CVE-2026-24788 | https://github.com/RaspAP/raspap-webgui/releases https://jvn.jp/en/jp/JVN27202136/ |
| openfga--openfga | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3. | 2026-02-06 | not yet calculated | CVE-2026-24851 | https://github.com/openfga/openfga/security/advisories/GHSA-jq9f-gm9w-rwm9 https://github.com/openfga/openfga/releases/tag/v1.11.3 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.72. | 2026-02-03 | not yet calculated | CVE-2026-24887 | https://github.com/anthropics/claude-code/security/advisories/GHSA-qgqw-h4xq-7w8w |
| AlgoNetLab--OrcaStatLLM-Researcher | OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims' browsers through malicious research topic inputs. | 2026-02-06 | not yet calculated | CVE-2026-24903 | https://github.com/AlgoNetLab/OrcaStatLLM-Researcher/security/advisories/GHSA-47wv-g894-82m4 |
| ASUSTOR--ADM | The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle (MitM) attack, which may obtain the sensitive information of DDNS updating process, including the user's account email, MD5 hashed password, and device serial number. This issue affects ADM: from 4.1.0 through 4.3.3.ROF1, from 5.0.0 through 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24932 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR--ADM | The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication, potentially leading to the exposure of sensitive user information, including account emails, MD5 hashed passwords, and device serial numbers. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24933 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR--ADM | The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to spoof the response, leading the device to update its DDNS record with an incorrect IP address. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24934 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR--ADM | A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or facilitate further targeted attacks by acting as a proxy between the user and the device services. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24935 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR--ADM | When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24936 | https://www.asustor.com/security/security_advisory_detail?id=51 |
| Ajay--Better Search | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS. This issue affects Better Search: from n/a through <= 4.2.1. | 2026-02-03 | not yet calculated | CVE-2026-24938 | https://patchstack.com/database/Wordpress/Plugin/better-search/vulnerability/wordpress-better-search-plugin-4-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Chill--Modula Image Gallery | Missing Authorization vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modula Image Gallery: from n/a through <= 2.13.6. | 2026-02-03 | not yet calculated | CVE-2026-24939 | https://patchstack.com/database/Wordpress/Plugin/modula-best-grid-gallery/vulnerability/wordpress-modula-image-gallery-plugin-2-13-6-broken-access-control-vulnerability?_s_id=cve |
| Themefic--Travelfic Toolkit | Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travelfic Toolkit: from n/a through <= 1.3.3. | 2026-02-03 | not yet calculated | CVE-2026-24940 | https://patchstack.com/database/Wordpress/Plugin/travelfic-toolkit/vulnerability/wordpress-travelfic-toolkit-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| magepeopleteam--WpEvently | Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam WpEvently mage-eventpress allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through <= 5.1.1. | 2026-02-03 | not yet calculated | CVE-2026-24942 | https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Themefic--Ultimate Addons for Contact Form 7 | Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.34. | 2026-02-03 | not yet calculated | CVE-2026-24945 | https://patchstack.com/database/Wordpress/Plugin/ultimate-addons-for-contact-form-7/vulnerability/wordpress-ultimate-addons-for-contact-form-7-plugin-3-5-34-broken-access-control-vulnerability?_s_id=cve |
| LA-Studio--LA-Studio Element Kit for Elementor | Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3. | 2026-02-03 | not yet calculated | CVE-2026-24947 | https://patchstack.com/database/Wordpress/Plugin/lastudio-element-kit/vulnerability/wordpress-la-studio-element-kit-for-elementor-plugin-1-5-6-3-broken-access-control-vulnerability?_s_id=cve |
| Saad Iqbal--myCred | Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects myCred: from n/a through <= 2.9.7.3. | 2026-02-03 | not yet calculated | CVE-2026-24951 | https://patchstack.com/database/Wordpress/Plugin/mycred/vulnerability/wordpress-mycred-plugin-2-9-7-3-broken-access-control-vulnerability?_s_id=cve |
| Craig Hewitt--Seriously Simple Podcasting | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Stored XSS. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1. | 2026-02-03 | not yet calculated | CVE-2026-24952 | https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| magepeopleteam--WpEvently | Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 5.0.8. | 2026-02-03 | not yet calculated | CVE-2026-24954 | https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-0-8-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| WP Chill--Strong Testimonials | Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Strong Testimonials: from n/a through <= 3.2.20. | 2026-02-03 | not yet calculated | CVE-2026-24957 | https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-2-20-broken-access-control-vulnerability?_s_id=cve |
| Crocoblock--JetElements For Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS. This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2. | 2026-02-03 | not yet calculated | CVE-2026-24958 | https://patchstack.com/database/Wordpress/Plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Blog | Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Server Side Request Forgery. This issue affects Grand Blog: from n/a through < 3.1.5. | 2026-02-03 | not yet calculated | CVE-2026-24961 | https://patchstack.com/database/Wordpress/Theme/grandblog/vulnerability/wordpress-grand-blog-theme-3-1-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Brainstorm Force--Sigmize | Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery. This issue affects Sigmize: from n/a through <= 0.0.9. | 2026-02-03 | not yet calculated | CVE-2026-24962 | https://patchstack.com/database/Wordpress/Plugin/sigmize/vulnerability/wordpress-sigmize-plugin-0-0-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Wasiliy Strecker / ContestGallery developer--Contest Gallery | Missing Authorization vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contest Gallery: from n/a through <= 28.1.1. | 2026-02-03 | not yet calculated | CVE-2026-24965 | https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-1-broken-access-control-vulnerability?_s_id=cve |
| Copyscape--Copyscape Premium | Cross-Site Request Forgery (CSRF) vulnerability in Copyscape Copyscape Premium copyscape-premium allows Cross Site Request Forgery. This issue affects Copyscape Premium: from n/a through <= 1.4.1. | 2026-02-03 | not yet calculated | CVE-2026-24966 | https://patchstack.com/database/Wordpress/Plugin/copyscape-premium/vulnerability/wordpress-copyscape-premium-plugin-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ameliabooking--Amelia | Missing Authorization vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through <= 1.2.38. | 2026-02-03 | not yet calculated | CVE-2026-24967 | https://patchstack.com/database/Wordpress/Plugin/ameliabooking/vulnerability/wordpress-amelia-plugin-1-2-38-broken-access-control-vulnerability?_s_id=cve |
| Brainstorm Force--Spectra | Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through <= 2.19.17. | 2026-02-03 | not yet calculated | CVE-2026-24982 | https://patchstack.com/database/Wordpress/Plugin/ultimate-addons-for-gutenberg/vulnerability/wordpress-spectra-plugin-2-19-17-broken-access-control-vulnerability?_s_id=cve |
| Brecht--Visual Link Preview | Missing Authorization vulnerability in Brecht Visual Link Preview visual-link-preview allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Visual Link Preview: from n/a through <= 2.2.9. | 2026-02-03 | not yet calculated | CVE-2026-24984 | https://patchstack.com/database/Wordpress/Plugin/visual-link-preview/vulnerability/wordpress-visual-link-preview-plugin-2-2-9-broken-access-control-vulnerability?_s_id=cve |
| approveme--WP Forms Signature Contract Add-On | Missing Authorization vulnerability in approveme WP Forms Signature Contract Add-On wp-forms-signature-contract-add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Forms Signature Contract Add-On: from n/a through <= 1.8.2. | 2026-02-03 | not yet calculated | CVE-2026-24985 | https://patchstack.com/database/Wordpress/Plugin/wp-forms-signature-contract-add-on/vulnerability/wordpress-wp-forms-signature-contract-add-on-plugin-1-8-2-broken-access-control-to-notice-dismissal-vulnerability?_s_id=cve |
| wp.insider--Simple Membership WP user Import | Cross-Site Request Forgery (CSRF) vulnerability in wp.insider Simple Membership WP user Import simple-membership-wp-user-import allows Cross Site Request Forgery. This issue affects Simple Membership WP user Import: from n/a through <= 1.9.1. | 2026-02-03 | not yet calculated | CVE-2026-24986 | https://patchstack.com/database/Wordpress/Plugin/simple-membership-wp-user-import/vulnerability/wordpress-simple-membership-wp-user-import-plugin-1-9-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Brian Hogg--The Events Calendar Shortcode & Block | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Hogg The Events Calendar Shortcode & Block the-events-calendar-shortcode allows Stored XSS. This issue affects The Events Calendar Shortcode & Block: from n/a through <= 3.1.1. | 2026-02-03 | not yet calculated | CVE-2026-24988 | https://patchstack.com/database/Wordpress/Plugin/the-events-calendar-shortcode/vulnerability/wordpress-the-events-calendar-shortcode-block-plugin-3-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Fahad Mahmood--WP Docs | Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Docs: from n/a through <= 2.2.8. | 2026-02-03 | not yet calculated | CVE-2026-24990 | https://patchstack.com/database/Wordpress/Plugin/wp-docs/vulnerability/wordpress-wp-docs-plugin-2-2-8-broken-access-control-vulnerability?_s_id=cve |
| HT Plugins--Extensions For CF7 | Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Extensions For CF7: from n/a through <= 3.4.0. | 2026-02-03 | not yet calculated | CVE-2026-24991 | https://patchstack.com/database/Wordpress/Plugin/extensions-for-cf7/vulnerability/wordpress-extensions-for-cf7-plugin-3-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| WPFactory--Advanced WooCommerce Product Sales Reporting | Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Retrieve Embedded Sensitive Data. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.2. | 2026-02-03 | not yet calculated | CVE-2026-24992 | https://patchstack.com/database/Wordpress/Plugin/webd-woocommerce-advanced-reporting-statistics/vulnerability/wordpress-advanced-woocommerce-product-sales-reporting-plugin-4-1-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| sunshinephotocart--Sunshine Photo Cart | Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.2. | 2026-02-03 | not yet calculated | CVE-2026-24994 | https://patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-5-7-2-broken-access-control-vulnerability?_s_id=cve |
| Iulia Cazan--Latest Post Shortcode | Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Latest Post Shortcode: from n/a through <= 14.2.0. | 2026-02-03 | not yet calculated | CVE-2026-24995 | https://patchstack.com/database/Wordpress/Plugin/latest-post-shortcode/vulnerability/wordpress-latest-post-shortcode-plugin-14-2-0-broken-access-control-vulnerability?_s_id=cve |
| wpelemento--WPElemento Importer | Missing Authorization vulnerability in wpelemento WPElemento Importer wpelemento-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPElemento Importer: from n/a through <= 0.6.4. | 2026-02-03 | not yet calculated | CVE-2026-24996 | https://patchstack.com/database/Wordpress/Plugin/wpelemento-importer/vulnerability/wordpress-wpelemento-importer-plugin-0-6-4-broken-access-control-vulnerability?_s_id=cve |
| Wired Impact--Wired Impact Volunteer Management | Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8. | 2026-02-03 | not yet calculated | CVE-2026-24997 | https://patchstack.com/database/Wordpress/Plugin/wired-impact-volunteer-management/vulnerability/wordpress-wired-impact-volunteer-management-plugin-2-8-broken-access-control-vulnerability?_s_id=cve |
| WPMU DEV - Your All-in-One WordPress Platform--Hustle | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data. This issue affects Hustle: from n/a through <= 7.8.9.2. | 2026-02-03 | not yet calculated | CVE-2026-24998 | https://patchstack.com/database/Wordpress/Plugin/wordpress-popup/vulnerability/wordpress-hustle-plugin-7-8-9-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| ILLID--Share This Image | Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Share This Image: from n/a through <= 2.09. | 2026-02-03 | not yet calculated | CVE-2026-25010 | https://patchstack.com/database/Wordpress/Plugin/share-this-image/vulnerability/wordpress-share-this-image-plugin-2-09-broken-access-control-vulnerability?_s_id=cve |
| Northern Beaches Websites--WP Custom Admin Interface | Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Custom Admin Interface: from n/a through <= 7.41. | 2026-02-03 | not yet calculated | CVE-2026-25011 | https://patchstack.com/database/Wordpress/Plugin/wp-custom-admin-interface/vulnerability/wordpress-wp-custom-admin-interface-plugin-7-41-broken-access-control-vulnerability?_s_id=cve |
| gfazioli--WP Bannerize Pro | Missing Authorization vulnerability in gfazioli WP Bannerize Pro wp-bannerize-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Bannerize Pro: from n/a through <= 1.11.0. | 2026-02-03 | not yet calculated | CVE-2026-25012 | https://patchstack.com/database/Wordpress/Plugin/wp-bannerize-pro/vulnerability/wordpress-wp-bannerize-pro-plugin-1-11-0-broken-access-control-vulnerability?_s_id=cve |
| themelooks--Enter Addons | Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery. This issue affects Enter Addons: from n/a through <= 2.3.2. | 2026-02-03 | not yet calculated | CVE-2026-25014 | https://patchstack.com/database/Wordpress/Plugin/enteraddons/vulnerability/wordpress-enter-addons-plugin-2-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Stiofan--UsersWP | Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery. This issue affects UsersWP: from n/a through <= 1.2.53. | 2026-02-03 | not yet calculated | CVE-2026-25015 | https://patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-plugin-1-2-53-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Nelio Software--Nelio Popups | Missing Authorization vulnerability in Nelio Software Nelio Popups nelio-popups allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nelio Popups: from n/a through <= 1.3.5. | 2026-02-03 | not yet calculated | CVE-2026-25016 | https://patchstack.com/database/Wordpress/Plugin/nelio-popups/vulnerability/wordpress-nelio-popups-plugin-1-3-5-broken-access-control-vulnerability?_s_id=cve |
| Vito Peleg--Atarim | Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Atarim: from n/a through <= 4.3.1. | 2026-02-03 | not yet calculated | CVE-2026-25019 | https://patchstack.com/database/Wordpress/Plugin/atarim-visual-collaboration/vulnerability/wordpress-atarim-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve |
| WP connect--WP Sync for Notion | Missing Authorization vulnerability in WP connect WP Sync for Notion wp-sync-for-notion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Sync for Notion: from n/a through <= 1.7.0. | 2026-02-03 | not yet calculated | CVE-2026-25020 | https://patchstack.com/database/Wordpress/Plugin/wp-sync-for-notion/vulnerability/wordpress-wp-sync-for-notion-plugin-1-7-0-broken-access-control-vulnerability?_s_id=cve |
| Mizan Themes--Mizan Demo Importer | Missing Authorization vulnerability in Mizan Themes Mizan Demo Importer mizan-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mizan Demo Importer: from n/a through <= 0.1.3. | 2026-02-03 | not yet calculated | CVE-2026-25021 | https://patchstack.com/database/Wordpress/Plugin/mizan-demo-importer/vulnerability/wordpress-mizan-demo-importer-plugin-0-1-3-broken-access-control-vulnerability?_s_id=cve |
| Iqonic Design--KiviCare | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Blind SQL Injection. This issue affects KiviCare: from n/a through <= 3.6.16. | 2026-02-03 | not yet calculated | CVE-2026-25022 | https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-16-sql-injection-vulnerability?_s_id=cve |
| mdedev--Run Contests, Raffles, and Giveaways with ContestsWP | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Retrieve Embedded Sensitive Data. This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through <= 2.0.7. | 2026-02-03 | not yet calculated | CVE-2026-25023 | https://patchstack.com/database/Wordpress/Plugin/contest-code-checker/vulnerability/wordpress-run-contests-raffles-and-giveaways-with-contestswp-plugin-2-0-7-sensitive-data-exposure-vulnerability?_s_id=cve |
| Blair Williams--ThirstyAffiliates | Cross-Site Request Forgery (CSRF) vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Cross Site Request Forgery. This issue affects ThirstyAffiliates: from n/a through <= 3.11.9. | 2026-02-03 | not yet calculated | CVE-2026-25024 | https://patchstack.com/database/Wordpress/Plugin/thirstyaffiliates/vulnerability/wordpress-thirstyaffiliates-plugin-3-11-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ThemeMove--Unicamp | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through <= 2.7.1. | 2026-02-03 | not yet calculated | CVE-2026-25027 | https://patchstack.com/database/Wordpress/Theme/unicamp/vulnerability/wordpress-unicamp-theme-2-7-1-local-file-inclusion-vulnerability?_s_id=cve |
| Element Invader--ElementInvader Addons for Elementor | Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.4.1. | 2026-02-03 | not yet calculated | CVE-2026-25028 | https://patchstack.com/database/Wordpress/Plugin/elementinvader-addons-for-elementor/vulnerability/wordpress-elementinvader-addons-for-elementor-plugin-1-4-1-broken-access-control-vulnerability?_s_id=cve |
| WP Chill--Passster | Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Passster: from n/a through <= 4.2.25. | 2026-02-03 | not yet calculated | CVE-2026-25036 | https://patchstack.com/database/Wordpress/Plugin/content-protector/vulnerability/wordpress-passster-plugin-4-2-25-broken-access-control-vulnerability?_s_id=cve |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2. | 2026-02-04 | not yet calculated | CVE-2026-25049 | https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8 https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2. | 2026-02-04 | not yet calculated | CVE-2026-25051 | https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx https://github.com/n8n-io/n8n/commit/ced34c0f93ab4c759a56065965986094d8ef7323 https://github.com/n8n-io/n8n/commit/e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance. This issue has been patched in versions 1.123.18 and 2.5.0. | 2026-02-04 | not yet calculated | CVE-2026-25052 | https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.10 and 2.5.0, vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host. This issue has been patched in versions 1.123.10 and 2.5.0. | 2026-02-04 | not yet calculated | CVE-2026-25053 | https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in versions 1.123.9 and 2.2.1. | 2026-02-04 | not yet calculated | CVE-2026-25054 | https://github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata the vulnerability can lead to files being written to unintended locations on those remote systems potentially leading to remote code execution on those systems. As a prerequisites an unauthenticated attacker needs knowledge of such workflows existing and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0. | 2026-02-04 | not yet calculated | CVE-2026-25055 | https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0. | 2026-02-04 | not yet calculated | CVE-2026-25056 | https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execute code outside the intended security boundary. This issue has been patched in version 2.4.8. | 2026-02-04 | not yet calculated | CVE-2026-25115 | https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h |
| Intermesh--groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5. | 2026-02-02 | not yet calculated | CVE-2026-25134 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849 https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b |
| RIOT-OS--RIOT | RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds read allow any unauthenticated user, with ability to send or manipulate input packets, to read adjacent memory locations, or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating the packet is large enough to contain the struct object. At time of publication, no known patch exists. | 2026-02-04 | not yet calculated | CVE-2026-25139 | https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c8fh-23qr-97mc |
| QwikDev--qwik | Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0. | 2026-02-03 | not yet calculated | CVE-2026-25148 | https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094 |
| QwikDev--qwik | Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0. | 2026-02-03 | not yet calculated | CVE-2026-25149 | https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed |
| web2py--web2py | web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack. | 2026-02-05 | not yet calculated | CVE-2026-25198 | https://github.com/web2py/web2py/commit/b4e1ddbd6d40fb30863f6263a67bcdf411a0c6df https://github.com/web2py/web2py/releases https://web2py.com/ https://jvn.jp/en/jp/JVN46925341/ |
| polarnl--PolarLearn | PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forgery (CSRF). The application fails to implement and verify the state parameter during the authentication flow. This allows an attacker to pre-authenticate a session and trick a victim into logging into the attacker's account. Any data the victim then enters or academic progress they make is stored on the attacker's account, leading to data loss for the victim and information disclosure to the attacker. | 2026-02-02 | not yet calculated | CVE-2026-25221 | https://github.com/polarnl/PolarLearn/security/advisories/GHSA-fhhm-574m-7rpw https://github.com/polarnl/PolarLearn/commit/44669bbb5b647c7625f22dd82f3121c7d7bfbe19 |
| polarnl--PolarLearn | PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms). | 2026-02-02 | not yet calculated | CVE-2026-25222 | https://github.com/polarnl/PolarLearn/security/advisories/GHSA-wcr9-mvr9-4qh5 https://github.com/polarnl/PolarLearn/commit/6c276855172c7310cce0df996cb47ffe0d886741 |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25233 | https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3 |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25234 | https://github.com/pear/pearweb/security/advisories/GHSA-q28j-3p7r-6722 |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25235 | https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25236 | https://github.com/pear/pearweb/security/advisories/GHSA-95mc-p966-c29f |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25237 | https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23 |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25238 | https://github.com/pear/pearweb/security/advisories/GHSA-cv3c-27h5-7gmv |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25239 | https://github.com/pear/pearweb/security/advisories/GHSA-f9mg-x463-3vxg |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25240 | https://github.com/pear/pearweb/security/advisories/GHSA-xw9g-5gr2-c44f |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25241 | https://github.com/pear/pearweb/security/advisories/GHSA-63fv-vpq5-gv8p |
| langroid--langroid | Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32. | 2026-02-04 | not yet calculated | CVE-2026-25481 | https://github.com/langroid/langroid/security/advisories/GHSA-x34r-63hx-w57f https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj https://github.com/langroid/langroid/commit/30abbc1a854dee22fbd2f8b2f575dfdabdb603ea |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25482 | https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65 https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce's Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25483 | https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25484 | https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25485 | https://github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3 https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25486 | https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22 https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25487 | https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25488 | https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8 https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25489 | https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25490 | https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| bpg--terraform-provider-proxmox | Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1. | 2026-02-04 | not yet calculated | CVE-2026-25499 | https://github.com/bpg/terraform-provider-proxmox/security/advisories/GHSA-gwch-7m8v-7544 https://github.com/bpg/terraform-provider-proxmox/commit/bd604c41a31e2a55dd6acc01b0608be3ea49c023 |
| Intermesh--groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built‑in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5. | 2026-02-04 | not yet calculated | CVE-2026-25511 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3 |
| Intermesh--groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5. | 2026-02-04 | not yet calculated | CVE-2026-25512 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4 http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792 |
| NeoRazorX--facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81. | 2026-02-04 | not yet calculated | CVE-2026-25513 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-cjfx-qhwm-hf99 https://github.com/NeoRazorX/facturascripts/commit/1b6cdfa9ee1bb3365ea4a4ad753452035a027605 |
| NeoRazorX--facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81. | 2026-02-04 | not yet calculated | CVE-2026-25514 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952 https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f |
| wagtail--wagtail | Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3. | 2026-02-04 | not yet calculated | CVE-2026-25517 | https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348 https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719 https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190 https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915 https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03 |
| locutusjs--locutus | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39. | 2026-02-04 | not yet calculated | CVE-2026-25521 | https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25522 | https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| agentfront--enclave | Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior or the vm module and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1. | 2026-02-06 | not yet calculated | CVE-2026-25533 | https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf |
| Keats--jsonwebtoken | jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library's internal parsing mechanism marks the claim as "FailedToParse". Crucially, the validation logic treats this "FailedToParse" state identically to "NotPresent". This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like "Not Before" checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0. | 2026-02-04 | not yet calculated | CVE-2026-25537 | https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01 |
| devtron-labs--devtron | Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26. | 2026-02-04 | not yet calculated | CVE-2026-25538 | https://github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2 https://github.com/devtron-labs/devtron/commit/d2b0d260d858ab1354b73a8f50f7f078ca62706f |
| tokio-rs--bytes | Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB. This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks. This issue has been patched in version 1.11.1. | 2026-02-04 | not yet calculated | CVE-2026-25541 | https://github.com/tokio-rs/bytes/security/advisories/GHSA-434x-w66g-qw3r https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f https://github.com/tokio-rs/bytes/releases/tag/v1.11.1 https://rustsec.org/advisories/RUSTSEC-2026-0007.html |
| mganss--HtmlSanitizer | HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta. | 2026-02-04 | not yet calculated | CVE-2026-25543 | https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81 https://www.nuget.org/packages/HtmlSanitizer/9.0.892 https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta |
| isaacs--brace-expansion | @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1. | 2026-02-04 | not yet calculated | CVE-2026-25547 | https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2 |
| Artifex Software--MuPDF | MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes. | 2026-02-06 | not yet calculated | CVE-2026-25556 | https://bugs.ghostscript.com/show_bug.cgi?id=709029 https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1 https://mupdf.com/ https://www.vulncheck.com/advisories/mupdf-barcode-decoding-double-free |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication. | 2026-02-07 | not yet calculated | CVE-2026-25560 | https://github.com/wekan/wekan/commit/0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-ldap-authentication-filter-injection |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships. | 2026-02-07 | not yet calculated | CVE-2026-25561 | https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-attachment-upload-object-relationship-validation-bypass |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users. | 2026-02-07 | not yet calculated | CVE-2026-25562 | https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. | 2026-02-07 | not yet calculated | CVE-2026-25563 | https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. | 2026-02-07 | not yet calculated | CVE-2026-25564 | https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access. | 2026-02-07 | not yet calculated | CVE-2026-25565 | https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-read-only-board-roles-can-update-cards |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves. | 2026-02-07 | not yet calculated | CVE-2026-25566 | https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-cross-board-card-move-without-destination-authorization |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier. | 2026-02-07 | not yet calculated | CVE-2026-25567 | https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62d https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-card-comment-author-spoofing-via-user-controlled-authorid |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement. | 2026-02-07 | not yet calculated | CVE-2026-25568 | https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass |
| TUM-Dev--NavigaTUM | NavigaTUM is a website and API to search for rooms, buildings and other places. Prior to commit 86f34c7, there is a path traversal vulnerability in the propose_edits endpoint allows unauthenticated users to overwrite files in directories writable by the application user (e.g., /cdn). By supplying unsanitized file keys containing traversal sequences (e.g., ../../) in the JSON payload, an attacker can escape the intended temporary directory and replace public facing images or fill the server's storage. This issue has been patched via commit 86f34c7. | 2026-02-04 | not yet calculated | CVE-2026-25575 | https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm https://github.com/TUM-Dev/NavigaTUM/pull/2650 https://github.com/TUM-Dev/NavigaTUM/commit/86f34c72886a59ec8f1e6c00f78a5ab889a70fd0 |
| navidrome--navidrome | Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0. | 2026-02-04 | not yet calculated | CVE-2026-25579 | https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3 https://github.com/navidrome/navidrome/releases/tag/v0.60.0 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to 1.121.0, there is a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This only might affect user who have credentials that use wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting. This issue is fixed in version 1.121.0 and later. | 2026-02-06 | not yet calculated | CVE-2026-25631 | https://github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h |
| smn2gnt--MCP-Salesforce | MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10. | 2026-02-06 | not yet calculated | CVE-2026-25650 | https://github.com/smn2gnt/MCP-Salesforce/security/advisories/GHSA-vf6j-c56p-cq58 https://github.com/smn2gnt/MCP-Salesforce/commit/a1e3a5a786f48508d066b6d40b58201ebf9b7fd6 https://github.com/smn2gnt/MCP-Salesforce/releases/tag/v0.1.10 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.57. | 2026-02-06 | not yet calculated | CVE-2026-25722 | https://github.com/anthropics/claude-code/security/advisories/GHSA-66q4-vfjg-2qhh |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this required the ability to execute commands through Claude Code with the "accept edits" feature enabled. This issue has been patched in version 2.0.55. | 2026-02-06 | not yet calculated | CVE-2026-25723 | https://github.com/anthropics/claude-code/security/advisories/GHSA-mhg7-666j-cqg4 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7. | 2026-02-06 | not yet calculated | CVE-2026-25724 | https://github.com/anthropics/claude-code/security/advisories/GHSA-4q92-rfm6-2cqx |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2. | 2026-02-06 | not yet calculated | CVE-2026-25725 | https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf |
| time-rs--time | time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack. | 2026-02-06 | not yet calculated | CVE-2026-25727 | https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05 https://github.com/time-rs/time/releases/tag/v0.3.47 |
| lintsinghua--DeepAudit | DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresses, phone numbers, full names, and role information. | 2026-02-06 | not yet calculated | CVE-2026-25729 | https://github.com/lintsinghua/DeepAudit/security/advisories/GHSA-vmmm-48w2-q56q https://github.com/lintsinghua/DeepAudit/commit/b2a3b26579d3fdbab5236ae12ed67ae2313175fd |
| frangoteam--FUXA | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10. | 2026-02-06 | not yet calculated | CVE-2026-25751 | https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx https://github.com/frangoteam/FUXA/releases/tag/v1.2.10 |
| frangoteam--FUXA | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnected devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10. | 2026-02-06 | not yet calculated | CVE-2026-25752 | https://github.com/frangoteam/FUXA/security/advisories/GHSA-ggxw-g3cp-mgf8 https://github.com/frangoteam/FUXA/releases/tag/v1.2.10 |
| Praskla-Technology--assessment-placipy | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known. | 2026-02-06 | not yet calculated | CVE-2026-25753 | https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2 |
| spree--spree | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2. | 2026-02-06 | not yet calculated | CVE-2026-25757 | https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9 https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8 https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45 |
| spree--spree | Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2. | 2026-02-06 | not yet calculated | CVE-2026-25758 | https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6 https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734 https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8 https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748 https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96 |
| opf--openproject | OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject's repository changes endpoint (/projects/:project_id/repository/changes) when rendering the "latest changes" view via git log. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3. | 2026-02-06 | not yet calculated | CVE-2026-25763 | https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7 https://github.com/opf/openproject/releases/tag/v16.6.7 https://github.com/opf/openproject/releases/tag/v17.0.3 |
| slackhq--nebula | Nebula is a scalable overlay networking tool. In versions from 1.7.0 to 1.10.2, when using P256 certificates (which is not the default configuration), it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. This issue has been patched in version 1.10.3. | 2026-02-06 | not yet calculated | CVE-2026-25793 | https://github.com/slackhq/nebula/security/advisories/GHSA-69x3-g4r3-p962 https://github.com/slackhq/nebula/commit/f573e8a26695278f9d71587390fbfe0d0933aa21 |
| antrea-io--antrea | Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority calculations when handling a large numbers of policies with various priority values. This results in potentially incorrect traffic enforcement. This issue has been patched in versions 2.4.3. | 2026-02-06 | not yet calculated | CVE-2026-25804 | https://github.com/antrea-io/antrea/security/advisories/GHSA-86x4-wp9f-wrr9 https://github.com/antrea-io/antrea/pull/7496 https://github.com/antrea-io/antrea/commit/86c4b6010f3be536866f339b632621c23d7186fa |
| Shenzhen Tenda Technology--Tenda G300-F | Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process. | 2026-02-07 | not yet calculated | CVE-2026-25857 | https://blog.evan.lat/blog/cve-2026-25857/ https://www.tendacn.com/material/show/736333682028613 https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag |
| macrozheng--mall | macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim's telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number. | 2026-02-07 | not yet calculated | CVE-2026-25858 | https://github.com/macrozheng/mall/issues/946 https://www.macrozheng.com/ https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure |
| WeKan--WeKan | Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations. | 2026-02-07 | not yet calculated | CVE-2026-25859 | https://github.com/wekan/wekan/commit/cbb1cd78de3e40264a5e047ace0ce27f8635b4e6 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-migration-functionality-insufficient-permission-checks |
Vulnerability Summary for the Week of January 26, 2026
Posted on Monday February 02, 2026
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10-Strike Software--Bandwidth Monitor | 10-Strike Bandwidth Monitor 3.9 contains a buffer overflow vulnerability that allows attackers to bypass SafeSEH, ASLR, and DEP protections through carefully crafted input. Attackers can exploit the vulnerability by sending a malicious payload to the application's registration key input, enabling remote code execution and launching arbitrary system commands. | 2026-01-30 | 9.8 | CVE-2020-37043 | ExploitDB-48570 Product Webpage VulnCheck Advisory: 10-Strike Bandwidth Monitor 3.9 - Buffer Overflow |
| 10-Strike Software--Network Inventory Explorer | 10-Strike Network Inventory Explorer 8.65 contains a buffer overflow vulnerability in exception handling that allows remote attackers to execute arbitrary code. Attackers can craft a malicious file with 209 bytes of padding and a specially constructed Structured Exception Handler to trigger code execution. | 2026-01-28 | 9.8 | CVE-2020-36961 | ExploitDB-49134 10-Strike Network Inventory Explorer Vendor Homepage VulnCheck Advisory: 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH) |
| 10-Strike--Bandwidth Monitor | 10-Strike Bandwidth Monitor 3.9 contains an unquoted service path vulnerability in multiple services that allows local attackers to escalate privileges. Attackers can place a malicious executable in specific file path locations to achieve privilege escalation to SYSTEM during service startup. | 2026-01-29 | 7.8 | CVE-2020-37021 | ExploitDB-48591 Vendor Homepage VulnCheck Advisory: Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path |
| Acer--Global Registration Service | Acer Global Registration Service 1.0.0.3 contains an unquoted service path vulnerability in its service configuration that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Acer\Registration\ to inject malicious executables that would run with elevated LocalSystem privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36976 | ExploitDB-49142 Acer Official Homepage VulnCheck Advisory: Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path |
| Ajenti Project--Ajenti | Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a specified IP and port. | 2026-01-29 | 9.8 | CVE-2020-37002 | ExploitDB-48929 Ajenti GitHub Repository VulnCheck Advisory: Ajenti 2.1.36 - Remote Code Execution |
| Akn Software Computer Import Export Industry and Trade Ltd.--QR Menu | Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12. | 2026-01-29 | 8 | CVE-2025-7016 | https://www.usom.gov.tr/bildirim/tr-26-0006 |
| aliasrobotics--cai | Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a "safe" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix. | 2026-01-30 | 9.7 | CVE-2026-25130 | https://github.com/aliasrobotics/cai/security/advisories/GHSA-jfpc-wj3m-qw2m https://github.com/aliasrobotics/cai/commit/e22a1220f764e2d7cf9da6d6144926f53ca01cde https://github.com/aliasrobotics/cai/blob/559de8fcbc2b44f3b0360f35ffdc2bb975e7d7e4/src/cai/tools/reconnaissance/filesystem.py#L60 |
| amitkolloldey--e-learning PHP Script | e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. Attackers can inject malicious SQL code in the 'search' parameter to potentially extract, modify, or access sensitive database information. | 2026-01-30 | 8.2 | CVE-2020-37035 | ExploitDB-48629 Vendor Homepage VulnCheck Advisory: e-learning Php Script 0.1.0 - 'search' SQL Injection |
| ammarfaizi2--Tea LaTex | Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API action. | 2026-01-29 | 9.8 | CVE-2020-37012 | ExploitDB-48805 Vendor Homepage VulnCheck Advisory: Tea LaTex 1.0 - Remote Code Execution |
| Andrea Electronics--Andrea ST Filters Service | Andrea ST Filters Service 1.0.64.7 contains an unquoted service path vulnerability in its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code that will execute with elevated LocalSystem privileges during service startup. | 2026-01-30 | 7.8 | CVE-2020-37058 | ExploitDB-48396 Andrea Electronics Official Homepage VulnCheck Advisory: Andrea ST Filters Service 1.0.64.7 - Unquoted service path |
| Arcadia Technology, LLC--Crafty Controller | An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. | 2026-01-30 | 9.9 | CVE-2026-0963 | GitLab Issue #660 |
| Arcadia Technology, LLC--Crafty Controller | An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. | 2026-01-30 | 8.2 | CVE-2026-0805 | GitLab Issue #650 |
| asc Applied Software Consultants, s.r.o.--asc Timetables | aSc TimeTables 2021.6.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting subject title fields with excessive data. Attackers can generate a 10,000-character buffer and paste it into the subject title to trigger application instability and potential crash. | 2026-01-28 | 7.5 | CVE-2020-36943 | ExploitDB-49147 Vendor Homepage Software Download Page VulnCheck Advisory: aSc TimeTables 2021.6.2 - Denial of Service |
| Ashkon Software--Simple Startup Manager | Simple Startup Manager 1.17 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory through the 'File' input parameter. Attackers can craft a malicious payload with 268 bytes to trigger code execution, bypassing DEP and overwriting memory addresses to launch calc.exe. | 2026-01-30 | 8.4 | CVE-2020-37031 | ExploitDB-48678 Product Webpage VulnCheck Advisory: Simple Startup Manager 1.17 - 'File' Local Buffer Overflow |
| Atheros--Coex Service Application | Atheros Coex Service Application 8.0.0.255 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path by placing malicious executables in the service path to gain elevated system privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36979 | ExploitDB-49053 Vendor Homepage Software Download Link VulnCheck Advisory: Atheros Coex Service Application 8.0.0.255 -'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path |
| avalanche123--Cassandra Web | Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating path traversal parameters. Attackers can exploit the disabled Rack::Protection module to read sensitive system files like /etc/passwd and retrieve Apache Cassandra database credentials. | 2026-01-27 | 7.5 | CVE-2020-36939 | ExploitDB-49362 Cassandra Web GitHub Repository Cassandra Web RubyGems Package VulnCheck Advisory: Cassandra Web 0.5.0 - Remote File Read |
| Avast--AVAST SecureLine | Avast SecureLine 5.5.522.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup. | 2026-02-01 | 7.8 | CVE-2020-37037 | ExploitDB-48249 Avast Official Homepage VulnCheck Advisory: AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path |
| backstage--backstage | Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package. | 2026-01-30 | 7.7 | CVE-2026-25153 | https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf |
| Barcode-Ocr--BarcodeOCR | BarcodeOCR 19.3.6 contains an unquoted service path vulnerability that allows local attackers to execute code with elevated privileges during system startup. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will run with LocalSystem privileges. | 2026-01-29 | 7.8 | CVE-2020-37016 | ExploitDB-48740 BarcodeOCR Official Homepage VulnCheck Advisory: BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path |
| BearshareOfficial--BearShare Lite | BearShare Lite 5.2.5 contains a buffer overflow vulnerability in the Advanced Search keywords input that allows attackers to execute arbitrary code. Attackers can craft a specially designed payload to overwrite the EIP register and execute shellcode by pasting malicious content into the search keywords field. | 2026-01-29 | 9.8 | CVE-2020-37010 | ExploitDB-48839 Official BearShare Homepage BearShare Lite 5.2.5 Download Page VulnCheck Advisory: BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC) |
| Beckhoff Automation--Beckhoff.Device.Manager.XAR | A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes. | 2026-01-27 | 8.8 | CVE-2025-41726 | https://certvde.com/de/advisories/VDE-2025-092 |
| Beckhoff Automation--Beckhoff.Device.Manager.XAR | A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access. | 2026-01-27 | 7.8 | CVE-2025-41727 | https://certvde.com/de/advisories/VDE-2025-092 |
| bentoml--BentoML | BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. Version 1.4.34 contains a patch for the issue. | 2026-01-26 | 7.4 | CVE-2026-24123 | https://github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf https://github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4 https://github.com/bentoml/BentoML/releases/tag/v1.4.34 |
| bloompixel--TableMaster for Elementor Advanced Responsive Tables for Elementor | The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config.php via the 'csv_url' parameter. | 2026-01-28 | 7.2 | CVE-2025-14610 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ef07d6b0-ccdb-4b33-817f-6d4b3ad96243?source=cve https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/trunk/modules/data-table/widgets/data-table.php#L446 https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/tags/1.3.6/modules/data-table/widgets/data-table.php#L446 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442158%40tablemaster-for-elementor&new=3442158%40tablemaster-for-elementor&sfp_email=&sfph_mail= |
| Broadcom--Symantec Web Security Services Agent | WSS Agent, prior to 9.8.5, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | 2026-01-28 | 7 | CVE-2025-13917 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36778 |
| C4illin--ConvertX | ConvertXis a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue. | 2026-01-27 | 8.1 | CVE-2026-24741 | https://github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp https://github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue. | 2026-01-30 | 8.8 | CVE-2026-24854 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38 |
| Cleanersoft Software--Free MP3 CD Ripper | Free MP3 CD Ripper 2.8 contains a stack buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting a malicious WAV file with oversized payload. Attackers can leverage a specially crafted exploit file with shellcode, SEH bypass, and egghunter technique to achieve remote code execution on vulnerable Windows systems. | 2026-01-29 | 9.8 | CVE-2020-37000 | ExploitDB-48696 Vendor Homepage VulnCheck Advisory: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter) |
| code-projects--Online Examination System | A vulnerability was found in code-projects Online Examination System 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login Page. Performing a manipulation of the argument User results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2026-01-26 | 7.3 | CVE-2026-1422 | VDB-342838 | code-projects Online Examination System Login Page index.php sql injection VDB-342838 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736606 | code-projects Online Examination System 1 SQL Injection https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-2-sql-injection-on-login-page https://code-projects.org/ |
| code-projects--Online Music Site | A flaw has been found in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminDeleteUser.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2026-01-26 | 7.3 | CVE-2026-1443 | VDB-342872 | code-projects Online Music Site AdminDeleteUser.php sql injection VDB-342872 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736967 | code-projects Online Music Site V1.0 SQL Injection https://github.com/Volije/cve/issues/1 https://code-projects.org/ |
| code-projects--Online Music Site | A weakness has been identified in code-projects Online Music Site 1.0. This affects an unknown function of the file /Administrator/PHP/AdminEditUser.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-28 | 7.3 | CVE-2026-1534 | VDB-343220 | code-projects Online Music Site AdminEditUser.php sql injection VDB-343220 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #738705 | Code-Projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/yuji0903/silver-guide/issues/3 https://code-projects.org/ |
| code-projects--Online Music Site | A security vulnerability has been detected in code-projects Online Music Site 1.0. This impacts an unknown function of the file /Administrator/PHP/AdminReply.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-01-28 | 7.3 | CVE-2026-1535 | VDB-343221 | code-projects Online Music Site AdminReply.php sql injection VDB-343221 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #738706 | Code-Projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/yuji0903/silver-guide/issues/4 https://code-projects.org/ |
| Code::Blocks--Code::Blocks | Code Blocks 17.12 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious file name with Unicode characters. Attackers can trigger the vulnerability by pasting a specially crafted payload into the file name field during project creation, potentially executing system commands like calc.exe. | 2026-01-30 | 8.4 | CVE-2020-37040 | ExploitDB-48594 Code Blocks Official Website Code Blocks SourceForge Page VulnCheck Advisory: Code Blocks 17.12 - 'File Name' Local Buffer Overflow |
| Code::Blocks--Code::Blocks | Code Blocks 20.03 contains a denial of service vulnerability that allows attackers to crash the application by manipulating input in the FSymbols search field. Attackers can paste a large payload of 5000 repeated characters into the search field to trigger an application crash. | 2026-01-30 | 7.5 | CVE-2020-37038 | ExploitDB-48617 Code Blocks Official Homepage Code Blocks SourceForge Page VulnCheck Advisory: Code Blocks 20.03 - Denial Of Service |
| codexcube--Ultimate Project Manager CRM PRO | Ultimate Project Manager CRM PRO 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques. | 2026-01-29 | 8.2 | CVE-2020-37004 | ExploitDB-48912 Ultimate Project Manager CRM PRO Vendor Homepage VulnCheck Advisory: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage |
| Codriapp Innovation and Software Technologies Inc.--HeyGarson | Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping. This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted several times to verifying fixing process but did not respond in any way. | 2026-01-30 | 8.2 | CVE-2025-1395 | https://www.usom.gov.tr/bildirim/tr-26-0009 |
| crm-now GmbH--berliCRM | berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information. | 2026-01-29 | 8.2 | CVE-2020-37006 | ExploitDB-48872 Vendor Homepage VulnCheck Advisory: berliCRM 1.0.24 - 'src_record' SQL Injection |
| Crystal Shard--http-protection | Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access. | 2026-01-30 | 9.8 | CVE-2020-37056 | ExploitDB-48533 HTTP Protection Crystal Shard Repository VulnCheck Advisory: Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass |
| D-Link--DIR-615 | A vulnerability was detected in D-Link DIR-615 up to 4.10. This impacts an unknown function of the file /wiz_policy_3_machine.php of the component Web Management Interface. Performing a manipulation of the argument ipaddr results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-26 | 7.2 | CVE-2026-1448 | VDB-342880 | D-Link DIR-615 Web Management wiz_policy_3_machine.php os command injection VDB-342880 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #737006 | Dlink DIR615 Firmware v4.10 and earlier (DIR-615 Rev D) OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-v4-10-2e7e5dd4c5a580a5aac5c8ce35933396?pvs=73 https://www.dlink.com/ |
| D-Link--DIR-615 | A vulnerability was found in D-Link DIR-615 4.10. This issue affects some unknown processing of the file /set_temp_nodes.php of the component URL Filter. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 7.2 | CVE-2026-1505 | VDB-343117 | D-Link DIR-615 URL Filter set_temp_nodes.php os command injection VDB-343117 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #737061 | Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/D-Link-DIR-615-2e7e5dd4c5a580109a14fdeb6f105cd6 https://www.dlink.com/ |
| D-Link--DIR-615 | A vulnerability was determined in D-Link DIR-615 4.10. Impacted is an unknown function of the file /adv_mac_filter.php of the component MAC Filter Configuration. This manipulation of the argument mac causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 7.2 | CVE-2026-1506 | VDB-343118 | D-Link DIR-615 MAC Filter Configuration adv_mac_filter.php os command injection VDB-343118 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #737078 | Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-MAC_FILTER-2e7e5dd4c5a58091b027f50271cc7c6a https://www.dlink.com/ |
| Dassault Systmes--SOLIDWORKS eDrawings | A Heap-based Buffer Overflow vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. | 2026-01-26 | 7.8 | CVE-2026-1283 | https://www.3ds.com/trust-center/security/security-advisories/cve-2026-1283 |
| Dassault Systmes--SOLIDWORKS eDrawings | An Out-Of-Bounds Write vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. | 2026-01-26 | 7.8 | CVE-2026-1284 | https://www.3ds.com/trust-center/security/security-advisories/cve-2026-1284 |
| Deepinstinct--Deep Instinct Windows Agent | Deep Instinct Windows Agent 1.2.29.0 contains an unquoted service path vulnerability in the DeepMgmtService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepMgmtService.exe to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-02-01 | 7.8 | CVE-2020-37047 | ExploitDB-48174 Deep Instinct Official Homepage VulnCheck Advisory: Deep Instinct Windows Agent 1.2.29.0 - 'DeepMgmtService' Unquoted Service Path |
| Dell--CloudBoost Virtual Appliance | Dell CloudBoost Virtual Appliance, versions prior to 19.14.0.0, contains a Plaintext Storage of Password vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-27 | 7 | CVE-2026-21417 | https://www.dell.com/support/kbdoc/en-us/000419894/dsa-2026-025-security-update-for-dell-cloudboost-virtual-appliance-multiple-vulnerabilities |
| Dell--PremierColor | Dell PremierColor Panel Driver, versions prior to 1.0.0.1 A01, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2026-01-28 | 7.8 | CVE-2025-46691 | https://www.dell.com/support/kbdoc/en-us/000394670/dsa-2025-444?lang=en |
| Dell--Unity | Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | 2026-01-30 | 7.8 | CVE-2026-21418 | https://www.dell.com/support/kbdoc/en-us/000421197/dsa-2026-054-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities |
| Dell--UnityVSA | Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | 2026-01-30 | 7.8 | CVE-2026-22277 | https://www.dell.com/support/kbdoc/en-us/000421197/dsa-2026-054-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities |
| Delta Electronics--ASDA-Soft | ASDA-Soft Stack-based Buffer Overflow Vulnerability | 2026-01-27 | 7.8 | CVE-2026-1361 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00003_ASDA-Soft%20Stack-based%20Buffer%20Overflow%20Vulnerability%20(CVE-2026-1361).pdf |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | 7.1 | CVE-2025-68479 | https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327 |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | 7.6 | CVE-2025-68662 | https://github.com/discourse/discourse/security/advisories/GHSA-gcfp-rjfc-925c |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 9.1 | CVE-2026-24838 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-w9pf-h6m6-v89h |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 7.7 | CVE-2026-24833 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-9r3h-mpf8-25gj |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 7.7 | CVE-2026-24836 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2g5g-hcgh-q3rp |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 7.7 | CVE-2026-24837 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-vm5q-8qww-h238 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue. | 2026-01-28 | 9.9 | CVE-2026-24841 | https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue. | 2026-01-28 | 8 | CVE-2026-24840 | https://github.com/Dokploy/dokploy/security/advisories/GHSA-jr65-3j3w-gjmc https://github.com/Dokploy/dokploy/commit/b902c160a256ad345ac687c87eb092f1fab2c64d |
| Drive-Software--Atomic Alarm Clock x86 | Atomic Alarm Clock 6.3 contains a local privilege escalation vulnerability in its service configuration that allows attackers to execute arbitrary code with SYSTEM privileges. Attackers can exploit the unquoted service path by placing a malicious executable named 'Program.exe' to gain persistent system-level access. | 2026-01-30 | 7.8 | CVE-2020-37060 | ExploitDB-48352 Vendor Homepage VulnCheck Advisory: Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path |
| Dummysoftware--BacklinkSpeed | BacklinkSpeed 2.4 contains a buffer overflow vulnerability that allows attackers to corrupt the Structured Exception Handler (SEH) chain through malicious file import. Attackers can craft a specially designed payload file to overwrite SEH addresses, potentially executing arbitrary code and gaining control of the application. | 2026-01-29 | 9.8 | CVE-2020-36997 | ExploitDB-48726 Vendor Homepage Software Download Page VulnCheck Advisory: BacklinkSpeed 2.4 - Buffer Overflow PoC (SEH) |
| Eclipse Foundation--Eclipse Theia - Website | In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository. | 2026-01-30 | 10 | CVE-2026-1699 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/332 |
| Eclipse Foundation--Eclipse ThreadX | The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to determine failure, but @osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted. As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption. This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access. | 2026-01-27 | 7.8 | CVE-2026-0648 | https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-xj75-fc68-h4rw |
| Elaniin--Elaniin CMS | Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by sending crafted email and password parameters with '=''or' payload to login.php, granting unauthorized access to the system. | 2026-01-29 | 8.2 | CVE-2020-36999 | ExploitDB-48705 Vendor Homepage Elaniin CMS GitHub Repository VulnCheck Advisory: elaniin CMS 1.0 - Authentication Bypass |
| Elektraweb--EasyPMS | EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user passwords without proper token authentication. | 2026-01-29 | 7.5 | CVE-2020-37008 | ExploitDB-48858 Vendor Homepage VulnCheck Advisory: EasyPMS 1.0.0 - Authentication Bypass |
| Enigmasoftware--SpyHunter | SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations to gain elevated access during service startup. | 2026-02-01 | 7.8 | CVE-2020-37055 | ExploitDB-48172 Vendor Homepage VulnCheck Advisory: SpyHunter 4 - 'SpyHunter 4 Service' Unquoted Service Path |
| Epson--EPSON | EPSON 1.124 contains an unquoted service path vulnerability in the SENADB service that allows local attackers to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\ to inject malicious executables that will run with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36984 | ExploitDB-48965 EPSON Official Support Page VulnCheck Advisory: EPSON 1.124 - 'seksmdb.exe' Unquoted Service Path |
| Epson--EPSON EasyMP Network Projection | EPSON EasyMP Network Projection 2.81 contains an unquoted service path vulnerability in the EMP_NSWLSV service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\ to inject malicious code that would execute with LocalSystem privileges. | 2026-02-01 | 7.8 | CVE-2020-37064 | ExploitDB-48069 EPSON EasyMP Network Projection Support Page VulnCheck Advisory: EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path |
| ErugoOSS--Erugo | Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue. | 2026-01-28 | 10 | CVE-2026-24897 | https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369 https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38 https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15 |
| Filehorse--Motorola Device Manager | Motorola Device Manager 2.4.5 contains an unquoted service path vulnerability in the PST Service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in ForwardDaemon.exe to inject malicious code that will execute with elevated system privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36981 | ExploitDB-49011 Motorola Device Manager Download Page ExploitDB-49013 VulnCheck Advisory: Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe ' Unquoted Service Path |
| Filigran--OpenCTI | OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. For example, requesting /static/css//../../../../../../../../etc/passwd returns the contents of /etc/passwd. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10. | 2026-01-30 | 7.5 | CVE-2020-37041 | ExploitDB-48595 OpenCTI Official Homepage OpenCTI GitHub Repository VulnCheck Advisory: OpenCTI 3.3.1 - Directory Traversal |
| Flexense Ltd.--SyncBreeze | SyncBreeze 10.0.28 contains a denial of service vulnerability in the login endpoint that allows remote attackers to crash the service. Attackers can send an oversized payload in the login request to overwhelm the application and potentially disrupt service availability. | 2026-01-27 | 7.5 | CVE-2020-36946 | ExploitDB-49291 Vendor Homepage VulnCheck Advisory: SyncBreeze 10.0.28 - 'login' Denial of Service |
| Forensit--ForensiTAppxService | ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup. | 2026-01-28 | 7.8 | CVE-2020-36989 | ExploitDB-48821 ForensiT Official Downloads Page VulnCheck Advisory: ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path |
| Fortinet--FortiProxy | An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices. | 2026-01-27 | 9.4 | CVE-2026-24858 | https://fortiguard.fortinet.com/psirt/FG-IR-26-060 |
| Frigate3--Frigate Professional | Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the Pack File feature that allows attackers to execute arbitrary code by overflowing the 'Archive To' input field. Attackers can craft a malicious payload that overwrites the Structured Exception Handler (SEH) and uses an egghunter technique to execute a reverse shell payload. | 2026-01-29 | 8.4 | CVE-2020-37001 | ExploitDB-48688 Archived Vendor Homepage VulnCheck Advisory: Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter) |
| Gearboxcomputers--IP Watcher | IP Watcher 3.0.0.30 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup. | 2026-01-28 | 7.8 | CVE-2020-36985 | ExploitDB-48968 Vendor Homepage VulnCheck Advisory: IP Watcher v3.0.0.30 - 'PACService.exe' Unquoted Service Path |
| Gearboxcomputers--Program Access Controller | Program Access Controller 1.2.0.0 contains an unquoted service path vulnerability in PACService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36987 | ExploitDB-48966 Vendor Homepage VulnCheck Advisory: Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path |
| geraked--phpscript-sgh | Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays, enabling them to extract sensitive database information through conditional sleep techniques. | 2026-01-27 | 8.2 | CVE-2020-36951 | ExploitDB-49192 Vendor Homepage VulnCheck Advisory: Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection |
| gerstrong--Commander-Genius | Out-of-bounds Write vulnerability in gerstrong Commander-Genius. This issue affects Commander-Genius: before Release refs/pull/358/merge. | 2026-01-27 | 7.5 | CVE-2026-24827 | https://github.com/gerstrong/Commander-Genius/pull/379 |
| Getoutline--Outline Service | Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in C:\Program Files (x86)\Outline to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-30 | 7.8 | CVE-2020-37030 | ExploitDB-48414 Outline Service Official Homepage VulnCheck Advisory: Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path |
| Getpopcorntime--Popcorn Time | Popcorn Time 6.2.1.14 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can insert malicious executables in Program Files (x86) or system root directories to be executed with SYSTEM-level permissions during service startup. | 2026-01-30 | 7.8 | CVE-2020-37059 | ExploitDB-48378 Popcorn Time Official Homepage VulnCheck Advisory: Popcorn Time 6.2 - 'Update service' Unquoted Service Path |
| Gila CMS--Gila CMS | Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent header with shell_exec() to run system commands by sending crafted requests to the admin endpoint. | 2026-01-27 | 9.8 | CVE-2021-47900 | ExploitDB-49412 Official Vendor Homepage Gila CMS GitHub Repository VulnCheck Advisory: Gila CMS < 2.0.0 - Remote Code Execution |
| Global Interactive Design Media Software Inc.--Content Management System (CMS) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers. This issue affects Content Management System (CMS): through 21072025. | 2026-01-29 | 7.5 | CVE-2025-7713 | https://www.usom.gov.tr/bildirim/tr-26-0008 |
| Global Interactive Design Media Software Inc.--Content Management System (CMS) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows Command Line Execution through SQL Injection. This issue affects Content Management System (CMS): through 21072025. | 2026-01-29 | 7.5 | CVE-2025-7714 | https://www.usom.gov.tr/bildirim/tr-26-0008 |
| GNOME--Fonts Viewer | Gnome Fonts Viewer 3.34.0 contains a heap corruption vulnerability that allows attackers to trigger an out-of-bounds write by crafting a malicious TTF font file. Attackers can generate a specially crafted TTF file with an oversized pattern to cause an infinite malloc() loop and potentially crash the gnome-font-viewer process. | 2026-01-29 | 7.5 | CVE-2020-37011 | ExploitDB-48803 Gnome Official Website Gnome Font Viewer App Webpage VulnCheck Advisory: Gnome Fonts Viewer 3.34.0 Heap Corruption |
| GnuPG--GnuPG | In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution. | 2026-01-27 | 8.1 | CVE-2026-24881 | https://www.openwall.com/lists/oss-security/2026/01/27/8 https://dev.gnupg.org/T8044 |
| GnuPG--GnuPG | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | 2026-01-27 | 8.4 | CVE-2026-24882 | https://www.openwall.com/lists/oss-security/2026/01/27/8 https://dev.gnupg.org/T8045 |
| Grafana--grafana/grafana | The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization internal privilege escalation. | 2026-01-27 | 8.1 | CVE-2026-21721 | https://grafana.com/security/security-advisories/CVE-2026-21721 |
| Grafana--grafana/grafana-enterprise | Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems. | 2026-01-27 | 7.5 | CVE-2026-21720 | https://grafana.com/security/security-advisories/CVE-2026-21720 |
| guelfoweb--knock | Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications. | 2026-01-27 | 9.8 | CVE-2020-36941 | ExploitDB-49342 Knockpy GitHub Repository VulnCheck Advisory: Knockpy 4.1.1 - CSV Injection |
| hayyatapps--Sell BTC Cryptocurrency Selling Calculator | The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5. | 2026-01-31 | 7.2 | CVE-2025-14554 | https://www.wordfence.com/threat-intel/vulnerabilities/id/720be34d-3fe4-4395-a27b-d386f8612ba9?source=cve https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions-admin.php#L39 https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions/form_tab.php#L12 https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/Pages/orders.php#L30 https://plugins.trac.wordpress.org/changeset/3433480/ https://plugins.trac.wordpress.org/changeset/3450361/ |
| HELLOWEB--HelloWeb | HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files. | 2026-01-30 | 7.5 | CVE-2020-37034 | ExploitDB-48659 Archived HelloWeb Vendor Homepage VulnCheck Advisory: HelloWeb 2.0 - Arbitrary File Download |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking Fabric Composer | Insecure file operations in HPE Aruba Networking Fabric Composer’s backup functionality could allow authenticated attackers to achieve remote code execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. | 2026-01-27 | 7.2 | CVE-2026-23592 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04996en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking Fabric Composer | A vulnerability in the web-based management interface of HPE Aruba Networking Fabric Composer could allow an unauthenticated remote attacker to view some system files. Successful exploitation could allow an attacker to read files within the affected directory. | 2026-01-27 | 7.5 | CVE-2026-23593 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04996en_us&docLocale=en_US |
| HIKSEMI--HS-AFS-S1H1 | Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages. | 2026-01-30 | 7.2 | CVE-2026-22623 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| Hikvision--DS-3WAP521-SI | Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution. | 2026-01-30 | 7.2 | CVE-2026-0709 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/command-execution-vulnerability-in-some-hikvision-wireless-access-point-products/ |
| Hisense TransTech--Smart Bus Management System | A flaw has been found in Hisense TransTech Smart Bus Management System up to 20260113. Affected is the function Page_Load of the file YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx. Executing a manipulation of the argument key can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-26 | 7.3 | CVE-2026-1449 | VDB-342881 | Hisense TransTech Smart Bus Management System TireMng.aspx Page_Load sql injection VDB-342881 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #737032 | Hisense TransTech Hisense Smart Bus Management System 1.0 SQL Injection https://github.com/master-abc/cve/issues/15 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Windows 12.1.0 - 12.1.3 could allow a local user with filesystem access to escalate their privileges due to the use of an unquoted search path element. | 2026-01-30 | 8.4 | CVE-2025-36384 | https://www.ibm.com/support/pages/node/7257678 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalate their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level. | 2026-01-30 | 7.2 | CVE-2025-36184 | https://www.ibm.com/support/pages/node/7257519 |
| IDT--IDT PC Audio | IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the STacSV service to inject malicious code that would execute with LocalSystem account permissions during service startup. | 2026-01-26 | 7.8 | CVE-2020-36959 | ExploitDB-49191 Software Download Link VulnCheck Advisory: IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path |
| iForwarder and upRedSun Technologies, LLC.--Port Forwarding Wizard | Port Forwarding Wizard 4.8.0 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code through a long request in the Register feature. Attackers can craft a malicious payload with an egg tag and overwrite SEH handlers to potentially execute shellcode on vulnerable Windows systems. | 2026-01-30 | 8.4 | CVE-2020-37025 | ExploitDB-48695 Vendor Homepage VulnCheck Advisory: Port Forwarding Wizard 4.8.0 - Buffer Overflow |
| ik80--YATinyWinFTP | YATinyWinFTP contains a denial of service vulnerability that allows attackers to crash the FTP service by sending a 272-byte buffer with a trailing space. Attackers can exploit the service by connecting and sending a malformed command that triggers a buffer overflow and service crash. | 2026-01-28 | 9.8 | CVE-2020-36964 | ExploitDB-49127 YATinyWinFTP GitHub Repository VulnCheck Advisory: YATinyWinFTP - Denial of Service |
| immich-app--immich | immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue. | 2026-01-29 | 7.2 | CVE-2026-23896 | https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv |
| inc2734--Snow Monkey Forms | The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2026-01-28 | 9.8 | CVE-2026-1056 | https://www.wordfence.com/threat-intel/vulnerabilities/id/37a8642d-07f5-4b1b-8419-e30589089162?source=cve https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/snow-monkey-forms.php#L186 https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Model/Directory.php#L58 https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Rest/Route/View.php#L189 https://plugins.trac.wordpress.org/changeset/3448278/ |
| infiniflow--ragflow | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip" vulnerability, allowing an attacker to overwrite arbitrary files on the server (leading to Remote Code Execution) via a malicious ZIP archive. The MinerUParser class retrieves and extracts ZIP files from an external source (mineru_server_url). The extraction logic in `_extract_zip_no_root` fails to sanitize filenames within the ZIP archive. Commit 64c75d558e4a17a4a48953b4c201526431d8338f contains a patch for the issue. | 2026-01-27 | 9.8 | CVE-2026-24770 | https://github.com/infiniflow/ragflow/security/advisories/GHSA-v7cf-w7gj-pgf4 https://github.com/infiniflow/ragflow/commit/64c75d558e4a17a4a48953b4c201526431d8338f |
| Inputdirector--Input Director | Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36990 | ExploitDB-48795 Input Director Official Homepage VulnCheck Advisory: Input Director 1.4.3 - 'Input Director' Unquoted Service Path |
| Insite Software--Infor Storefront B2B | Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'usr_name' parameter to potentially extract or modify database information. | 2026-01-30 | 8.2 | CVE-2020-37033 | ExploitDB-48674 Archived Infor Storefront Homepage VulnCheck Advisory: Infor Storefront B2B 1.0 - 'usr_name' SQL Injection |
| Intelbras--Intelbras Router RF 301K | Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. Attackers can send a specific HTTP GET request to /cgi-bin/DownloadCfg/RouterCfm.cfg to retrieve sensitive router configuration without authentication. | 2026-01-28 | 7.5 | CVE-2020-36963 | ExploitDB-49126 Intelbras Official Homepage VulnCheck Advisory: Intelbras Router RF 301K 1.1.2 - Authentication Bypass |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing potentially corrupting memory structures and enabling arbitrary code execution. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available. | 2026-01-28 | 7.8 | CVE-2026-24856 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-w585-cv3v-c396 https://github.com/InternationalColorConsortium/iccDEV/issues/532 https://github.com/InternationalColorConsortium/iccDEV/pull/541 https://github.com/InternationalColorConsortium/iccDEV/commit/5e53a5d25923b7794ba44e390e9b35d391f2b9c1 |
| Iobit--IObit Uninstaller | IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path in the IObit Uninstaller Service to insert malicious code that would execute with SYSTEM-level permissions during service startup. | 2026-01-26 | 7.8 | CVE-2020-36952 | ExploitDB-49371 IObit Official Homepage VulnCheck Advisory: IObit Uninstaller 10 Pro - Unquoted Service Path |
| Is-Daouda--is-Engine | Missing Release of Memory after Effective Lifetime vulnerability in Is-Daouda is-Engine. This issue affects is-Engine: before 3.3.4. | 2026-01-27 | 7.5 | CVE-2026-24828 | https://github.com/Is-Daouda/is-Engine/pull/6 |
| isaacs--node-tar | node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue. | 2026-01-28 | 8.2 | CVE-2026-24842 | https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46 |
| Iskysoft--Iskysoft Application Framework Service | Iskysoft Application Framework Service 2.4.3.241 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that would be run with the service's high-level system permissions. | 2026-02-01 | 7.8 | CVE-2020-37048 | ExploitDB-48171 Vendor Homepage VulnCheck Advisory: Iskysoft Application Framework Service 2.4.3.241 - 'IsAppService' Unquoted Service Path |
| itsourcecode--Directory Management System | A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-01-30 | 7.3 | CVE-2026-1688 | VDB-343482 | itsourcecode Directory Management System index.php sql injection VDB-343482 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741283 | itsourcecode Directory Management System V1.0 SQL Injection https://github.com/jackhong1236/CVE_1/issues/1 https://itsourcecode.com/ |
| itsourcecode--School Management System | A weakness has been identified in itsourcecode School Management System 1.0. The affected element is an unknown function of the file /course/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | 2026-01-28 | 7.3 | CVE-2026-1545 | VDB-343229 | itsourcecode School Management System index.php sql injection VDB-343229 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #739647 | itsourcecode School Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/33 https://itsourcecode.com/ |
| itsourcecode--School Management System | A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/inquiry/index.php. This manipulation of the argument txtsearch causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-29 | 7.3 | CVE-2026-1589 | VDB-343352 | itsourcecode School Management System index.php sql injection VDB-343352 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740686 | itsourcecode School Management System v1.0 SQL Injection https://mega.nz/file/DQUWSY7Y#CLcuhD1KE2s0VtEvYqH_PDCyhpGS0HDo_MKj9sheUPA https://itsourcecode.com/ |
| itsourcecode--School Management System | A vulnerability was identified in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/faculty/index.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-01-29 | 7.3 | CVE-2026-1590 | VDB-343353 | itsourcecode School Management System index.php sql injection VDB-343353 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740687 | itsourcecode School Management System v1.0 SQL Injection https://mega.nz/file/GYsm2Q7K#B7NUGX5Fy9iLYssM474U3zFsmZp_14v0n5Sp-5N95yI https://itsourcecode.com/ |
| itsourcecode--Society Management System | A weakness has been identified in itsourcecode Society Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/edit_expenses_query.php. Executing a manipulation of the argument detail can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-29 | 7.3 | CVE-2026-1593 | VDB-343355 | itsourcecode Society Management System edit_expenses_query.php sql injection VDB-343355 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740689 | itsourcecode Society Management System V1.0 SQL injection https://github.com/yyzq-wsx/for_cve/issues/3 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A security vulnerability has been detected in itsourcecode Society Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/add_expenses.php. The manipulation of the argument detail leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2026-01-29 | 7.3 | CVE-2026-1594 | VDB-343356 | itsourcecode Society Management System add_expenses.php sql injection VDB-343356 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740691 | itsourcecode Society Management System V1.0 SQL Injection https://github.com/yyzq-wsx/for_cve/issues/2 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. This affects an unknown part of the file /admin/edit_student_query.php. The manipulation of the argument student_id results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. | 2026-01-29 | 7.3 | CVE-2026-1595 | VDB-343357 | itsourcecode Society Management System edit_student_query.php sql injection VDB-343357 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740692 | itsourcecode Society Management System V1.0 SQL Injection https://github.com/yyzq-wsx/for_cve/issues/1 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A security vulnerability has been detected in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-01-30 | 7.3 | CVE-2026-1701 | VDB-343491 | itsourcecode Student Management System index.php sql injection VDB-343491 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742024 | itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/34 https://itsourcecode.com/ |
| Ivanti--Endpoint Manager Mobile | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | 2026-01-29 | 9.8 | CVE-2026-1281 | https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 |
| Ivanti--Endpoint Manager Mobile | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | 2026-01-29 | 9.8 | CVE-2026-1340 | https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 |
| ixray-team--ixray-1.6-stcop | Out-of-bounds Write vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. | 2026-01-27 | 9.8 | CVE-2026-24832 | https://github.com/ixray-team/ixray-1.6-stcop/pull/257 |
| ixray-team--ixray-1.6-stcop | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. | 2026-01-27 | 7.5 | CVE-2026-24831 | https://github.com/ixray-team/ixray-1.6-stcop/pull/248 |
| Juniper Networks--Session Smart Router | An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allows a network-based attacker to bypass authentication and take administrative control of the device. This issue affects Session Smart Router: * from 5.6.7 before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2; This issue affects Session Smart Conductor: * from 5.6.7 before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2; This issue affects WAN Assurance Managed Routers: * from 5.6.7 before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2. | 2026-01-27 | 9.8 | CVE-2025-21589 | https://supportportal.juniper.net/ https://support.juniper.net/support/eol/software/ssr/ https://kb.juniper.net/JSA94663 |
| K.soft--FTPDummy | FTPDummy 4.80 contains a local buffer overflow vulnerability in its preference file handling that allows attackers to execute arbitrary code. Attackers can craft a malicious preference file with carefully constructed shellcode to trigger a structured exception handler overwrite and execute system commands. | 2026-01-30 | 8.4 | CVE-2020-37029 | ExploitDB-48685 Official FTPDummy Software Homepage VulnCheck Advisory: FTPDummy 4.80 - Local Buffer Overflow |
| KiloView--Encoder Series E1 hardware Version 1.4 | A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant the attacker full administrative control over the product. | 2026-01-29 | 9.8 | CVE-2026-1453 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-029-01.json |
| Kite--Kite | Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Kite\KiteService.exe' to inject malicious executables and escalate privileges on the system. | 2026-01-26 | 7.8 | CVE-2020-36958 | ExploitDB-49205 Vendor Homepage VulnCheck Advisory: Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path |
| Kludex--python-multipart | Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations. | 2026-01-27 | 8.6 | CVE-2026-24486 | https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4 https://github.com/Kludex/python-multipart/releases/tag/0.0.22 |
| Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co.--Online Exam and Assessment | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection. This issue affects Online Exam and Assessment: through 30012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-30 | 8.6 | CVE-2025-4686 | https://www.usom.gov.tr/bildirim/tr-26-0010 |
| kohler--hotcrp | HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user's browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer's browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP's API. Malicious documents could be uploaded to submission fields with "file upload" or "attachment" type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`. | 2026-01-30 | 7.3 | CVE-2026-25156 | https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476 https://github.com/kohler/hotcrp/commit/8933e86c9f384b356dc4c6e9e2814dee1074b323 https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508 https://github.com/kohler/hotcrp/commit/c3d88a7e18d52119c65df31c2cc994edd2beccc5 |
| Koken--Koken CMS | Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy and changing the file extension. | 2026-01-30 | 8.8 | CVE-2020-37023 | ExploitDB-48706 Koken CMS Official Homepage Softaculous Koken CMS Software Page Researcher PoC VulnCheck Advisory: Koken CMS 0.22.24 - Arbitrary File Upload |
| kyverno--kyverno | Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy's namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno's admission controller identity, targeting any API path allowed by that ServiceAccount's RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability. | 2026-01-27 | 10 | CVE-2026-22039 | https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2 https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e |
| kyverno--kyverno | Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability. | 2026-01-27 | 7.7 | CVE-2026-23881 | https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7 |
| LibreNMS--LibreNMS | LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection. | 2026-01-27 | 7.1 | CVE-2020-36947 | ExploitDB-49246 LibreNMS Official Website LibreNMS GitHub Repository LibreNMS Community VulnCheck Advisory: LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection |
| loft-sh--loft | vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access resources outside of it. However, the user still cannot access resources beyond what is accessible to the owner of the access key. Versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10 fix the vulnerability. Some other mitigations are available. Users can limit exposure by reviewing access keys which are scoped and ensuring any users with access to them have appropriate permissions set. Creating automation users with very limited permissions and using access keys for these automation users can be used as a temporary workaround where upgrading is not immediately possible but scoped access keys are needed. | 2026-01-29 | 9.1 | CVE-2026-22806 | https://github.com/loft-sh/loft/security/advisories/GHSA-c539-w4ch-7wxq |
| M.J.M Soft--Quick Player | Quick Player 1.3 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious .m3l file with carefully constructed payload. Attackers can trigger the vulnerability by loading a specially crafted file through the application's file loading mechanism, potentially enabling remote code execution. | 2026-01-30 | 9.8 | CVE-2020-37050 | ExploitDB-48564 Software Download Link Archived Researcher Blog Post Archived Researcher Video PoC VulnCheck Advisory: Quick Player 1.3 - '.m3l' Buffer Overflow |
| maurosoria--dirsearch | Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report. | 2026-01-27 | 9.8 | CVE-2021-47901 | ExploitDB-49370 dirsearch GitHub Repository VulnCheck Advisory: dirsearch 0.4.1 - CSV Injection |
| MedDream--MedDream PACS Server | MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. Attackers can exploit the uploadImage.php endpoint by authenticating and uploading a PHP shell to execute arbitrary system commands with elevated privileges. | 2026-01-29 | 8.8 | CVE-2020-37009 | ExploitDB-48853 MedDream PACS Server Product Page VulnCheck Advisory: MedDream PACS Server 6.8.3.751 - Remote Code Execution |
| meshtastic--firmware | Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwriting the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5. | 2026-01-27 | 8.2 | CVE-2025-55292 | https://github.com/meshtastic/firmware/security/advisories/GHSA-45vg-3f35-7ch2 https://github.com/meshtastic/firmware/commit/e5e8683cdba133e726033101586c3235a8678893 |
| Microsoft--Microsoft Office 2019 | Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. | 2026-01-26 | 7.8 | CVE-2026-21509 | Microsoft Office Security Feature Bypass Vulnerability |
| midgetspy--Sickbeard | Sickbeard alpha contains a remote command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands through the extra scripts configuration. Attackers can set malicious commands in the extra scripts field and trigger processing to execute remote code on the vulnerable Sickbeard installation. | 2026-01-30 | 9.8 | CVE-2020-37027 | ExploitDB-48646 Archived Sickbeard Official Homepage Sickbeard GitHub Repository VulnCheck Advisory: Sickbeard 0.1 - Remote Command Injection |
| Mini-stream Software--RM Downloader | RM Downloader 2.50.60 contains a local buffer overflow vulnerability in the 'Load' parameter that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload with an egg hunter technique to bypass memory protections and execute commands like launching calc.exe. | 2026-01-30 | 8.4 | CVE-2020-37036 | ExploitDB-48628 Software v2.50.60 Archive Software Informer Product Page VulnCheck Advisory: RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow |
| Minitool--MiniTool ShadowMaker | MiniTool ShadowMaker 3.2 contains an unquoted service path vulnerability in the MTAgentService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\MiniTool ShadowMaker\AgentService.exe' to inject malicious executables and escalate privileges. | 2026-01-26 | 7.8 | CVE-2020-36953 | ExploitDB-49336 Vendor Homepage VulnCheck Advisory: MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path |
| Mintplex-Labs--anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue. | 2026-01-26 | 7.2 | CVE-2026-24478 | https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jp2f-99h9-7vjv |
| MobSF--Mobile-Security-Framework-MobSF | MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme="android_secret_code">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue. | 2026-01-27 | 8.1 | CVE-2026-24490 | https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5 |
| Motorola-Device-Manager--Motorola Device Manager | Motorola Device Manager 2.5.4 contains an unquoted service path vulnerability in the MotoHelperService.exe service that allows local users to potentially inject malicious code. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with elevated system privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36982 | ExploitDB-49012 Motorola Device Manager Vendor Homepage VulnCheck Advisory: Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path |
| n8n--n8n | n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. | 2026-01-27 | 9.9 | CVE-2026-1470 | https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04 https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/ |
| NaturalIntelligence--fast-xml-parser | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue. | 2026-01-30 | 7.5 | CVE-2026-25128 | https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4 |
| Naviwebs S.C.--Navigate CMS | Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts. | 2026-01-30 | 7.1 | CVE-2020-37053 | ExploitDB-48545 Navigate CMS Official Homepage Navigate CMS SourceForge Page VulnCheck Advisory: Navigate CMS 2.8.7 - ''sidx' SQL Injection |
| NetPCLinker--NetPCLinker | NetPCLinker 1.0.0.0 contains a buffer overflow vulnerability in the Clients Control Panel DNS/IP field that allows attackers to execute arbitrary shellcode. Attackers can craft a malicious payload in the DNS/IP input to overwrite SEH handlers and execute shellcode when adding a new client. | 2026-01-30 | 9.8 | CVE-2019-25232 | ExploitDB-48680 NetPCLinker SourceForge Page VulnCheck Advisory: NetPCLinker 1.0.0.0 - Buffer Overflow |
| neutrinolabs--xrdp | xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems. | 2026-01-27 | 9.1 | CVE-2025-68670 | https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f https://github.com/neutrinolabs/xrdp/commit/488c8c7d4d189514a366cd8301b6e816c5218ffa https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.5 |
| Nidesoft Studio--Nidesoft DVD Ripper | Nidesoft DVD Ripper 5.2.18 contains a local buffer overflow vulnerability in the License Code registration parameter that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the License Code field to trigger a stack-based buffer overflow and execute shellcode. | 2026-01-30 | 8.4 | CVE-2020-37024 | ExploitDB-48687 Nidesoft DVD Ripper Software Download Page VulnCheck Advisory: Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow |
| Nidesoft--Nidesoft 3GP Video Converter | Nidesoft 3GP Video Converter 2.6.18 contains a local stack buffer overflow vulnerability in the license registration parameter. Attackers can craft a malicious payload and paste it into the 'License Code' field to execute arbitrary code on the system. | 2026-01-28 | 8.4 | CVE-2020-36971 | ExploitDB-49034 Archived Software Repository VulnCheck Advisory: Nidesoft 3GP Video Converter 2.6.18 - Local Stack Buffer Overflow |
| nmedia--Frontend File Manager Plugin | The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only. | 2026-01-28 | 7.5 | CVE-2026-1280 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98 https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98 |
| nmedia--Simple User Registration | The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update. | 2026-01-28 | 8.8 | CVE-2026-0844 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0e77e1-7e9f-4f7e-8953-c86ab0e5ae7a?source=cve https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.profile.php#L401 https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.user.php#L305 |
| nordvpn--nordvpn | Nord VPN 6.31.13.0 contains an unquoted service path vulnerability in its nordvpn-service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path during system startup or reboot to potentially run malicious code with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36992 | ExploitDB-48790 NordVPN Official Homepage VulnCheck Advisory: Nord VPN-6.31.13.0 - 'nordvpn-service' Unquoted Service Path |
| NVIDIA--GeForce | NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33217 | https://nvd.nist.gov/vuln/detail/CVE-2025-33217 https://www.cve.org/CVERecord?id=CVE-2025-33217 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA--GeForce | NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33218 | https://nvd.nist.gov/vuln/detail/CVE-2025-33218 https://www.cve.org/CVERecord?id=CVE-2025-33218 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA--GeForce | NVIDIA Display Driver for Linux contains a vulnerability in the NVIDIA kernel module where an attacker could cause an integer overflow or wraparound. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33219 | https://nvd.nist.gov/vuln/detail/CVE-2025-33219 https://www.cve.org/CVERecord?id=CVE-2025-33219 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA--GeForce | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause heap memory access after the memory is freed. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33220 | https://nvd.nist.gov/vuln/detail/CVE-2025-33220 https://www.cve.org/CVERecord?id=CVE-2025-33220 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA--NVIDIA runx | NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | 2026-01-27 | 7.8 | CVE-2025-33234 | https://nvd.nist.gov/vuln/detail/CVE-2025-33234 https://www.cve.org/CVERecord?id=CVE-2025-33234 https://nvidia.custhelp.com/app/answers/detail/a_id/5764 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`SandboxFunction`). This is handled in `utils.ts` by mapping `Function` to `sandboxFunction` within a map used for lookups. However, before version 0.8.26, the library did not include mappings for `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction`. These constructors are not global properties but can be accessed via the `.constructor` property of an instance (e.g., `(async () => {}).constructor`). In `executor.ts`, property access is handled. When code running inside the sandbox accesses `.constructor` on an async function (which the sandbox allows creating), the `executor` retrieves the property value. Since `AsyncFunction` was not in the safe-replacement map, the `executor` returns the actual native host `AsyncFunction` constructor. Constructors for functions in JavaScript (like `Function`, `AsyncFunction`) create functions that execute in the global scope. By obtaining the host `AsyncFunction` constructor, an attacker can create a new async function that executes entirely outside the sandbox context, bypassing all restrictions and gaining full access to the host environment (Remote Code Execution). Version 0.8.26 patches this vulnerability. | 2026-01-27 | 10 | CVE-2026-23830 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-wxhw-j4hc-fmq6 https://github.com/nyariv/SandboxJS/commit/345aee6566e47979dee5c337b925b141e7f78ccd |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB. | 2026-01-27 | 7.5 | CVE-2026-22258 | https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74 https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830 https://redmine.openinfosecfoundation.org/issues/8182 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain a patch. As a workaround, disable the DNP3 parser in the suricata yaml (disabled by default). | 2026-01-27 | 7.5 | CVE-2026-22259 | https://github.com/OISF/suricata/security/advisories/GHSA-878h-2x6v-84q9 https://github.com/OISF/suricata/commit/50cac2e2465ca211eabfa156623e585e9037bb7e https://github.com/OISF/suricata/commit/63225d5f8ef64cc65164c0bb1800730842d54942 https://redmine.openinfosecfoundation.org/issues/8181 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`. | 2026-01-27 | 7.5 | CVE-2026-22260 | https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22 https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185 https://redmine.openinfosecfoundation.org/issues/8185 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet. | 2026-01-27 | 7.4 | CVE-2026-22264 | https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5 https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715 https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2 https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b https://redmine.openinfosecfoundation.org/issues/8190 |
| OpenClaw--OpenClaw | OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value. | 2026-02-01 | 8.8 | CVE-2026-25253 | https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq https://openclaw.ai/blog |
| openemr--openemr | OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user's record; the server accepts the modified IDs and applies the changes to that other user's profile. This allows one user to alter another user's profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue. | 2026-01-27 | 8.8 | CVE-2025-67645 | https://github.com/openemr/openemr/security/advisories/GHSA-vjmv-cf46-gffv https://github.com/openemr/openemr/commit/e2a682ee71aac71a9f04ae566f4ffca10052bc4a |
| opf--openproject | OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled. | 2026-01-28 | 8.9 | CVE-2026-24772 | https://github.com/opf/openproject/security/advisories/GHSA-r854-p5qj-x974 |
| Pablosoftwaresolutions--Quick 'n Easy FTP Service | Quick 'n Easy FTP Service 3.2 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code during service startup. Attackers can exploit the misconfigured service binary path to inject malicious executables with elevated LocalSystem privileges during system boot or service restart. | 2026-01-27 | 7.8 | CVE-2020-36983 | ExploitDB-48983 Vendor Homepage Software Download Page VulnCheck Advisory: Quick 'n Easy FTP Service 3.2 - Unquoted Service Path |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue. | 2026-01-26 | 9.8 | CVE-2026-22709 | https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8 https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29 https://github.com/patriksimek/vm2/releases/tag/v3.10.2 |
| Pdf-Complete--PDF Complete | PDF Complete 3.5.310.2002 contains an unquoted service path vulnerability in its pdfsvc.exe service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. | 2026-01-26 | 7.8 | CVE-2020-36957 | ExploitDB-49226 PDF Complete Vendor Homepage VulnCheck Advisory: PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path |
| PHPSUGAR--PHP Melody | PHP Melody version 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to inject malicious SQL commands. Attackers can exploit the unvalidated 'vid' parameter to execute arbitrary database queries and potentially compromise the web application and database management system. | 2026-02-01 | 8.1 | CVE-2021-47915 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 SQL Injection Vulnerability via Edit Video Parameter |
| PMB Services--PMB Services | PMB 5.6 contains a local file disclosure vulnerability in getgif.php that allows attackers to read arbitrary system files by manipulating the 'chemin' parameter. Attackers can exploit the unsanitized file path input to access sensitive files like /etc/passwd by sending crafted requests to the getgif.php endpoint. | 2026-01-28 | 8.4 | CVE-2020-36970 | ExploitDB-49054 Vendor Homepage Software Download Repository VulnCheck Advisory: PMB 5.6 - 'chemin' Local File Disclosure |
| polarnl--PolarLearn | PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body's `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `"x"`) as `direction`. Downstream (`VoteServer`) treats any non-`"up"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability. | 2026-01-29 | 7.1 | CVE-2026-25126 | https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41 |
| Preyproject--Prey | Prey 1.9.6 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to insert malicious code that would execute during application startup or system reboot. | 2026-01-28 | 7.8 | CVE-2020-36986 | ExploitDB-48967 Vendor Homepage VulnCheck Advisory: Prey 1.9.6 - "CronService" Unquoted Service Path |
| ProjectSkyfire--SkyFire_548 | improper pointer arithmetic vulnerability in ProjectSkyfire SkyFire_548. This issue affects SkyFire_548: before 5.4.8-stable5. | 2026-01-27 | 9.8 | CVE-2026-24872 | https://github.com/cadaver/turso3d/pull/11 |
| pytorch--pytorch | PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue. | 2026-01-27 | 8.8 | CVE-2026-24747 | https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p https://github.com/pytorch/pytorch/issues/163105 https://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139 https://github.com/pytorch/pytorch/releases/tag/v2.10.0 |
| Raimersoft--TapinRadio | TapinRadio 2.13.7 contains a denial of service vulnerability in the application proxy settings that allows attackers to crash the program by overflowing input fields. Attackers can paste a large buffer of 20,000 characters into the username and address fields to cause the application to become unresponsive and require reinstallation. | 2026-01-27 | 7.5 | CVE-2020-36949 | ExploitDB-49206 Vendor Homepage VulnCheck Advisory: TapinRadio 2.13.7 - Denial of Service |
| Ralim--IronOS | Integer Overflow or Wraparound vulnerability in Ralim IronOS. This issue affects IronOS: before v2.23-rc2. | 2026-01-27 | 9.8 | CVE-2026-24830 | https://github.com/Ralim/IronOS/pull/2083 |
| Realtek--Realtek Andrea RT Filters | Realtek Andrea RT Filters 1.0.64.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in 'C:\Program Files\IDT\WDM\AESTSr64.exe' to inject malicious code that would execute during service startup or system reboot. | 2026-01-27 | 7.8 | CVE-2020-36974 | ExploitDB-49158 Realtek Official Homepage VulnCheck Advisory: Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path |
| Red Hat--OpenShift Serverless | A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack. | 2026-01-30 | 7.5 | CVE-2024-4027 | https://access.redhat.com/security/cve/CVE-2024-4027 RHBZ#2276410 |
| Red Hat--osim | The $uri$args concatenation in nginx configuration file present in Open Security Issue Management (OSIM) prior v2025.9.0 allows path traversal attacks via query parameters. | 2026-01-29 | 7.5 | CVE-2026-1616 | https://github.com/RedHatProductSecurity/osim/pull/615 |
| Red Hat--RHEL-9-CNV-4.19 | A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism. | 2026-01-26 | 8.5 | CVE-2025-14459 | RHSA-2026:0950 https://access.redhat.com/security/cve/CVE-2025-14459 RHBZ#2420938 |
| Rinnegatamante--lpp-vita | Out-of-bounds Read vulnerability in Rinnegatamante lpp-vita. This issue affects lpp-vita: before lpp-vita r6. | 2026-01-27 | 7.8 | CVE-2026-24873 | https://github.com/Rinnegatamante/lpp-vita/pull/82 |
| Ruijienetworks--Ruijie Networks Switch eWeb S29_RGOS | Ruijie Networks Switch eWeb S29_RGOS 11.4 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by manipulating file path parameters. Attackers can exploit the /download.do endpoint with '../' sequences to retrieve system configuration files containing credentials and network settings. | 2026-01-29 | 7.5 | CVE-2020-37015 | ExploitDB-48755 Ruijie Networks Official Homepage Directory Traversal Vulnerability Source VulnCheck Advisory: Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal |
| runtipi--runtipi | Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability. | 2026-01-29 | 7.6 | CVE-2026-25116 | https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6 https://github.com/runtipi/runtipi/releases/tag/v4.7.2 |
| saadiqbal--New User Approve | The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users. | 2026-01-28 | 7.3 | CVE-2026-0832 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f86a69ab-2fc5-4c84-872b-929dbec429cd?source=cve https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L60 https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L60 https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L24 https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L24 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425140%40new-user-approve&new=3425140%40new-user-approve&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442291%40new-user-approve&new=3442291%40new-user-approve&sfp_email=&sfph_mail= |
| Salt Project--Salt | Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process. | 2026-01-30 | 7.8 | CVE-2025-62348 | Salt 3006.17 release notes (fix for CVE-2025-62348) |
| Sangfor--Operation and Maintenance Security Management System | A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. The impacted element is an unknown function of the file /fort/audit/get_clip_img of the component HTTP POST Request Handler. Such manipulation of the argument frame/dirno leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-01-26 | 7.3 | CVE-2026-1412 | VDB-342801 | Sangfor Operation and Maintenance Security Management System HTTP POST Request get_clip_img command injection VDB-342801 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736513 | Sangfor Operation and Maintenance Security Management System (OSM / è¿ç»´å®‰å…¨ç®¡ç†ç³»ç»Ÿ) v3.0.12 Command Injectiona https://github.com/LX-LX88/cve/issues/22 |
| Scille--parsec-cloud | Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability to for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred) which is also known by the attacker. Note only Parsec web is impacted (as Parsec desktop uses `libparsec_crypto` with the libsodium backend). Version 3.6.0 of Parsec patches the issue. | 2026-01-29 | 8.3 | CVE-2025-62514 | https://github.com/Scille/parsec-cloud/security/advisories/GHSA-hrc9-gm58-pgj9 https://github.com/Scille/parsec-cloud/commit/197bb6387b49fec872b5e4a04dcdb82b3d2995b2 https://github.com/Scille/parsec-cloud/blob/e7c5cdbc4234f606ccf3ab2be7e9edc22db16feb/libparsec/crates/crypto/src/rustcrypto/private.rs#L136-L138 https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/curve25519-dalek/src/montgomery.rs#L132-L146 https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/x25519-dalek/src/x25519.rs#L364-L366 |
| script3--soroban-fixed-point-math | soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are `fixed_div_floor` and `fixed_div_ceil`, as they often use non-constant numbers as the divisor $z$ in `mulDiv`. This error is present in all signed `FixedPoint` and `SorobanFixedPoint` implementations, including `i64`, `i128`, and `I256`. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available. | 2026-01-27 | 7.5 | CVE-2026-24783 | https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65 https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1 https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1 |
| sebastianbergmann--phpunit | PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control. | 2026-01-27 | 7.8 | CVE-2026-24765 | https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63 https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50 https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8 https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52 https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33 |
| Segurazo--SAntivirus IC | SAntivirus IC 10.0.21.61 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted executable path to inject malicious files in the service binary path, enabling privilege escalation to system-level permissions. | 2026-01-27 | 7.8 | CVE-2020-36980 | ExploitDB-49042 Vendor Homepage VulnCheck Advisory: SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path |
| SEIKO EPSON Corp--Status Monitor 3 | EPSON Status Monitor 3 version 8.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can leverage the unquoted path in 'C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE' to inject malicious executables and escalate privileges. | 2026-01-27 | 7.8 | CVE-2020-36975 | ExploitDB-49141 Official EPSON Corporate Homepage VulnCheck Advisory: EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path |
| shahrukhlinkgraph--Search Atlas SEO Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the 'nonce_token' authentication value to log in to the first Administrator's account. | 2026-01-28 | 8.8 | CVE-2025-14386 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6f63d2c4-cbae-4177-8494-daca96449ecc?source=cve https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L1042 https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L851 https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L1141 |
| Sharemouse--ShareMouse | ShareMouse 5.0.43 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the insecure service path configuration by placing malicious executables in specific system directories to gain elevated access during service startup. | 2026-01-28 | 7.8 | CVE-2020-36991 | ExploitDB-48794 ShareMouse Official Vendor Homepage VulnCheck Advisory: ShareMouse 5.0.43 - 'ShareMouse Service' Unquoted Service Path |
| Simplephpscripts--Simple CMS | Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application. | 2026-02-01 | 8.1 | CVE-2021-47918 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Simple CMS 2.1 SQL Injection Vulnerability via Users Module |
| smartdatasoft--SmartBlog | SmartBlog 2.0.1 contains a blind SQL injection vulnerability in the 'id_post' parameter of the details controller that allows attackers to extract database information. Attackers can systematically test and retrieve database contents by injecting crafted SQL queries that compare character-by-character of database information. | 2026-01-28 | 8.2 | CVE-2020-36972 | ExploitDB-48995 SmartBlog GitHub Repository VulnCheck Advisory: SmartBlog 2.0.1 - 'id_post' Blind SQL injection |
| SOCUSOFT--Photo to Video Converter Professional | Socusoft Photo to Video Converter Professional 8.07 contains a local buffer overflow vulnerability in the 'Output Folder' input field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the output folder field to trigger a stack-based buffer overflow and potentially execute shellcode. | 2026-01-30 | 8.4 | CVE-2020-37028 | ExploitDB-48691 Archived Vendor Homepage VulnCheck Advisory: Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | 2026-01-28 | 9.8 | CVE-2025-40551 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40551 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication. | 2026-01-28 | 9.8 | CVE-2025-40552 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40552 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | 2026-01-28 | 9.8 | CVE-2025-40553 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40553 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk. | 2026-01-28 | 9.8 | CVE-2025-40554 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40554 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality. | 2026-01-28 | 8.1 | CVE-2025-40536 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40536 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. | 2026-01-28 | 7.5 | CVE-2025-40537 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40537 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| Sonarqube--SonarQube | SonarQube 8.3.1 contains an unquoted service path vulnerability that allows local attackers to gain SYSTEM privileges by exploiting the service executable path. Attackers can replace the wrapper.exe in the service path with a malicious executable to execute code with highest system privileges during service restart. | 2026-01-29 | 7.8 | CVE-2020-37020 | ExploitDB-48677 SonarQube Official Homepage VulnCheck Advisory: SonarQube 8.3.1 - Unquoted Service Path |
| Squidex--squidex | Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restrict destination IP addresses. It accepts local addresses such as 127.0.0.1 or localhost. When a rule is triggered (Either manual trigger by manually calling the trigger endpoint or by a content update or any other triggers), the backend server executes an HTTP request to the user-supplied URL. Crucially, the server logs the full HTTP response in the rule execution log (lastDump field), which is accessible via the API. Which turns a "Blind" SSRF into a "Full Read" SSRF. As of time of publication, no patched versions are available. | 2026-01-27 | 9.1 | CVE-2026-24736 | https://github.com/Squidex/squidex/security/advisories/GHSA-wxg2-953m-fg2w |
| sunnygkp10--Online-Exam-System | Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate user password characters. | 2026-01-30 | 8.2 | CVE-2020-37051 | ExploitDB-48560 Software Repository VulnCheck Advisory: Online-Exam-System 2015 - 'feedback' SQL Injection |
| sunnygkp10--Online-Exam-System | Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information. | 2026-01-30 | 8.2 | CVE-2020-37057 | ExploitDB-48529 Software Repository VulnCheck Advisory: Online-Exam-System 2015 - 'fid' SQL Injection |
| Techraft--Digital Multivendor Marketplace Online Store | Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system. | 2026-02-01 | 8.1 | CVE-2021-47909 | Vulnerability Lab Advisory Product Homepage Product Homepage VulnCheck Advisory: Mult-E-Cart Ultimate 2.4 SQL Injection via Vulnerable ID Parameters |
| telnet-lite--Mocha Telnet Lite for iOS | Mocha Telnet Lite for iOS 4.2 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the user configuration input. Attackers can overwrite the 'User' field with 350 bytes of repeated characters to trigger an application crash and prevent normal functionality. | 2026-01-29 | 7.5 | CVE-2020-36995 | ExploitDB-48728 Official App Store Page for Mocha Telnet Lite VulnCheck Advisory: Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service |
| Tenda--AC21 | A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function fromAdvSetMacMtuWan of the file /goform/AdvSetMacMtuWan. The manipulation leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-01-29 | 8.8 | CVE-2026-1637 | VDB-343416 | Tenda AC21 AdvSetMacMtuWan fromAdvSetMacMtuWan stack-based overflow VDB-343416 | CTI Indicators (IOB, IOC, IOA) Submit #740865 | Tenda AC21 V16.03.08.16 Buffer Overflow https://github.com/LX-LX88/cve/issues/25 https://www.tenda.com.cn/ |
| Tenda--AC23 | A flaw has been found in Tenda AC23 16.03.07.52. This impacts an unknown function of the file /goform/WifiExtraSet. This manipulation of the argument wpapsk_crypto causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-26 | 8.8 | CVE-2026-1420 | VDB-342836 | Tenda AC23 WifiExtraSet buffer overflow VDB-342836 | CTI Indicators (IOB, IOC, IOA) Submit #736559 | Tenda AC23 V16.03.07.52 Buffer Overflow https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow_WifiExtraSet/Tenda%20AC23_Buffer_Overflow_WifiExtraSet.md https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow_WifiExtraSet/Tenda%20AC23_Buffer_Overflow_WifiExtraSet.md#poc https://www.tenda.com.cn/ |
| Tenda--AX12 Pro V2 | A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used. | 2026-01-29 | 8.1 | CVE-2026-1610 | VDB-343378 | Tenda AX12 Pro V2 Telnet Service hard-coded credentials VDB-343378 | CTI Indicators (IOB, IOC, TTP) Submit #740766 | Tenda AX12 pro V2 V16.03.49.24_cn Hard-coded Credentials https://github.com/QIU-DIE/CVE/issues/49 https://www.tenda.com.cn/ |
| Tenda--HG10 | A weakness has been identified in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-30 | 7.3 | CVE-2026-1687 | VDB-343481 | Tenda HG10 Boa Webserver formSamba command injection VDB-343481 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741281 | Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSamba-serverString-command.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSamba-serverString-command.md#poc https://www.tenda.com.cn/ |
| Tenda--HG10 | A vulnerability was detected in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. The impacted element is the function checkUserFromLanOrWan of the file /boaform/admin/formLogin of the component Login Interface. The manipulation of the argument Host results in command injection. The attack can be launched remotely. The exploit is now public and may be used. | 2026-01-30 | 7.3 | CVE-2026-1689 | VDB-343483 | Tenda HG10 Login formLogin checkUserFromLanOrWan command injection VDB-343483 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741411 | Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formLogin-Host-command.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formLogin-Host-command.md#poc https://www.tenda.com.cn/ |
| Tendenci--Tendenci | Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications. | 2026-01-28 | 9.8 | CVE-2020-36962 | ExploitDB-49145 Official Vendor Homepage Tendenci GitHub Repository VulnCheck Advisory: Tendenci 12.3.1 - CSV/ Formula Injection |
| Testa--Testa Online Test Management System | Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially accessing sensitive user or system data. | 2026-01-27 | 8.2 | CVE-2021-47902 | ExploitDB-49194 Archived Vendor Homepage VulnCheck Advisory: Testa Online Test Management System 3.4.7 - 'q' SQL Injection |
| themrdemonized--xray-monolith | Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith. This issue affects xray-monolith: before 2025.12.30. | 2026-01-27 | 9.1 | CVE-2026-24874 | https://github.com/themrdemonized/xray-monolith/pull/399 |
| tigroumeow--AI Engine The Chatbot and AI Framework for WordPress | The AI Engine - The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory. | 2026-01-28 | 7.2 | CVE-2026-1400 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d5227269-4406-4fcf-af37-f1db0af857d6?source=cve https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1104 https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1141 https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/rest.php |
| Tildeslash Ltd.--M/Monit | M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standard user account. | 2026-01-28 | 8.8 | CVE-2020-36969 | ExploitDB-49080 M/Monit Official Vendor Homepage VulnCheck Advisory: M/Monit 3.7.4 - Privilege Escalation |
| TimeClock Software--TimeClock Software | TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. Attackers can inject conditional time delays in the add_entry.php endpoint to determine user existence by measuring response time differences. | 2026-01-29 | 7.1 | CVE-2020-37005 | ExploitDB-48874 Archived Product Homepage VulnCheck Advisory: TimeClock Software 1.01 Authenticated Time-Based SQL Injection |
| Totolink--A3600R | A security flaw has been discovered in Totolink A3600R 5.9c.4959. This issue affects the function setAppEasyWizardConfig in the library /lib/cste_modules/app.so. Performing a manipulation of the argument apcliSsid results in buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-30 | 8.8 | CVE-2026-1686 | VDB-343480 | Totolink A3600R app.so setAppEasyWizardConfig buffer overflow VDB-343480 | CTI Indicators (IOB, IOC, IOA) Submit #740888 | TOTOLINK A3600R V5.9c.4959 Buffer Overflow https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A3600R/4959-apcliSsid-setAppEasyWizardConfig.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A3600R/4959-apcliSsid-setAppEasyWizardConfig.md#poc https://www.totolink.net/ |
| TrustTunnel--TrustTunnel | TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) => peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114. | 2026-01-29 | 7.1 | CVE-2026-24902 | https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76 https://github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0 |
| TryGhost--Ghost | Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version. | 2026-01-27 | 8.8 | CVE-2026-24778 | https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h https://github.com/TryGhost/Ghost/commit/da858e640e88e69c1773a7b7ecdc2008fa143849 |
| Tucows Inc.--Audio Playback Recorder | Audio Playback Recorder 3.2.2 contains a local buffer overflow vulnerability in the eject and registration parameters that allows attackers to execute arbitrary code. Attackers can craft malicious payloads and overwrite Structured Exception Handler (SEH) to execute shellcode when pasting specially crafted input into the application's input fields. | 2026-01-29 | 8.4 | CVE-2020-37013 | ExploitDB-48796 Archived Researcher Proof of Concept Video Product Software Archive VulnCheck Advisory: Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH) |
| Tucows--Easy CD & DVD Cover Creator | Easy CD & DVD Cover Creator 4.13 contains a buffer overflow vulnerability in the serial number input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the serial number field to trigger an application crash. | 2026-01-27 | 9.8 | CVE-2020-36940 | ExploitDB-49337 VulnCheck Advisory: Easy CD & DVD Cover Creator 4.13 - Denial of Service |
| Ubiquiti, Inc.--AirControl | AirControl 1.4.2 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through malicious Java expression injection. Attackers can exploit the /.seam endpoint by crafting a specially constructed URL with embedded Java expressions to run commands with the application's system privileges. | 2026-01-30 | 9.8 | CVE-2020-37052 | ExploitDB-48541 Vendor Homepage VulnCheck Advisory: AirControl 1.4.2 - PreAuth Remote Code Execution |
| Veritas--NetBackup | Veritas NetBackup 7.0 contains an unquoted service path vulnerability in the NetBackup INET Daemon service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe to inject malicious code that would execute with elevated LocalSystem privileges. | 2026-02-01 | 7.8 | CVE-2020-37045 | ExploitDB-48227 Veritas Official Homepage VulnCheck Advisory: NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path |
| VeryPDF.com, Inc.--docPrint Pro | docPrint Pro 8.0 contains a local buffer overflow vulnerability in the 'Add URL' input field that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload that triggers a structured exception handler (SEH) overwrite to execute shellcode and gain remote system access. | 2026-01-28 | 8.4 | CVE-2020-36965 | ExploitDB-49100 Vendor Homepage VulnCheck Advisory: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter) |
| VestaCP--VestaCP | VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions. | 2026-01-27 | 9.8 | CVE-2020-36948 | ExploitDB-49219 VestaCP Official Homepage Vulnerability Lab Advisory Benjamin Kunz Mejri Profile VulnCheck Advisory: VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation |
| VictorAlagwu--CMSsite | Victor CMS 1.0 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the profile image upload feature. Attackers can upload a PHP shell to the /img directory and execute system commands by accessing the uploaded file via web browser. | 2026-01-27 | 8.8 | CVE-2020-36942 | ExploitDB-49310 Victor CMS Project Repository VulnCheck Advisory: Victor CMS 1.0 - File Upload To RCE |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue. | 2026-01-27 | 7.1 | CVE-2026-24779 | https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc https://github.com/vllm-project/vllm/pull/32746 https://github.com/vllm-project/vllm/commit/f46d576c54fb8aeec5fc70560e850bed38ef17d7 |
| WEBDAMN.COM--WebDamn User Registration & Login System with User Panel | WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload '<email>' OR '1'='1' in both username and password fields to gain unauthorized access to the user panel. | 2026-01-28 | 8.2 | CVE-2020-36945 | ExploitDB-49170 Vendor Homepage Software Product Page VulnCheck Advisory: WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass |
| Weird Solutions--DHCP Turbo | DHCP Turbo 4.61298 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can place malicious executables in the service path to gain elevated privileges when the service starts. | 2026-02-01 | 7.8 | CVE-2020-37062 | ExploitDB-48080 Vendor Homepage VulnCheck Advisory: DHCP Turbo 4.6.1298- 'DHCP Turbo 4' Unquoted Service Path |
| Weird-Solutions--BOOTP Turbo | BOOTP Turbo 2.0.1214 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted executable path to inject malicious code that will be executed when the service starts with LocalSystem permissions. | 2026-02-01 | 7.8 | CVE-2020-37061 | ExploitDB-48078 Vendor Homepage VulnCheck Advisory: BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path |
| Weird-Solutions--TFTP Turbo | TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. | 2026-02-01 | 7.8 | CVE-2020-37063 | ExploitDB-48085 Vendor Homepage VulnCheck Advisory: TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path |
| WellChoose--Single Sign-On Portal System | Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2026-01-26 | 8.8 | CVE-2026-1427 | https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html https://www.twcert.org.tw/en/cp-139-10655-59160-2.html |
| WellChoose--Single Sign-On Portal System | Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2026-01-26 | 8.8 | CVE-2026-1428 | https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html https://www.twcert.org.tw/en/cp-139-10655-59160-2.html |
| Wibu--CodeMeter | CodeMeter 6.60 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CodeMeter Runtime Server service to inject malicious code that would execute with LocalSystem permissions. | 2026-01-29 | 7.8 | CVE-2020-37017 | ExploitDB-48735 CodeMeter Runtime Product Homepage VulnCheck Advisory: CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path |
| WinAVR--WinAVR | WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory. | 2026-01-27 | 8.8 | CVE-2020-36938 | ExploitDB-49379 WinAVR Official Project Homepage VulnCheck Advisory: WinAVR Version 20100110 - Insecure Folder Permissions |
| WinFrigate--Frigate 2 | Frigate 2.02 contains a denial of service vulnerability that allows attackers to crash the application by sending oversized input to the command line interface. Attackers can generate a payload of 8000 repeated characters and paste it into the application's command line field to trigger an application crash. | 2026-01-30 | 7.5 | CVE-2020-37039 | ExploitDB-48613 Archived Vendor Homepage VulnCheck Advisory: Frigate 2.02 - Denial Of Service |
| WinFrigate--Frigate 3 Professional | Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the 'Find Computer' feature that allows attackers to execute arbitrary code by overflowing the computer name input field. Attackers can craft a malicious payload that triggers a buffer overflow, enabling code execution and launching calculator as a proof of concept. | 2026-01-30 | 8.4 | CVE-2020-37042 | ExploitDB-48579 Archived Vendor Homepage VulnCheck Advisory: Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow |
| WinFrigate--Frigate 3 Professional | Frigate 3.36.0.9 contains a local buffer overflow vulnerability in the Command Line input field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload to overflow the buffer, bypass DEP, and execute commands like launching calc.exe through a specially crafted input sequence. | 2026-01-30 | 8.4 | CVE-2020-37049 | ExploitDB-48563 Archived Vendor Homepage VulnCheck Advisory: Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow |
| Wing FTP Server--Wing FTP Server | Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function. | 2026-01-30 | 8.8 | CVE-2020-37032 | ExploitDB-48676 Wing FTP Server Official Homepage VulnCheck Advisory: Wing FTP Server 6.3.8 - Remote Code Execution |
| Wondershare--Wondershare Driver Install Service help | Wondershare Driver Install Service contains an unquoted service path vulnerability in the ElevationService executable that allows local attackers to potentially inject malicious code. Attackers can exploit the unquoted path to replace the service binary with a malicious executable, enabling privilege escalation to LocalSystem account. | 2026-01-27 | 7.8 | CVE-2020-36977 | ExploitDB-49101 Vendor Homepage Software Product Page VulnCheck Advisory: Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path |
| wpcreatix--VidShop Shoppable Videos for WooCommerce | The VidShop - Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-28 | 7.5 | CVE-2026-0702 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a61d8d2a-742f-45f1-9146-f733b80ef195?source=cve https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L224 https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L297 https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/utils/class-query-builder.php#L778 https://plugins.trac.wordpress.org/changeset/3441106/ |
| yoyofr--modizer | Integer Overflow or Wraparound vulnerability in yoyofr modizer. This issue affects modizer: before 4.1.1. | 2026-01-27 | 7.8 | CVE-2026-24875 | https://github.com/yoyofr/modizer/pull/133 |
| zalando--skipper | Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions. | 2026-01-26 | 8.1 | CVE-2026-24470 | https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9 https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219 https://kubernetes.io/docs/concepts/services-networking/service/#externalname |
| Zortam.com--Zortam Mp3 Media Studio | Zortam Mp3 Media Studio 27.60 contains a buffer overflow vulnerability in the library creation file selection process that allows remote code execution. Attackers can craft a malicious text file with shellcode to trigger a structured exception handler (SEH) overwrite and execute arbitrary commands on the target system. | 2026-01-28 | 9.8 | CVE-2020-36967 | ExploitDB-49084 Zortam Official Homepage Zortam Software Download Page VulnCheck Advisory: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH) |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 2100 Technology--Official Document Management System | Official Document Management System developed by 2100 Technology has a Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official documents. | 2026-01-28 | 6.5 | CVE-2026-1514 | https://www.twcert.org.tw/tw/cp-132-10658-c5a07-1.html https://www.twcert.org.tw/en/cp-139-10659-264cd-2.html |
| Adikiss--Sistem Informasi Pengumuman Kelulusan Online | Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative accounts without the victim's consent. | 2026-01-30 | 5.3 | CVE-2020-37046 | ExploitDB-48571 Vendor Homepage Software Download Page VulnCheck Advisory: Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery |
| ajay138--Knap Advanced PHP Login | Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. Attackers can exploit the vulnerability to execute arbitrary scripts in users and activity log backend modules, potentially leading to session hijacking and persistent phishing attacks. | 2026-02-01 | 6.4 | CVE-2022-50940 | Vulnerability Lab Advisory Laravel & Vue.js VulnCheck Advisory: Knap Advanced PHP Login 3.1.3 Persistent Cross-Site Scripting via Name Parameter |
| Akn Software Computer Import Export Industry and Trade Ltd.--QR Menu | Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation. This issue affects QR Menu: before s1.05.12. | 2026-01-29 | 5.7 | CVE-2025-7015 | https://www.usom.gov.tr/bildirim/tr-26-0006 |
| Author: Scott Ferreira--Free Photo & Video Vault - WiFi Transfer | Free Photo & Video Vault 0.0.2 contains a directory traversal web vulnerability that allows remote attackers to manipulate application path requests and access sensitive system files. Attackers can exploit the vulnerability without privileges to retrieve environment variables and access unauthorized system paths. | 2026-02-01 | 6.5 | CVE-2021-47921 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Free Photo & Video Vault 0.0.2 Directory Traversal Vulnerability via Web Request |
| ays-pro--Popup Box Create Countdown, Coupon, Video, Contact Form Popups | The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. | 2026-01-31 | 4.3 | CVE-2026-1165 | https://www.wordfence.com/threat-intel/vulnerabilities/id/585a9eb4-f394-4cb2-9050-659171a994d9?source=cve https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/admin/partials/ays-pb-admin-display.php#L22 https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/includes/lists/class-ays-pb-list-table.php#L701 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3439514@ays-popup-box/tags/6.1.1/&new=3444612@ays-popup-box/tags/6.1.2/ |
| B&R Industrial Automation GmbH--Process Visualization Interface (PVI) | An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. The logging function of the PVI client application is disabled by default and must be explicitly enabled by the user. | 2026-01-29 | 5 | CVE-2026-0936 | https://www.br-automation.com/fileadmin/SA26P001-2862434c.pdf |
| backstage--backstage | Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, a path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with `techdocs.generator.runIn: local`. When processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation. This vulnerability is fixed in` @backstage/plugin-techdocs-node` versions 1.13.11 and 1.14.1. Some workarounds are available. Switch to `runIn: docker` in `app-config.yaml` and/or restrict write access to TechDocs source repositories to trusted users only. | 2026-01-30 | 5.3 | CVE-2026-25152 | https://github.com/backstage/backstage/security/advisories/GHSA-w669-jj7h-88m9 |
| Banco de Guayaquil--Banco Guayaquil | Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST request that executes on application review without user interaction. | 2026-02-01 | 6.4 | CVE-2022-50952 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Banco Guayaquil 8.0.0 Mobile iOS Cross-Site Scripting via Profile Name Input |
| Bdtask--Bhojon All-In-One Restaurant Management System | A vulnerability was determined in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The affected element is an unknown function of the file /hungry/placeorder of the component Checkout. Executing a manipulation of the argument orggrandTotal/vat/service_charge/grandtotal can lead to business logic errors. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 4.3 | CVE-2026-1599 | VDB-343361 | Bdtask Bhojon All-In-One Restaurant Management System Checkout placeorder logic error VDB-343361 | CTI Indicators (IOB, IOC, IOA) Submit #740740 | Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors https://github.com/4m3rr0r/PoCVulDb/issues/13 https://www.youtube.com/watch?v=n7xLBAOrKAU |
| Bdtask--Bhojon All-In-One Restaurant Management System | A vulnerability was identified in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The impacted element is an unknown function of the file /hungry/addtocart of the component Add-to-Cart Submission Endpoint. The manipulation of the argument price/allprice leads to business logic errors. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 4.3 | CVE-2026-1600 | VDB-343362 | Bdtask Bhojon All-In-One Restaurant Management System Add-to-Cart Submission Endpoint addtocart logic error VDB-343362 | CTI Indicators (IOB, IOC, IOA) Submit #740741 | Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors https://github.com/4m3rr0r/PoCVulDb/issues/14 https://www.youtube.com/watch?v=UESZTjVS4Fs |
| Bdtask--SalesERP | A vulnerability has been found in Bdtask SalesERP up to 20260116. This issue affects some unknown processing of the component Administrative Endpoint. Such manipulation of the argument ci_session leads to improper authorization. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 6.3 | CVE-2026-1597 | VDB-343359 | Bdtask SalesERP Administrative Endpoint improper authorization VDB-343359 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740735 | Bdtask SalesERP -- AI-Powered ERP Software For Small Business Unknown Broken Access Control / Privilege Escalation https://github.com/4m3rr0r/PoCVulDb/issues/11 https://www.youtube.com/watch?v=KSducixS3pk |
| Beckhoff Automation--Beckhoff.Device.Manager.XAR | A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response. | 2026-01-27 | 5.3 | CVE-2025-41728 | https://certvde.com/de/advisories/VDE-2025-092 |
| Beetel--777VR1 | A vulnerability was detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. Impacted is an unknown function of the component UART Interface. The manipulation results in missing authentication. An attack on the physical device is feasible. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-26 | 6.4 | CVE-2026-1410 | VDB-342799 | Beetel 777VR1 UART missing authentication VDB-342799 | CTI Indicators (IOB, IOC) Submit #739433 | Beetel Beetel 777VR1 Broadband Router Firmware Versions: V01.00.09 / V01.00.09_55 CWE-306” Missing Authentication for Critical Function https://gist.github.com/raghav20232023/96a6b13ab00c493d21362e744627ea9f |
| Beetel--777VR1 | A flaw has been found in Beetel 777VR1 up to 01.00.09/01.00.09_55. The affected element is an unknown function of the component UART Interface. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-26 | 6.1 | CVE-2026-1411 | VDB-342800 | Beetel 777VR1 UART access control VDB-342800 | CTI Indicators (IOB, IOC, TTP) Submit #740674 | Beetel Beetel 777VR1 Broadband Router Firmware Versions: V01.00.09 / V01.00.09_55 CWE-284” Improper Access Control https://gist.github.com/raghav20232023/ea6adcd6d1eca35683570a1094164bd3 |
| bfintal--Interactions Create Interactive Experiences in the Block Editor | The Interactions - Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-12709 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab97f125-3a4a-4293-b218-07586c1c021c?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448073%40interactions&new=3448073%40interactions |
| birkir--prime | birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query parameters. | 2026-01-29 | 5.3 | CVE-2025-15550 | GitHub Issue #547 VulnCheck Advisory: birkir prime <= 0.4.0.beta.0 - Cross-Site Request Forgery in GraphQL |
| bobthecow--psysh | PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working Directory (CWD) on startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim's context. When the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation. This is a CWD configuration poisoning issue leading to arbitrary code execution in the victim user's context. If a privileged user (e.g., root, a CI runner, or an ops/debug account) launches PsySH with CWD set to an attacker-writable directory containing a malicious `.psysh.php`, the attacker can execute commands with that privileged user's permissions, resulting in local privilege escalation. Downstream consumers that embed PsySH inherit this risk. For example, Laravel Tinker (`php artisan tinker`) uses PsySH. If a privileged user runs Tinker while their shell is in an attacker-writable directory, the `.psysh.php` auto-load behavior can be abused in the same way to execute attacker-controlled code under the victim's privileges. Versions 0.11.23 and 0.12.19 patch the issue. | 2026-01-30 | 6.7 | CVE-2026-25129 | https://github.com/bobthecow/psysh/security/advisories/GHSA-4486-gxhx-5mg7 https://github.com/bobthecow/psysh/releases/tag/v0.11.23 https://github.com/bobthecow/psysh/releases/tag/v0.12.19 |
| bolo-solo--bolo-solo | A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-01-30 | 6.3 | CVE-2026-1691 | VDB-343485 | bolo-solo SnakeYAML BackupService.java importMarkdownsSync deserialization VDB-343485 | CTI Indicators (IOB, IOC, IOA) Submit #741899 | bolo-solo V2.6.4 SnakeYAML deserialization vulnerability https://github.com/bolo-blog/bolo-solo/issues/325 https://github.com/bolo-blog/bolo-solo/issues/325#issue-3828755519 |
| bplugins--Document Embedder Embed PDFs, Word, Excel, and Other Files | The Document Embedder - Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter. | 2026-01-28 | 5.3 | CVE-2026-1389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59d14f6c-6286-454c-8629-96a0c2de943c?source=cve https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L66 https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L103 https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L159 https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.5/includes/DocumentLibrary/Init-DocumentLibrary.php |
| Broadcom--Symantec Endpoint Protection Windows Client | Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | 2026-01-28 | 6.7 | CVE-2025-13918 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36774 |
| Broadcom--Symantec Endpoint Protection Windows Client | Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking COM references in the Windows Registry. | 2026-01-28 | 4.4 | CVE-2025-13919 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36774 |
| Brother Industries, Ltd.--Multiple MFPs | Hidden functionality issue exists in multiple MFPs provided by Brother Industries, Ltd., which may allow an attacker to obtain the logs of the affected product and obtain sensitive information within the logs. | 2026-01-29 | 5.3 | CVE-2025-55704 | https://faq.brother.co.jp/app/answers/detail/a_id/13716 https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2026-0001.pdf https://jvn.jp/en/vu/JVNVU92878805/ |
| Bun--Bun | In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github). | 2026-01-27 | 5.9 | CVE-2026-24910 | https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack https://bun.com/blog/bun-v1.3.5 https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act |
| chainguard-dev--malcontent | malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI image reference. malcontent uses google/go-containerregistry for OCI image pulls, which by default uses the Docker credential keychain. A malicious registry could return a `WWW-Authenticate` header redirecting token authentication to an attacker-controlled endpoint, causing credentials to be sent to that endpoint. Version 1.20.3 fixes the issue by defaulting to anonymous auth for OCI pulls. | 2026-01-29 | 6.5 | CVE-2026-24845 | https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-9m43-p3cx-w8j5 https://github.com/chainguard-dev/malcontent/commit/538ed00cdc639d687a4bd1e843a2be0428a3b3e7 |
| chainguard-dev--malcontent | malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory. | 2026-01-29 | 5.5 | CVE-2026-24846 | https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96 https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017 |
| chrisnowak--Change WP URL | The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2026-1398 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f5dead05-5960-4ccb-89c2-c8bb0cd9c9e9?source=cve https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L18 https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L18 https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L85 https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L85 |
| code-projects--Online Examination System | A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2026-01-26 | 6.3 | CVE-2026-1423 | VDB-342839 | code-projects Online Examination System admin_pic.php unrestricted upload VDB-342839 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736607 | code-projects Online Examination System 1 Unrestricted Upload https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-3-remote-code-execution-via-unsafe-file-upload https://code-projects.org/ |
| code-projects--Online Music Site | A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminAddCategory.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. | 2026-01-28 | 4.7 | CVE-2026-1533 | VDB-343219 | code-projects Online Music Site AdminAddCategory.php sql injection VDB-343219 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #738704 | Code-Projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/yuji0903/silver-guide/issues/2 https://code-projects.org/ |
| codeccoop--Forms Bridge Infinite integrations | The Forms Bridge - Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in the 'financoop_campaign' shortcode in all versions up to, and including, 4.2.5. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' parameter in the forms_bridge_financoop_shortcode_error function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2026-1244 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e047822-5766-4e7f-be89-f4a15f0e6d51?source=cve https://plugins.trac.wordpress.org/browser/forms-bridge/trunk/addons/financoop/shortcodes.php#L389 https://plugins.trac.wordpress.org/browser/forms-bridge/tags/4.2.3/addons/financoop/shortcodes.php#L389 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3446693%40forms-bridge&new=3446693%40forms-bridge&sfp_email=&sfph_mail=#file1 |
| codepeople--Appointment Hour Booking Booking Calendar | The Appointment Hour Booking - Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' and 'Max length/characters' field configuration values. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the form builder interface. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1083 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a5cb1fea-134f-4c81-8f2f-76ee42df7f77?source=cve https://plugins.trac.wordpress.org/browser/appointment-hour-booking/trunk/js/fields-admin/01_fbuilder.ftext.js#L64 https://plugins.trac.wordpress.org/browser/appointment-hour-booking/tags/1.5.57/js/fields-admin/01_fbuilder.ftext.js#L64 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442650%40appointment-hour-booking&new=3442650%40appointment-hour-booking&sfp_email=&sfph_mail= |
| CriticalGears--PayPal PRO Payment Terminal | Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or phishing attacks. | 2026-02-01 | 6.4 | CVE-2021-47885 | Vulnerability Lab Advisory Product Homepage Product Homepage Product Homepage VulnCheck Advisory: Payment Terminal Multiple Versions Non-Persistent Cross-Site Scripting |
| crmperks--Database for Contact Form 7, WPforms, Elementor forms | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions. | 2026-01-28 | 5.3 | CVE-2026-0825 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4048ae11-fece-42aa-baf3-c636c4875635?source=cve https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L76 https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.4.5/contact-form-entries.php#L76 https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L301 https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/templates/leads-table.php#L10 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442962%40contact-form-entries&new=3442962%40contact-form-entries&sfp_email=&sfph_mail= |
| D-Link--DCS700l | A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-26 | 4.7 | CVE-2026-1419 | VDB-342815 | D-Link DCS700l Web Form setDayNightMode command injection VDB-342815 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736554 | D-Link DCS700l v1.03.09 Command Injection https://tzh00203.notion.site/D-Link-DCS700l-v1-03-09-Command-Injection-Vulnerability-in-LightSensorControl-Parameter-2e6b5c52018a80ada0f6d7e72efd7a45?source=copy_link https://www.dlink.com/ |
| D-Link--DIR-823X | A security flaw has been discovered in D-Link DIR-823X 250416. Impacted is the function sub_41E2A0 of the file /goform/set_mode. Performing a manipulation of the argument lan_gateway results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 6.3 | CVE-2026-1544 | VDB-343228 | D-Link DIR-823X set_mode sub_41E2A0 os command injection VDB-343228 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #739155 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/16 https://www.dlink.com/ |
| D-Link--DWR-M961 | A flaw has been found in D-Link DWR-M961 1.1.47. This vulnerability affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. This manipulation of the argument fota_url causes command injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. | 2026-01-29 | 6.3 | CVE-2026-1596 | VDB-343358 | D-Link DWR-M961 formLtefotaUpgradeQuectel sub_419920 command injection VDB-343358 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740693 | D-Link DWR-M961 V1.1.47 Command Injection https://github.com/QIU-DIE/CVE/issues/48 https://www.dlink.com/ |
| D-Link--DWR-M961 | A security vulnerability has been detected in D-Link DWR-M961 1.1.47. The affected element is an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-29 | 6.3 | CVE-2026-1624 | VDB-343383 | D-Link DWR-M961 formLtefotaUpgradeFibocom command injection VDB-343383 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740770 | D-Link DWR-M961 V1.1.47 Command Injection https://github.com/QIU-DIE/CVE/issues/50 https://www.dlink.com/ |
| D-Link--DWR-M961 | A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the argument action_value results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2026-01-29 | 6.3 | CVE-2026-1625 | VDB-343384 | D-Link DWR-M961 SMS Message formSmsManage sub_4250E0 command injection VDB-343384 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740792 | D-Link DW V1.1.47 Command Injection https://github.com/QIU-DIE/CVE/issues/51 https://www.dlink.com/ |
| dcooney--Ajax Load More Infinite Scroll, Load More, & Lazy Load | The Ajax Load More - Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts. | 2026-01-31 | 5.3 | CVE-2025-15525 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d01f4e67-a463-4973-97b1-41a64398686a?source=cve https://plugins.trac.wordpress.org/browser/ajax-load-more/tags/7.8.1/core/classes/class-alm-queryargs.php#L500 |
| Dell--OpenManage Network Integration | Dell OpenManage Network Integration, versions prior to 3.9, contains an Improper Authentication vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 2026-01-29 | 4.3 | CVE-2026-22764 | https://www.dell.com/support/kbdoc/en-us/000420893/dsa-2026-045-security-update-for-dell-openmanage-network-integration-omni-vulnerabilities |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature. | 2026-01-28 | 6.9 | CVE-2025-68933 | https://github.com/discourse/discourse/security/advisories/GHSA-hpxv-mw7v-fqg2 |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path. | 2026-01-28 | 6.5 | CVE-2025-68934 | https://github.com/discourse/discourse/security/advisories/GHSA-vwjh-vrx9-9849 |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance has been upgraded to a version that has been patched. | 2026-01-28 | 6.5 | CVE-2026-21865 | https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39 |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access. | 2026-01-28 | 6.5 | CVE-2026-24742 | https://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6 |
| discourse--discourse | Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 fix the issue. As a workaround, disallow html or xml files for uploads in authorized_extensions. For existing html xml uploads, site owners can consider deleting them. | 2026-01-28 | 4.6 | CVE-2025-66488 | https://github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rx |
| discourse--discourse | Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX. | 2026-01-28 | 4.6 | CVE-2025-67723 | https://github.com/discourse/discourse/security/advisories/GHSA-955h-m28g-5379 |
| discourse--discourse | Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | 4.3 | CVE-2025-68659 | https://github.com/discourse/discourse/security/advisories/GHSA-rmp6-c9rq-6q7p |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 6.8 | CVE-2026-24784 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-jjwg-4948-6wxp |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue. | 2026-01-28 | 4.7 | CVE-2026-24839 | https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q https://github.com/Dokploy/dokploy/pull/3500 https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8 |
| Dolibarr--Dolibarr | Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to execute arbitrary JavaScript and potentially steal user cookie information. | 2026-01-30 | 6.4 | CVE-2020-36966 | ExploitDB-48504 Official Dolibarr Product Homepage VulnCheck Advisory: Dolibarr 11.0.3 - 'ldap.php' - Persistent Cross-Site Scripting |
| Eclipse Foundation--Eclipse ThreadX - USBX | The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. This recursion occurs in _ux_host_class_storage_partition_read(), which parses up to four partition entries. If an extended partition is found (with type UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), the code invokes: _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...)); There is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs. | 2026-01-27 | 4.2 | CVE-2025-55095 | https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-qfmp-wch9-rpv2 |
| Esri--ArcGIS Pro | There is a Cross Site Scripting issue in Esri ArcGIS Pro versions 3.6.0 and earlier. A local attacker could supply malicious strings into ArcGIS Pro which may execute when a specific dialog is opened. This issue is fixed in ArcGIS Pro 3.6.1. | 2026-01-26 | 5 | CVE-2026-1446 | https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch |
| EVerest--everest-core | EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with illegitimate data.cThanks to the modular design of EVerest, authorization is handled in a separate module and EVSEManager Charger internal state machine cannot transition out of the `WaitingForAuthentication` state through ISO 15118-2 communication. From this state, it was however possible through ISO 15118-2 messages which are published to the MQTT server to trick it into preparing to charge, and even to prepare to send current. The final requirement to actually send current to the EV was the closure of the contactors, which does not appear to be possible without leaving the `WaitingForAuthentication` state and leveraging ISO 15118-2 messages. As of time of publication, no fixed versions are available. | 2026-01-26 | 4.3 | CVE-2026-24003 | https://github.com/EVerest/everest-core/security/advisories/GHSA-9vv5-67cv-9crq https://github.com/EVerest/everest-core/blob/main/modules/EVSE/EvseV2G/iso_server.cpp#L44 |
| Filigran--OpenCTI | OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For example, a request to /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10. | 2026-01-30 | 5.4 | CVE-2020-37044 | ExploitDB-48595 OpenCTI Official Homepage OpenCTI GitHub Repository VulnCheck Advisory: OpenCTI 3.3.1 - Cross Site Scripting |
| forma--E-Learning Suite | Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization. | 2026-01-30 | 6.4 | CVE-2020-36998 | ExploitDB-48478 Vendor Homepage Software Download Link VulnCheck Advisory: forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting |
| Formalms--Forma LMS | Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '<script>alert(document.cookie)</script>' to execute arbitrary JavaScript when the profile is viewed by other users. | 2026-01-26 | 6.4 | CVE-2020-36960 | ExploitDB-49197 Official Product Website VulnCheck Advisory: Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting |
| Free5GC--SMF | A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been published and may be used. A patch should be applied to remediate this issue. | 2026-01-30 | 5.3 | CVE-2026-1682 | VDB-343475 | Free5GC SMF PFCP UDP Endpoint handler.go HandlePfcpAssociationReleaseRequest null pointer dereference VDB-343475 | CTI Indicators (IOB, IOC, IOA) Submit #739508 | free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/794 https://github.com/free5gc/free5gc/issues/794#issuecomment-3761063382 https://github.com/free5gc/free5gc/issues/794#issue-3811888505 https://github.com/free5gc/smf/pull/188 |
| Free5GC--SMF | A vulnerability has been found in Free5GC SMF up to 4.1.0. Affected by this vulnerability is the function HandlePfcpSessionReportRequest of the file internal/pfcp/handler/handler.go of the component PFCP. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. To fix this issue, it is recommended to deploy a patch. | 2026-01-30 | 5.3 | CVE-2026-1683 | VDB-343476 | Free5GC SMF PFCP handler.go HandlePfcpSessionReportRequest denial of service VDB-343476 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #739653 | free5gc SMF v4.1.0 Denial of Service Submit #739654 | free5gc SMF v4.1.0 Denial of Service (Duplicate) https://github.com/free5gc/free5gc/issues/804 https://github.com/free5gc/free5gc/issues/804#issue-3816086696 https://github.com/free5gc/smf/pull/188 |
| Free5GC--SMF | A vulnerability was found in Free5GC SMF up to 4.1.0. Affected by this issue is the function HandleReports of the file /internal/context/pfcp_reports.go of the component PFCP UDP Endpoint. The manipulation results in denial of service. The attack can be executed remotely. It is advisable to implement a patch to correct this issue. | 2026-01-30 | 5.3 | CVE-2026-1684 | VDB-343477 | Free5GC SMF PFCP UDP Endpoint pfcp_reports.go HandleReports denial of service VDB-343477 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #739655 | free5gc SMF v4.1.0 Denial of Service Submit #739656 | free5gc SMF v4.1.0 Denial of Service (Duplicate) https://github.com/free5gc/free5gc/issues/806 https://github.com/free5gc/smf/pull/188 |
| Froxlor--Froxlor Froxlor Server Management Panel | Froxlor Server Management Panel 0.10.16 contains a persistent cross-site scripting vulnerability in customer registration input fields. Attackers can inject malicious scripts through username, name, and firstname parameters to execute code when administrators view customer traffic modules. | 2026-01-27 | 6.4 | CVE-2020-36978 | ExploitDB-49063 Official Froxlor Homepage Froxlor Download Page Vulnerability Lab Advisory Vulnerability Lab Profile Researcher Profile VulnCheck Advisory: Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting |
| Getgrav--Grav CMS Admin Plugin | Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page is viewed in the admin panel or on the site. | 2026-01-26 | 6.4 | CVE-2020-36955 | ExploitDB-49264 Grav CMS Official Homepage VulnCheck Advisory: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting |
| gi-docgen--gi-docgen | A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page - enabling DOM access, session cookie theft and other client-side attacks - via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS). | 2026-01-26 | 6.1 | CVE-2025-11687 | https://access.redhat.com/security/cve/CVE-2025-11687 RHBZ#2403536 https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228 |
| GitoxideLabs--gitoxide | A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences. | 2026-01-26 | 6.8 | CVE-2026-0810 | https://access.redhat.com/security/cve/CVE-2026-0810 RHBZ#2427057 https://crates.io/crates/gix-date https://github.com/GitoxideLabs/gitoxide/issues/2305 https://rustsec.org/advisories/RUSTSEC-2025-0140.html |
| Goautodial--GOautodial | GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. Attackers can craft messages with embedded JavaScript that will execute when an administrator reads the message, potentially stealing session cookies or executing client-side attacks. | 2026-01-29 | 6.4 | CVE-2020-37018 | ExploitDB-48690 Official Vendor Homepage VulnCheck Advisory: GOautodial 4.0 - Persistent Cross-Site Scripting |
| GPAc--GPAC | A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue. | 2026-01-26 | 5.3 | CVE-2026-1418 | VDB-342807 | GPAC SRT Subtitle Import text_to_bifs.c gf_text_import_srt_bifs out-of-bounds write VDB-342807 | CTI Indicators (IOB, IOC, IOA) Submit #736544 | gpac v2.4.0 Out-of-bounds Write https://github.com/gpac/gpac/issues/3425 https://github.com/gpac/gpac/issues/3425#issue-3801961068 https://github.com/enocknt/gpac/commit/10c73b82cf0e367383d091db38566a0e4fe71772 |
| GuidoNeele--PDW File Browser | PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary JavaScript in victims' browsers when they access the file browser. | 2026-01-28 | 5.4 | CVE-2020-36988 | ExploitDB-48947 PDW File Browser GitHub Repository VulnCheck Advisory: PDW File Browser <= v1.3 - Cross-Site Scripting (XSS) |
| halfdata--Stripe Green Downloads | Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. Attackers can exploit input parameters to execute arbitrary scripts, potentially leading to session hijacking and application module manipulation. | 2026-02-01 | 6.4 | CVE-2022-50797 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Stripe Green Downloads Wordpress Plugin 2.03 Persistent XSS via Settings |
| HappyHackingSpace--gakido | Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests. | 2026-01-27 | 5.3 | CVE-2026-24489 | https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9 https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788 https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019 |
| HCLSoftware--BigFix Compliance | A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals. | 2026-01-28 | 5.3 | CVE-2023-37525 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128385 |
| HIKSEMI--HS-AFS-S1H1 | Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization. | 2026-01-30 | 4.3 | CVE-2026-22624 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| HIKSEMI--HS-AFS-S1H1 | Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files. | 2026-01-30 | 4.6 | CVE-2026-22625 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| HIKSEMI--HS-AFS-S1H1 | Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages. | 2026-01-30 | 4.9 | CVE-2026-22626 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue. | 2026-01-27 | 5.3 | CVE-2026-24472 | https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4 https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1 https://github.com/honojs/hono/releases/tag/v4.11.7 |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue. | 2026-01-27 | 4.8 | CVE-2026-24398 | https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37 https://github.com/honojs/hono/releases/tag/v4.11.7 |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue. | 2026-01-27 | 4.7 | CVE-2026-24771 | https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5 https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990 |
| hu_chao--imwptip | The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2026-1377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe987f0-6887-4ad1-a748-eb987bb574fa?source=cve https://plugins.trac.wordpress.org/browser/imwptip/trunk/classes/imwptipadmin.php#L11 https://plugins.trac.wordpress.org/browser/imwptip/tags/1.1/classes/imwptipadmin.php#L11 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query. | 2026-01-30 | 6.5 | CVE-2025-2668 | https://www.ibm.com/support/pages/node/7257518 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion. | 2026-01-30 | 6.5 | CVE-2025-36001 | https://www.ibm.com/support/pages/node/7257616 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an unauthenticated user to cause a denial of service due to excessive use of a global variable. | 2026-01-30 | 6.5 | CVE-2025-36009 | https://www.ibm.com/support/pages/node/7257623 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables. | 2026-01-30 | 6.5 | CVE-2025-36070 | https://www.ibm.com/support/pages/node/7257624 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper allocation of resources. | 2026-01-30 | 6.5 | CVE-2025-36098 | https://www.ibm.com/support/pages/node/7257629 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service when copying large table containing XML data due to improper allocation of system resources. | 2026-01-30 | 6.2 | CVE-2025-36123 | https://www.ibm.com/support/pages/node/7257627 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.2 | CVE-2025-36353 | https://www.ibm.com/support/pages/node/7257632 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass vulnerability using a user-controlled key. | 2026-01-30 | 6.8 | CVE-2025-36365 | https://www.ibm.com/support/pages/node/7257665 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36366 | https://www.ibm.com/support/pages/node/7257681 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 could allow an authenticated user to cause a denial of service when given specially crafted query. | 2026-01-30 | 6.5 | CVE-2025-36387 | https://www.ibm.com/support/pages/node/7257690 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36407 | https://www.ibm.com/support/pages/node/7257692 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36423 | https://www.ibm.com/support/pages/node/7257694 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36424 | https://www.ibm.com/support/pages/node/7257695 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36427 | https://www.ibm.com/support/pages/node/7257696 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query with XML columns. | 2026-01-30 | 6.5 | CVE-2025-36442 | https://www.ibm.com/support/pages/node/7257698 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when the RPSCAN feature is enabled. | 2026-01-30 | 5.3 | CVE-2025-36428 | https://www.ibm.com/support/pages/node/7257697 |
| igniterealtime--Openfire | Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page. | 2026-01-26 | 6.4 | CVE-2020-36956 | ExploitDB-49229 Openfire GitHub Repository Openfire Software Downloads VulnCheck Advisory: Openfire 4.6.0 - 'path' Stored XSS |
| iJason-Liu--Books_Manager | A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php. Performing a manipulation of the argument book_cover results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | 2026-01-26 | 4.7 | CVE-2026-1445 | VDB-342874 | iJason-Liu Books_Manager upload_bookCover.php unrestricted upload VDB-342874 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736971 | https://github.com/iJason-Liu/Books_Manager Books_Manager 1.0 File Upload https://blog.y1fan.work/2026/01/13/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0getshell/ |
| ilias.de--ILIAS Learning Management System | ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the portfolio is exported to PDF. | 2026-01-28 | 4 | CVE-2020-36944 | ExploitDB-49148 ILIAS Official Vendor Homepage ILIAS GitHub Repository VulnCheck Advisory: ILIAS Learning Management System 4.3 - SSRF |
| Inciga--Inciga Web | Inciga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks. | 2026-02-01 | 5.4 | CVE-2022-50942 | Vulnerability Lab Advisory Product Homepage Product Homepage VulnCheck Advisory: Inciga Web 2.8.2 Client-Side Cross-Site Scripting via EventListener |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, a heap buffer over-read when the strlen() function attempts to read a non-null-terminated buffer potentially leaking heap memory contents and causing application termination. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available. | 2026-01-28 | 6.1 | CVE-2026-24852 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-q8g2-mp32-3j7f https://github.com/InternationalColorConsortium/iccDEV/pull/540 https://github.com/InternationalColorConsortium/iccDEV/commit/3092499cd4d0775f4a716b999899f9c26f9bc614 |
| Is-Daouda--is-Engine | Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in Is-Daouda is-Engine. This issue affects is-Engine: before 3.3.4. | 2026-01-27 | 6.5 | CVE-2026-24829 | https://github.com/Is-Daouda/is-Engine/pull/7 |
| itsourcecode--School Management System | A weakness has been identified in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/course/controller.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-28 | 6.3 | CVE-2026-1551 | VDB-343247 | itsourcecode School Management System controller.php sql injection VDB-343247 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740644 | itsourcecode School Management System V1.0 SQL Injection Submit #740680 | itsourcecode School Management System v1.0 SQL Injection (Duplicate) https://mega.nz/file/6cVwiA5A#BVwaxWlfeQCkkpHnuxPiMDZVb5qcYrsI6ftqdm_8mGk https://itsourcecode.com/ |
| iulia-cazan--Easy Replace Image | The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to replace arbitrary image attachments on the site with images from external URLs, potentially enabling site defacement, phishing attacks, or content manipulation. | 2026-01-28 | 5.3 | CVE-2026-1298 | https://www.wordfence.com/threat-intel/vulnerabilities/id/27332c13-c25f-47ec-980d-035fc35ce553?source=cve https://plugins.trac.wordpress.org/browser/easy-replace-image/trunk/easy-replace-image.php#L961 https://plugins.trac.wordpress.org/browser/easy-replace-image/tags/3.5.2/easy-replace-image.php#L961 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3447984%40easy-replace-image&new=3447984%40easy-replace-image&sfp_email=&sfph_mail= |
| jdwebdesigner--Affiliate Pro | Affiliate Pro 1.7 contains multiple reflected cross-site scripting vulnerabilities in the index module's input fields. Attackers can inject malicious scripts through fullname, username, and email parameters to execute client-side attacks and manipulate browser requests. | 2026-02-01 | 5.4 | CVE-2021-47911 | Vulnerability Lab Advisory Product Homepage Product Homepage VulnCheck Advisory: Affiliate Pro 1.7 Reflected Cross-Site Scripting via Index Module |
| Jirafeau project--Jirafeau | Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff. | 2026-01-28 | 6.1 | CVE-2026-1466 | https://gitlab.com/jirafeau/Jirafeau/-/commit/747afb20bfcff14bb67e40e7035d47a6311ba3e1 https://www.cve.org/CVERecord?id=CVE-2022-30110 https://www.cve.org/CVERecord?id=CVE-2024-12326 https://www.cve.org/CVERecord?id=CVE-2025-7066 |
| jishenghua--jshERP | A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the argument barCodes leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-28 | 6.3 | CVE-2026-1546 | VDB-343230 | jishenghua jshERP com.jsh.erp.datasource.mappers.DepotItemMapperEx importItemExcel getBillItemByParam sql injection VDB-343230 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #739688 | https://github.com/jishenghua/jshERP jshERP v3.6 SQL Injection https://github.com/jishenghua/jshERP/issues/145 https://github.com/jishenghua/jshERP/issues/145#issue-3816930151 https://github.com/jishenghua/jshERP/ |
| jishenghua--jshERP | A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-28 | 4.3 | CVE-2026-1549 | VDB-343245 | jishenghua jshERP PluginController uploadPluginConfigFile path traversal VDB-343245 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #739805 | https://github.com/jishenghua/jshERP jshERP v3.6 Path Traversal https://github.com/jishenghua/jshERP/issues/146 https://github.com/jishenghua/jshERP/issues/146#issue-3817997461 https://github.com/jishenghua/jshERP/ |
| Laravel Holdings Inc.--Laravel Nova | Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server. | 2026-01-27 | 6.5 | CVE-2020-36950 | ExploitDB-49198 Laravel Nova Official Homepage Laravel Nova Releases Page VulnCheck Advisory: Laravel Nova 3.7.0 - 'range' DoS |
| libexpat project--libexpat | In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. | 2026-01-30 | 6.9 | CVE-2026-25210 | https://github.com/libexpat/libexpat/pull/1075 https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7 |
| Limesurvey--LimeSurvey | LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts. | 2026-01-28 | 6.4 | CVE-2020-36993 | ExploitDB-48762 LimeSurvey Official Website LimeSurvey Patch Commit VulnCheck Advisory: LimeSurvey <= 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting |
| linknacional--Link Invoice Payment for WooCommerce | The Link Invoice Payment for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the createPartialPayment and cancelPartialPayment functions in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create partial payments on any order or cancel any existing partial payment via ID enumeration. | 2026-01-27 | 5.3 | CVE-2025-14971 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96a8fc8b-6f0a-486c-89d1-7211b4ca31bd?source=cve https://plugins.trac.wordpress.org/browser/invoice-payment-for-woocommerce/tags/2.8.0/Includes/WcPaymentInvoiceEndpoint.php#L19 https://plugins.trac.wordpress.org/browser/invoice-payment-for-woocommerce/tags/2.8.0/Includes/WcPaymentInvoiceEndpoint.php#L179 |
| litonice13--WP Adminify White Label WordPress, Admin Menu Editor, Login Customizer | The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs. | 2026-01-28 | 5.3 | CVE-2026-1060 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7ecb4f95-346e-49b3-859f-44f28a72f065?source=cve https://plugins.trac.wordpress.org/browser/adminify/tags/4.0.6.1/Libs/Addons.php#L54 https://plugins.trac.wordpress.org/changeset/3442928/ |
| localsend--localsend | LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch. | 2026-01-30 | 6.1 | CVE-2026-25154 | https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4 https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c |
| lxicon--Bitcoin Donate Button | The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, including donation addresses and display configurations, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2026-1380 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c973dd9-cfa3-4f06-a25a-c2786e3dca4d?source=cve https://plugins.trac.wordpress.org/browser/bitcoin-donate-button/trunk/btcbutton.php#L1 https://plugins.trac.wordpress.org/browser/bitcoin-donate-button/tags/1.0/btcbutton.php#L1 |
| mamunreza--Vzaar Media Management | The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-28 | 5.3 | CVE-2026-1391 | https://www.wordfence.com/threat-intel/vulnerabilities/id/398a75b1-6470-44b3-aaea-d5e8b10db115?source=cve https://plugins.trac.wordpress.org/browser/vzaar-media-management/trunk/admin/vzaar-media-upload.php#L103 https://plugins.trac.wordpress.org/browser/vzaar-media-management/tags/1.2/admin/vzaar-media-upload.php#L103 |
| mapstructure--mapstructure | A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts. | 2026-01-26 | 5.3 | CVE-2025-11065 | https://access.redhat.com/security/cve/CVE-2025-11065 RHBZ#2391829 https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm |
| metagauss--RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login | The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles. | 2026-01-28 | 5.3 | CVE-2026-1054 | https://www.wordfence.com/threat-intel/vulnerabilities/id/daf4d246-85f3-48b3-985f-982fea4772f1?source=cve https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.9/admin/controllers/class_rm_options_controller.php#L209 https://plugins.trac.wordpress.org/changeset/3444777/ |
| michalc--PDW File Browser | PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using double-encoded path traversal techniques. | 2026-01-28 | 6.5 | CVE-2020-36973 | ExploitDB-48987 PDW File Browser GitHub Repository VulnCheck Advisory: PDW File Browser 1.3 - Remote Code Execution |
| microsoft--maker.js | Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2. | 2026-01-28 | 6.5 | CVE-2026-24888 | https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8 https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241 |
| midgetspy--Sickbeard | Sickbeard alpha contains a cross-site request forgery vulnerability that allows attackers to disable authentication by submitting crafted configuration parameters. Attackers can trick users into submitting a malicious form that clears web username and password, effectively removing authentication protection. | 2026-01-30 | 5.3 | CVE-2020-37026 | ExploitDB-48712 Archived Sickbeard Official Homepage Sickbeard GitHub Repository VulnCheck Advisory: Sickbeard 0.1 - Cross-Site Request Forgery |
| migaweb--Simple calendar for Elementor | The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authenticated and unauthenticated access enabled. This makes it possible for unauthenticated attackers to delete arbitrary calendar entries by sending a request with a valid nonce and the calendar entry ID. | 2026-01-28 | 5.3 | CVE-2026-1310 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e537c56d-7c5e-4f21-b266-ef3d1a87caf2?source=cve https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/trunk/widget/includes/backend_functions.php#L3 https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/tags/1.6.6/widget/includes/backend_functions.php#L3 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444617%40simple-calendar-for-elementor&new=3444617%40simple-calendar-for-elementor&sfp_email=&sfph_mail= |
| miles99--WP Google Ad Manager Plugin | The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1399 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3185d82-a785-4165-8469-abc0be38f852?source=cve https://plugins.trac.wordpress.org/browser/wp-google-ad-manager-plugin/trunk/WP-Google-Ad-Manager.php#L194 https://plugins.trac.wordpress.org/browser/wp-google-ad-manager-plugin/tags/1.1.0/WP-Google-Ad-Manager.php#L194 |
| MongoDB--Mongo-c-driver | User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container. | 2026-01-27 | 6.5 | CVE-2025-14911 | https://jira.mongodb.org/browse/CDRIVER-6125 |
| MrPlugins--BootCommerce | BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unvalidated input parameters to execute arbitrary scripts, potentially leading to session hijacking, phishing attacks, and application module manipulation. | 2026-02-01 | 6.4 | CVE-2022-50941 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: BootCommerce 3.2.1 Persistent Cross-Site Scripting via Order Checkout |
| Naviwebs S.C.--Navigate CMS | Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation. | 2026-01-30 | 4.3 | CVE-2020-37054 | ExploitDB-48548 Navigate CMS Official Homepage Navigate CMS SourceForge Page VulnCheck Advisory: Navigate CMS 2.8.7 - Cross-Site Request Forgery |
| nebojsadabic--Target Video Easy Publish | The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'placeholder_img' parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-8072 | https://www.wordfence.com/threat-intel/vulnerabilities/id/26e16dd3-66bc-4174-acc1-ee22713ae979?source=cve https://plugins.trac.wordpress.org/browser/brid-video-easy-publish/tags/3.8.6/lib/BridShortcode.php#L204 https://wordpress.org/plugins/brid-video-easy-publish/#developers https://plugins.trac.wordpress.org/changeset/3437514/brid-video-easy-publish/trunk/lib/BridShortcode.php |
| NetArt Media--Easy Cart Shopping Cart | Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the search input to compromise user sessions and manipulate application content. | 2026-02-01 | 6.4 | CVE-2021-47856 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Easy Cart Shopping Cart 2021 Cross-Site Scripting via Search Parameter |
| nocodb--nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue. | 2026-01-28 | 4.9 | CVE-2026-24766 | https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9 |
| nocodb--nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. Version 0.301.0 contains a patch for the issue. | 2026-01-28 | 4.9 | CVE-2026-24767 | https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9 |
| NVIDIA--GeForce | NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. | 2026-01-28 | 5.5 | CVE-2025-33237 | https://nvd.nist.gov/vuln/detail/CVE-2025-33237 https://www.cve.org/CVERecord?id=CVE-2025-33237 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options. | 2026-01-27 | 5.9 | CVE-2026-22262 | https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86 https://github.com/OISF/suricata/commit/0eff24213763c2aa2bb0957901d5dc1e18414dbf https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1 https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb https://github.com/OISF/suricata/commit/32a1b9ae6aa80a60c073897e38a2ac6ea0f64521 https://github.com/OISF/suricata/commit/d6bc718e303ecbec5999066b8bc88eeeca743658 https://github.com/OISF/suricata/commit/d767dfadcd166f82683757818b9e46943326ac90 https://redmine.openinfosecfoundation.org/issues/8110 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available. | 2026-01-27 | 5.3 | CVE-2026-22263 | https://github.com/OISF/suricata/security/advisories/GHSA-rwc5-hxj6-hwx7 https://github.com/OISF/suricata/commit/018a377f74e3eb2b042c6f783ad9043060923428 https://redmine.openinfosecfoundation.org/issues/8201 |
| Open5GS--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_bearer_resource_failure_indication of the file src/sgwc/s5c-handler.c of the component SGWC. Performing a manipulation results in denial of service. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The patch is named 69b53add90a9479d7960b822fc60601d659c328b. It is recommended to apply a patch to fix this issue. | 2026-01-28 | 5.3 | CVE-2026-1521 | VDB-343192 | Open5GS SGWC s5c-handler.c denial of service VDB-343192 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #738370 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4268 https://github.com/open5gs/open5gs/issues/4268#event-21989483261 https://github.com/open5gs/open5gs/issues/4268#issue-3795012861 https://github.com/open5gs/open5gs/commit/69b53add90a9479d7960b822fc60601d659c328b |
| Open5GS--Open5GS | A weakness has been identified in Open5GS up to 2.7.6. This vulnerability affects the function sgwc_s5c_handle_modify_bearer_response of the file src/sgwc/s5c-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This patch is called b19cf6a. Applying a patch is advised to resolve this issue. The issue report is flagged as already-fixed. | 2026-01-28 | 5.3 | CVE-2026-1522 | VDB-343193 | Open5GS SGWC s5c-handler.c sgwc_s5c_handle_modify_bearer_response denial of service VDB-343193 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #738371 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4266 https://github.com/open5gs/open5gs/issues/4266#event-21968568116 https://github.com/open5gs/open5gs/issues/4266#issue-3794991595 https://github.com/open5gs/open5gs/commit/b19cf6a |
| Open5GS--Open5GS | A flaw has been found in Open5GS up to 2.7.5. Impacted is the function ogs_gtp2_f_teid_to_ip of the file /sgwc/s11-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack may be performed from remote. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed. | 2026-01-29 | 5.3 | CVE-2026-1586 | VDB-343349 | Open5GS SGWC s11-handler.c ogs_gtp2_f_teid_to_ip denial of service VDB-343349 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #738375 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4273 https://github.com/open5gs/open5gs/issues/4273#event-21968643659 https://github.com/open5gs/open5gs/issues/4273#issue-3796030721 |
| Open5GS--Open5GS | A vulnerability has been found in Open5GS up to 2.7.6. The affected element is the function sgwc_s11_handle_modify_bearer_request of the file /sgwc/s11-handler.c of the component SGWC. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Applying a patch is the recommended action to fix this issue. The issue report is flagged as already-fixed. | 2026-01-29 | 5.3 | CVE-2026-1587 | VDB-343350 | Open5GS SGWC s11-handler.c sgwc_s11_handle_modify_bearer_request denial of service VDB-343350 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #738376 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4272 https://github.com/open5gs/open5gs/issues/4272#event-21968635948 https://github.com/open5gs/open5gs/issues/4272#issue-3795156752 |
| OpenZ--OpenZ ERP | OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules. | 2026-01-30 | 6.4 | CVE-2020-37022 | ExploitDB-48450 OpenZ Official Website OpenZ Download Page Vulnerability Lab Advisory VulnCheck Advisory: OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting |
| opf--openproject | OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable. | 2026-01-28 | 6.3 | CVE-2026-24775 | https://github.com/opf/openproject/security/advisories/GHSA-35c6-x276-2pvc https://github.com/opf/op-blocknote-extensions/releases/tag/v0.0.22 |
| Orchardcore--Orchard Core | Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers. | 2026-01-30 | 6.4 | CVE-2020-37019 | ExploitDB-48456 Orchard Core Official Website Orchard Core GitHub Repository GitHub Issue #5802 VulnCheck Advisory: Orchard Core RC1 - Persistent Cross-Site Scripting |
| Php-Fusion--PHPFusion | PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages that will execute when the print page is generated, allowing script execution in victim browsers. | 2026-01-30 | 6.4 | CVE-2020-36996 | ExploitDB-48497 PHPFusion Official Homepage PHPFusion Download Page VulnCheck Advisory: PHPFusion 9.03.50 - Persistent Cross-Site Scripting |
| PHPGurukul--Hospital Management System | A security flaw has been discovered in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/hospital/docappsystem/adminviews.py of the component Admin Dashboard Page. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. | 2026-01-28 | 6.3 | CVE-2026-1550 | VDB-343246 | PHPGurukul Hospital Management System Admin Dashboard adminviews.py improper authorization VDB-343246 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #739837 | PHPGurukul Hospital Management System v1.0 Missing Authorization https://github.com/rsecroot/Hospital-Management-System/blob/main/Broken%20Access%20Control.md https://phpgurukul.com/ |
| PHPGurukul--News Portal | A vulnerability was identified in PHPGurukul News Portal 1.0. This affects an unknown part of the component Profile Pic Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2026-01-26 | 4.7 | CVE-2026-1424 | VDB-342840 | PHPGurukul News Portal Profile Pic unrestricted upload VDB-342840 | CTI Indicators (IOB, IOC, TTP) Submit #736637 | PHPGurukul News Portal v1.0 Cross Site Scripting https://github.com/rsecroot/News-Portal/blob/main/Cross%20Site%20Scripting.md https://phpgurukul.com/ |
| PHPSUGAR--PHP Melody | PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated parameters to execute client-side attacks and potentially hijack user sessions. | 2026-02-01 | 6.4 | CVE-2021-47912 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 Non-Persistent Cross-Site Scripting via Multiple Parameters |
| PHPSUGAR--PHP Melody | PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor that allows privileged users to inject malicious scripts. Attackers can exploit the WYSIWYG editor to execute persistent scripts, potentially leading to session hijacking and application manipulation. | 2026-02-01 | 6.4 | CVE-2021-47913 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 Persistent Cross-Site Scripting via Video Editor |
| PHPSUGAR--PHP Melody | PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. Attackers can exploit this vulnerability to execute arbitrary JavaScript, potentially leading to session hijacking, persistent phishing, and manipulation of application modules. | 2026-02-01 | 6.4 | CVE-2021-47914 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 Persistent XSS Vulnerability via Edit Video Parameter |
| pnpm--pnpm | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. The issue impacts all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations and CI/CD pipelines that auto-install binary dependencies. It can lead to overwriting config files, scripts, or other sensitive files leading to RCE. Version 10.28.1 contains a patch. | 2026-01-26 | 6.5 | CVE-2026-23888 | https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868 https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5 https://github.com/pnpm/pnpm/releases/tag/v10.28.1 |
| pnpm--pnpm | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch. | 2026-01-26 | 6.5 | CVE-2026-23889 | https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0 https://github.com/pnpm/pnpm/releases/tag/v10.28.1 |
| pnpm--pnpm | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch. | 2026-01-26 | 6.5 | CVE-2026-23890 | https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d https://github.com/pnpm/pnpm/releases/tag/v10.28.1 |
| presstigers--Simple Folio | The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-14039 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c32a71d6-d61c-4f6f-9d35-70140235af7c?source=cve https://plugins.trac.wordpress.org/browser/simple-folio/trunk/templates/single-simple-folio.php#L70 https://plugins.trac.wordpress.org/browser/simple-folio/tags/1.1.1/templates/single-simple-folio.php#L70 https://plugins.trac.wordpress.org/browser/simple-folio/trunk/templates/single-simple-folio.php#L76 https://plugins.trac.wordpress.org/browser/simple-folio/tags/1.1.1/templates/single-simple-folio.php#L76 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442515%40simple-folio&new=3442515%40simple-folio&sfp_email=&sfph_mail= |
| Product Owner: Webile--Webile | Webile 1.0.1 contains a directory traversal vulnerability that allows remote attackers to manipulate file system paths without authentication. Attackers can exploit path manipulation to access sensitive system directories and potentially compromise the mobile device's local file system. | 2026-02-01 | 6.5 | CVE-2022-50950 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Webile 1.0.1 Directory Traversal Vulnerability via Web Application |
| psmplugins--SupportCandy Helpdesk & Customer Support Ticket System | The SupportCandy - Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-31 | 6.5 | CVE-2026-0683 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a7856d0f-bc7d-436c-968c-631fd6a686ab?source=cve https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1265 https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1288 https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/custom-field-types/class-wpsc-cf-number.php#L371 https://plugins.trac.wordpress.org/changeset/3448376/ |
| psmplugins--SupportCandy Helpdesk & Customer Support Ticket System | The SupportCandy - Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners. | 2026-01-31 | 5.4 | CVE-2026-1251 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2?source=cve https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-individual-ticket.php#L1603 https://plugins.trac.wordpress.org/changeset/3448376/ |
| pymumu--SmartDNS | A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVBC Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue. | 2026-01-26 | 5.6 | CVE-2026-1425 | VDB-342841 | pymumu SmartDNS SVBC Record dns.c _dns_decode_SVCB_HTTPS stack-based overflow VDB-342841 | CTI Indicators (IOB, IOC, IOA) Submit #736827 | pymumu smartdns 47.1 Stack-based Buffer Overflow https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8 |
| QlikTech International AB--QlikView | QlikView 12.50.20000.0 contains a denial of service vulnerability in the FTP server address input field that allows local attackers to crash the application. Attackers can paste a 300-character buffer into the FTP server address field to trigger an application crash and prevent normal functionality. | 2026-01-29 | 6.2 | CVE-2020-36994 | ExploitDB-48732 Vendor Homepage VulnCheck Advisory: QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service |
| QR Menu Pro Smart Menu Systems--Menu Panel | Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 5.7 | CVE-2025-7013 | https://www.usom.gov.tr/bildirim/tr-26-0007 |
| QR Menu Pro Smart Menu Systems--Menu Panel | Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 5.7 | CVE-2025-7014 | https://www.usom.gov.tr/bildirim/tr-26-0007 |
| QWE Labs--QWE DL | QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. Attackers can exploit the vulnerability to execute persistent cross-site scripting attacks, potentially leading to session hijacking and application module manipulation. | 2026-02-01 | 6.4 | CVE-2023-54343 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: QWE DL 2.0.1 Persistent XSS Vulnerability via Path Parameter |
| recooty--Recooty Job Widget (Old Dashboard) | The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. This makes it possible for unauthenticated attackers to update the recooty_key option and inject malicious content into iframe src attributes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2025-14616 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eb14f084-6f36-4702-8a28-b62811739407?source=cve https://plugins.trac.wordpress.org/browser/recooty/trunk/admin/init.php#L72 https://plugins.trac.wordpress.org/browser/recooty/tags/1.0.4/admin/init.php#L72 https://plugins.trac.wordpress.org/browser/recooty/trunk/init.php#L41 https://plugins.trac.wordpress.org/browser/recooty/tags/1.0.4/init.php#L41 |
| Red Hat--Red Hat build of Quarkus | A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausting available database connections. | 2026-01-26 | 4.3 | CVE-2025-14969 | https://access.redhat.com/security/cve/CVE-2025-14969 RHBZ#2423822 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services. | 2026-01-27 | 5.8 | CVE-2026-1467 | https://access.redhat.com/security/cve/CVE-2026-1467 RHBZ#2433174 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable. | 2026-01-27 | 5.4 | CVE-2026-1489 | https://access.redhat.com/security/cve/CVE-2026-1489 RHBZ#2433348 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction. | 2026-01-28 | 5.8 | CVE-2026-1536 | https://access.redhat.com/security/cve/CVE-2026-1536 RHBZ#2433834 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data. | 2026-01-28 | 5.8 | CVE-2026-1539 | https://access.redhat.com/security/cve/CVE-2026-1539 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks. | 2026-01-26 | 4 | CVE-2025-9820 | https://access.redhat.com/security/cve/CVE-2025-9820 RHBZ#2392528 https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5 https://gitlab.com/gnutls/gnutls/-/issues/1732 https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably. | 2026-01-27 | 4.2 | CVE-2026-1484 | https://access.redhat.com/security/cve/CVE-2026-1484 RHBZ#2433259 |
| Red Hat--Red Hat OpenShift Virtualization 4 | A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator's ability to manage the VM, leading to a denial of service for administrative operations. | 2026-01-26 | 6.4 | CVE-2025-14525 | https://access.redhat.com/security/cve/CVE-2025-14525 RHBZ#2421360 |
| rupantorpay--Rupantorpay | The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint. | 2026-01-28 | 5.3 | CVE-2025-15511 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1b21bdfd-42ec-43fe-b581-04276b86c50b?source=cve https://plugins.trac.wordpress.org/browser/rupantorpay/tags/2.0.0/includes/class-wc-rupantorpay-gateway.php#L172 |
| RustCrypto--signatures | The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`<=` instead of `<`), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `<` comparison to `<=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue. | 2026-01-28 | 5.3 | CVE-2026-24850 | https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9 https://github.com/RustCrypto/signatures/issues/894 https://github.com/RustCrypto/signatures/pull/895 https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38 https://csrc.nist.gov/pubs/fips/204/final https://datatracker.ietf.org/doc/html/rfc9881 https://github.com/C2SP/wycheproof https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json |
| salihciftci--Liman | Liman 0.7 contains a cross-site request forgery vulnerability that allows attackers to manipulate user account settings without proper request validation. Attackers can craft malicious HTML forms to change user passwords or modify account information by tricking logged-in users into submitting unauthorized requests. | 2026-01-29 | 5.3 | CVE-2020-37007 | ExploitDB-48869 Archived Liman GitHub Repository VulnCheck Advisory: Liman 0.7 - Cross-Site Request Forgery (Change Password) |
| Salt Project--Salt | Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues. | 2026-01-30 | 6.2 | CVE-2025-62349 | Salt 3006.17 release notes (fix and minimum_auth_version) Salt 3007.9 release notes (fix and minimum_auth_version) |
| Sangfor--Operation and Maintenance Security Management System | A vulnerability was found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function portValidate of the file /fort/ip_and_port/port_validate of the component HTTP POST Request Handler. Performing a manipulation of the argument port results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-01-26 | 6.3 | CVE-2026-1413 | VDB-342802 | Sangfor Operation and Maintenance Security Management System HTTP POST Request port_validate portValidate command injection VDB-342802 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736522 | Sangfor Operation and Maintenance Security Management System (OSM / è¿ç»´å®‰å…¨ç®¡ç†ç³»ç»Ÿ) v3.0.12 Command Injection https://github.com/LX-LX88/cve/issues/23 |
| Sangfor--Operation and Maintenance Security Management System | A vulnerability was determined in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This impacts the function getInformation of the file /equipment/get_Information of the component HTTP POST Request Handler. Executing a manipulation of the argument fortEquipmentIp can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-26 | 6.3 | CVE-2026-1414 | VDB-342803 | Sangfor Operation and Maintenance Security Management System HTTP POST Request get_Information getInformation command injection VDB-342803 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736524 | Sangfor Operation and Maintenance Security Management System (OSM / è¿ç»´å®‰å…¨ç®¡ç†ç³»ç»Ÿ) v3.0.12 Command Injection https://github.com/LX-LX88/cve/issues/24 |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted. | 2026-01-27 | 4.3 | CVE-2026-23683 | https://me.sap.com/notes/3122486 https://url.sap/sapsecuritypatchday |
| Sellacious--Sellacious eCommerce | Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules. | 2026-01-30 | 6.4 | CVE-2020-37003 | ExploitDB-48467 Official Sellacious eCommerce Homepage Sellacious Product Details Vulnerability Lab Advisory VulnCheck Advisory: Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting |
| SEMCMS--SEMCMS | A security vulnerability has been detected in SEMCMS 5.0. This vulnerability affects unknown code of the file /SEMCMS_Info.php. The manipulation of the argument searchml leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 6.3 | CVE-2026-1552 | VDB-343248 | SEMCMS SEMCMS_Info.php sql injection VDB-343248 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740549 | SEMCMS SEMCMS 外贸网站php多è¯è¨€ç‰ˆ V5.0 SQL Injection https://github.com/Sqli22/Sqli/issues/4 |
| seomantis--SEO Links Interlinking | The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-28 | 6.1 | CVE-2025-14063 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d71143d6-d477-4a63-8f99-f4cc8a590536?source=cve https://wordpress.org/plugins/seo-links-interlinking/ https://plugins.trac.wordpress.org/browser/seo-links-interlinking/trunk/scdata.php#L504 https://plugins.trac.wordpress.org/browser/seo-links-interlinking/tags/1.7.5/scdata.php#L504 https://plugins.trac.wordpress.org/browser/seo-links-interlinking/trunk/scdata.php#L512 https://plugins.trac.wordpress.org/browser/seo-links-interlinking/tags/1.7.5/scdata.php#L512 |
| Simplephpscripts--Simple CMS | Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. Attackers can exploit the newUser and editUser modules to inject persistent scripts that execute on user list preview, potentially leading to session hijacking and application manipulation. | 2026-02-01 | 6.4 | CVE-2021-47917 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Simple CMS 2.1 Persistent Cross-Site Scripting via User Input Parameters |
| Simplephpscripts--Simple CMS | Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. | 2026-02-01 | 6.4 | CVE-2021-47919 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Simple CMS 2.1 Non-Persistent Cross-Site Scripting via Preview Parameter |
| smarterDroid--WiFi File Transfer | WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit the web server's input validation weakness to execute arbitrary JavaScript when users preview infected file paths, potentially compromising user browser sessions. | 2026-02-01 | 6.4 | CVE-2022-50951 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: WiFi File Transfer 1.0.8 Persistent XSS via Web Server Input Validation |
| SourceCodester--Pet Grooming Management Software | A vulnerability was detected in SourceCodester Pet Grooming Management Software 1.0. Impacted is an unknown function of the file /admin/operation/user.php of the component User Management. Performing a manipulation of the argument group_id results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. | 2026-01-30 | 6.3 | CVE-2026-1702 | VDB-343492 | SourceCodester Pet Grooming Management Software User Management user.php improper authorization VDB-343492 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742226 | SourceCodester Pet grooming management software 1.0 Improper Access Controls https://github.com/Asim-QAZi/Improper-Access-Control---in-Pet-Grooming-Management-Software https://www.sourcecodester.com/ |
| stellar--rs-soroban-sdk | soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the `Bytes::slice`, `Vec::slice`, and `Prng::gen_range` (for `u64`) methods in the `soroban-sdk` in versions up to and including `25.0.1`, `23.5.1`, and `25.0.2`. Contracts that pass user-controlled or computed range bounds to `Bytes::slice`, `Vec::slice`, or `Prng::gen_range` may silently operate on incorrect data ranges or generate random numbers from an unintended range, potentially resulting in corrupted contract state. Note that the best practice when using the `soroban-sdk` and building Soroban contracts is to always enable `overflow-checks = true`. The `stellar contract init` tool that prepares the boiler plate for a Soroban contract, as well as all examples and docs, encourage the use of configuring `overflow-checks = true` on `release` profiles so that these arithmetic operations fail rather than silently wrap. Contracts are only impacted if they use `overflow-checks = false` either explicitly or implicitly. It is anticipated the majority of contracts could not be impacted because the best practice encouraged by tooling is to enable `overflow-checks`. The fix available in `25.0.1`, `23.5.1`, and `25.0.2` replaces bare arithmetic with `checked_add` / `checked_sub`, ensuring overflow traps regardless of the `overflow-checks` profile setting. As a workaround, contract workspaces can be configured with a profile available in the GitHub Securtity Advisory to enable overflow checks on the arithmetic operations. This is the best practice when developing Soroban contracts, and the default if using the contract boilerplate generated using `stellar contract init`. Alternatively, contracts can validate range bounds before passing them to `slice` or `gen_range` to ensure the conversions cannot overflow. | 2026-01-28 | 5.3 | CVE-2026-24889 | https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-96xm-fv9w-pf3f https://github.com/stellar/rs-soroban-sdk/pull/1703 https://github.com/stellar/rs-soroban-sdk/commit/3890521426d71bb4d892b21f5a283a1e836cfa38 https://github.com/stellar/rs-soroban-sdk/commit/59fcef437260ed4da42d1efb357137a5c166c02e https://github.com/stellar/rs-soroban-sdk/commit/c2757c6d774dbb28b34a0b77ffe282e59f0f8462 https://github.com/stellar/rs-soroban-sdk/releases/tag/v22.0.9 https://github.com/stellar/rs-soroban-sdk/releases/tag/v23.5.1 https://github.com/stellar/rs-soroban-sdk/releases/tag/v25.0.2 |
| supercleanse--Stripe Payments by Buy Now Plus Best WordPress Stripe Credit Card Payments Plugin | The Buy Now Plus - Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2026-1295 | https://www.wordfence.com/threat-intel/vulnerabilities/id/87d228bb-eb5b-44ca-91f7-ada730635a3f?source=cve https://plugins.trac.wordpress.org/browser/buy-now-plus/tags/1.0.2/class-bnp-buttons.php#L17 https://plugins.trac.wordpress.org/browser/buy-now-plus/tags/1.0.2/class-bnp-buttons.php#L36 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444416%40buy-now-plus&new=3444416%40buy-now-plus&sfp_email=&sfph_mail= |
| symfony--symfony | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as "special" when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2's argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior. | 2026-01-28 | 6.3 | CVE-2026-24739 | https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6 https://github.com/symfony/symfony/issues/62921 https://github.com/symfony/symfony/pull/63164 https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3 https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b |
| Tanium--Asset | Tanium addressed a SQL injection vulnerability in Asset. | 2026-01-28 | 6.3 | CVE-2025-15344 | TAN-2025-035 |
| Tanium--Discover | Tanium addressed an uncontrolled resource consumption vulnerability in Discover. | 2026-01-26 | 4.9 | CVE-2026-1224 | TAN-2026-001 |
| Tanium--Tanium Server | Tanium addressed an improper access controls vulnerability in Tanium Server. | 2026-01-30 | 4.3 | CVE-2025-15322 | TAN-2025-028 |
| TeamViewer--DEX | A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause normally encrypted UDP traffic to be sent in cleartext. This can result in disclosure of sensitive information. | 2026-01-29 | 6.5 | CVE-2026-23564 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause the NomadBranch.exe process to terminate via crafted requests. This can result in a denial-of-service condition of the Content Distribution Service. | 2026-01-29 | 6.5 | CVE-2026-23565 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to inject, tamper with, or forge log entries in \Nomad Branch.log via crafted data sent to the UDP network handler. This can impact log integrity and nonrepudiation. | 2026-01-29 | 6.5 | CVE-2026-23566 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | An integer underflow in the UDP command handler of the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an adjacent network attacker to trigger a heap-based buffer overflow and cause a denial-of-service (service crash) via specially crafted UDP packets. | 2026-01-29 | 6.5 | CVE-2026-23567 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows a remote attacker to leak stack memory and cause a denial of service via a crafted request. The leaked stack memory could be used to bypass ASLR remotely and facilitate exploitation of other vulnerabilities on the affected system. | 2026-01-29 | 6.5 | CVE-2026-23569 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | A missing validation of a user-controlled value in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an adjacent network attacker to tamper with log timestamps via crafted UDP Sync command. This could result in forged or nonsensical datetime prefixes and compromising log integrity and forensic correlation. | 2026-01-29 | 6.5 | CVE-2026-23570 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-RunPkgStatusRequest instruction. Improper input validation allows authenticated attackers with actioner privilege to run elevated arbitrary commands on connected hosts via malicious commands injected into the instruction's input field. Users of 1E Client version 24.5 or higher are not affected. | 2026-01-29 | 6.8 | CVE-2026-23571 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/ |
| TeamViewer--DEX | Improper Link Resolution Before File Access (invoked by 1E Explorer TachyonCore DeleteFileByPath instruction) in TeamViewer DEX - 1E Client before version 26.1 on Windows allows a low privileged local attacker to delete protected system files via a crafted RPC control junction or symlink that is followed when the delete instruction executes. | 2026-01-29 | 5.7 | CVE-2026-23563 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/ |
| TeamViewer--DEX | An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause information disclosure or denial-of-service via a special crafted packet. The leaked memory could be used to bypass ASLR and facilitate further exploitation. | 2026-01-29 | 5.4 | CVE-2026-23568 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| Tenda--AC21 | A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-29 | 6.3 | CVE-2026-1638 | VDB-343417 | Tenda AC21 mDMZSetCfg command injection VDB-343417 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740871 | Tenda AC21 V16.03.08.16 Command Injection https://github.com/LX-LX88/cve/issues/26 https://www.tenda.com.cn/ |
| Tenda--HG10 | A flaw has been found in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. This affects the function system of the file /boaform/formSysCmd. This manipulation of the argument sysCmd causes command injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2026-01-30 | 4.7 | CVE-2026-1690 | VDB-343484 | Tenda HG10 formSysCmd system command injection VDB-343484 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741425 | Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSysCmd-sysCmd-command.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSysCmd-sysCmd-command.md#poc https://www.tenda.com.cn/ |
| theupdateframework--go-tuf | go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch. | 2026-01-27 | 4.7 | CVE-2026-24686 | https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4 https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0 |
| thewebfosters-thewebfosters | Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions. | 2026-02-01 | 6.4 | CVE-2021-47908 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Ultimate POS 4.4 Persistent Cross-Site Scripting via Product Name |
| tigroumeow--AI Engine The Chatbot and AI Framework for WordPress | The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'get_audio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, if "Public API" is enabled in the plugin settings, and 'allow_url_fopen' is set to 'On' on the server. | 2026-01-27 | 6.4 | CVE-2026-0746 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cbba866d-93dd-4ef5-9670-ab958f61f06e?source=cve https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.1/classes/engines/chatml.php#L946 https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/engines/chatml.php |
| Tildeslash Ltd.--M/Monit | M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users. | 2026-01-28 | 6.5 | CVE-2020-36968 | ExploitDB-49081 M/Monit Official Vendor Homepage VulnCheck Advisory: M/Monit 3.7.4 - Password Disclosure |
| Totolink--A7000R | A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2026-01-28 | 6.3 | CVE-2026-1547 | VDB-343231 | Totolink A7000R cstecgi.cgi setUnloadUserData command injection VDB-343231 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #739713 | TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md#poc https://www.totolink.net/ |
| Totolink--A7000R | A flaw has been found in Totolink A7000R 4.1cu.4154. This impacts the function CloudACMunualUpdateUserdata of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument url causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2026-01-28 | 6.3 | CVE-2026-1548 | VDB-343232 | Totolink A7000R cstecgi.cgi CloudACMunualUpdateUserdata command injection VDB-343232 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #739715 | TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/02_RCE_CloudACMunualUpdateUserdata_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/02_RCE_CloudACMunualUpdateUserdata_RCE.md#poc https://www.totolink.net/ |
| Totolink--A7000R | A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-29 | 6.3 | CVE-2026-1601 | VDB-343373 | Totolink A7000R cstecgi.cgi setUploadUserData command injection VDB-343373 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740760 | TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/03_RCE_setUploadUserData_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/03_RCE_setUploadUserData_RCE.md#poc https://www.totolink.net/ |
| Totolink--A7000R | A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-29 | 6.3 | CVE-2026-1623 | VDB-343382 | Totolink A7000R cstecgi.cgi setUpgradeFW command injection VDB-343382 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740767 | TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/04_RCE_setUpgradeFW_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/04_RCE_setUpgradeFW_RCE.md#poc https://www.totolink.net/ |
| TrustTunnel--TrustTunnel | TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(...)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean "block non-matching prefixes" by itself. A rule with `client_random_prefix = ...` triggers its `action` only when the prefix matches (and the field is available to evaluate). Non-matches (or `None`) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115. | 2026-01-29 | 5.3 | CVE-2026-24904 | https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87 https://github.com/TrustTunnel/TrustTunnel/commit/aa5060145506952b9431b0ed3edb52bb6c08d9a6 |
| Tryton--Tryton | Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces. | 2026-01-30 | 6.4 | CVE-2020-37014 | ExploitDB-48466 Official Tryton Homepage Tryton Download Page Vulnerability Lab Advisory VulnCheck Advisory: Tryton 5.4 - Persistent Cross-Site Scripting |
| vercel--next | A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications. | 2026-01-26 | 5.9 | CVE-2025-59471 | https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f |
| vercel--next | A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion: 1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory. 2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion. Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server. To be affected you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable. Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications. | 2026-01-26 | 5.9 | CVE-2025-59472 | https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h |
| vinod-dalvi--Ivory Search WordPress Search Plugin | The Ivory Search - WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1053 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cdc5ef6a-32d8-4c4b-b459-d9b543b56898?source=cve https://plugins.svn.wordpress.org/add-search-to-menu/tags/5.5.13/public/class-is-public.php https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/class-is-public.php#L204 https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/class-is-public.php#L249 https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/partials/is-ajax-results.php#L148 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444659%40add-search-to-menu&new=3444659%40add-search-to-menu&sfp_email=&sfph_mail= |
| vlt--vlt | vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction. | 2026-01-27 | 5.9 | CVE-2026-24909 | https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack https://github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10 https://github.com/vltpkg/vltpkg/pull/1334 https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act |
| webaways--NEX-Forms Ultimate Forms Plugin for WordPress | The NEX-Forms - Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter. | 2026-01-31 | 5.3 | CVE-2025-15510 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ddfa5a3d-fef2-4049-915c-51c3e28153bf?source=cve https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.7/includes/classes/class.export.php#L11 |
| webguyio--Stop Spammers Classic | The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1. | 2026-01-28 | 4.3 | CVE-2025-14795 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5d6f38d7-a769-422d-ae3f-565cb1cc8a73?source=cve https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/tags/2025.4/classes/ss_addtoallowlist.php#L21 https://plugins.trac.wordpress.org/changeset/3436357/ https://plugins.trac.wordpress.org/changeset/3440788/ |
| WebMO, LLC--WebMO Job Manager | WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. Attackers can exploit the filterSearch and filterSearchType parameters to perform non-persistent attacks including session hijacking and external redirects. | 2026-02-01 | 5.4 | CVE-2021-47920 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: WebMO Job Manager 20.0 Cross-Site Scripting via Search Parameters |
| WellChoose--Single Sign-On Portal System | Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks. | 2026-01-26 | 5.4 | CVE-2026-1429 | https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html https://www.twcert.org.tw/en/cp-139-10655-59160-2.html |
| withstudiocms--studiocms | StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users. Version 0.2.0 patches the issue. | 2026-01-27 | 6.5 | CVE-2026-24134 | https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932 https://github.com/withstudiocms/studiocms/commit/efc10bee20db090fdd75463622c30dda390c50ad https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.2.0 |
| wpbits--WPBITS Addons For Elementor Page Builder | The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-9082 | https://www.wordfence.com/threat-intel/vulnerabilities/id/99b47856-502e-4e9d-b0ea-62c57509b46a?source=cve https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/image_compare.php#L607 https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/tooltip.php#L860 https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/text_rotator.php#L369 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442812%40wpbits-addons-for-elementor&new=3442812%40wpbits-addons-for-elementor&sfp_email=&sfph_mail= |
| wpblockart--BlockArt Blocks Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library | The BlockArt Blocks - Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-14283 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9526a8b-fefe-4ca6-871f-1ead3f498679?source=cve https://plugins.trac.wordpress.org/browser/blockart-blocks/trunk/dist/counter.js |
| wpchill--Passster Password Protect Pages and Content | The Passster - Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21. | 2026-01-28 | 6.4 | CVE-2025-14865 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea939f5-8b56-44be-bd20-b69e9ded5970?source=cve https://plugins.trac.wordpress.org/browser/content-protector/tags/4.2.20/inc/class-ps-public.php#L136 https://plugins.trac.wordpress.org/changeset/3422595/ https://plugins.trac.wordpress.org/changeset/3439532/ |
| wpcodefactory--Order Minimum/Maximum Amount Limits for WooCommerce | The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1381 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3f54f117-0dde-49f9-8014-7650bc1a00ac?source=cve https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/settings/class-alg-wc-oma-settings-general.php https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/class-alg-wc-oma-core.php#L86 https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/tags/4.6.8/includes/class-alg-wc-oma-core.php#L86 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3447432%40order-minimum-amount-for-woocommerce&new=3447432%40order-minimum-amount-for-woocommerce&sfp_email=&sfph_mail= |
| wpdevelop--Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails. | 2026-01-31 | 5.3 | CVE-2026-1431 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0bd92f91-d9b1-4f6f-ac1a-477950ea2e80?source=cve https://plugins.trac.wordpress.org/browser/booking/tags/10.14.13/core/lib/wpbc-ajax.php#L25 |
| Xeroneit--Xeroneit Library Management System | Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded. | 2026-01-26 | 6.4 | CVE-2020-36954 | ExploitDB-49292 Vendor Homepage Software Product Page VulnCheck Advisory: Xeroneit Library Management System 3.1 - "Add Book Category " Stored XSS |
| zephyrproject-rtos--Zephyr | A flaw in Zephyr's network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem. | 2026-01-30 | 6.5 | CVE-2025-12899 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c2vg-hj83-c2vg |
| Zhong Bang--CRMEB | A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endpoint. The manipulation results in missing authorization. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-01 | 5.3 | CVE-2026-1734 | VDB-343633 | Zhong Bang CRMEB crontab Endpoint CrontabController.php authorization VDB-343633 | CTI Indicators (IOB, IOC, IOA) Submit #736619 | Zhongbang CRMEB v5.6.3 Missing Authorization https://github.com/foeCat/CVE/blob/main/CRMEB/crontab_unauthorized_access.md https://github.com/foeCat/CVE/blob/main/CRMEB/crontab_unauthorized_access.md#proof-of-concept |
| Zhong Bang--CRMEB | A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-01 | 4.3 | CVE-2026-1733 | VDB-343632 | Zhong Bang CRMEB :uni tidyOrder improper authorization VDB-343632 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736558 | Zhongbang CRMEB v5.6.3 Improper Access Controls https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md#%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0 |
| Zohocorp--ManageEngine OpManager | Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details. | 2026-01-30 | 4.6 | CVE-2025-9226 | https://www.manageengine.com/itom/advisory/cve-2025-9226.html |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Bdtask--Bhojon All-In-One Restaurant Management System | A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. Performing a manipulation of the argument fullname results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 3.5 | CVE-2026-1598 | VDB-343360 | Bdtask Bhojon All-In-One Restaurant Management System User Information profile cross site scripting VDB-343360 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740738 | Bdtask Bhojon All-In-One Restaurant Management System Latest Stored Cross-Site Scripting https://github.com/4m3rr0r/PoCVulDb/issues/12 |
| Brother Industries, Ltd.--Multiple MFPs | Multiple MFPs provided by Brother Industries, Ltd. does not properly validate server certificates, which may allow a man-in-the-middle attacker to replace the set of root certificates used by the product with a set of arbitrary certificates. | 2026-01-29 | 3.7 | CVE-2025-53869 | https://faq.brother.co.jp/app/answers/detail/a_id/13716 https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2026-0001.pdf https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2026-000001 https://jvn.jp/en/vu/JVNVU92878805/ |
| code-projects--Online Examination System | A vulnerability has been found in code-projects Online Examination System 1.0. Affected is an unknown function of the component Add Pages. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2026-01-26 | 3.5 | CVE-2026-1421 | VDB-342837 | code-projects Online Examination System Add Pages cross site scripting VDB-342837 | CTI Indicators (IOB, IOC, TTP) Submit #736605 | code-projects Online Examination System 1 Cross Site Scripting https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-1-stored-xss-in-all-add-pages https://code-projects.org/ |
| D-Link--DCS-700L | A vulnerability was identified in D-Link DCS-700L 1.03.09. The affected element is the function uploadmusic of the file /setUploadMusic of the component Music File Upload Service. The manipulation of the argument UploadMusic leads to path traversal. The attack can only be initiated within the local network. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 2.4 | CVE-2026-1532 | VDB-343218 | D-Link DCS-700L Music File Upload Service setUploadMusic uploadmusic path traversal VDB-343218 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #738693 | D-Link DCS700l v1.03.09 Absolute Path Traversal https://tzh00203.notion.site/D-Link-DCS700l-v1-03-09-Path-Traversal-Vulnerability-in-Music-File-Upload-2e8b5c52018a80369553f07ab91aabe2?source=copy_link https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_40AC74 of the component Login. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. This attack is characterized by high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. | 2026-01-30 | 3.7 | CVE-2026-1685 | VDB-343479 | D-Link DIR-823X Login sub_40AC74 excessive authentication VDB-343479 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740886 | D-Link dir-823X 250416 A logical flaw in the authentication mechanism exists https://github.com/master-abc/cve/issues/17 https://www.dlink.com/ |
| D-Link--DSL-6641K | A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-30 | 2.4 | CVE-2026-1705 | VDB-343510 | D-Link DSL-6641K Web ad_virtual_server_vdsl cross site scripting VDB-343510 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742421 | D-Link DSL6641K version N8.TR069.20131126 Cross Site Scripting https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-ad_virtual_server_vdsl-Configuration-2eeb5c52018a805d97adfb23dfec39c9?source=copy_link https://www.dlink.com/ |
| GnuPG--GnuPG | In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash). | 2026-01-27 | 3.7 | CVE-2026-24883 | https://www.openwall.com/lists/oss-security/2026/01/27/8 https://dev.gnupg.org/T8049 |
| GPAC--GPAC | A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to null pointer dereference. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is af951b892dfbaaa38336ba2eba6d6a42c25810fd. To fix this issue, it is recommended to deploy a patch. | 2026-01-26 | 3.3 | CVE-2026-1415 | VDB-342804 | GPAC media_export.c gf_media_export_webvtt_metadata null pointer dereference VDB-342804 | CTI Indicators (IOB, IOC, IOA) Submit #736541 | gpac v2.4.0 NULL Pointer Dereference https://github.com/gpac/gpac/issues/3428 https://github.com/gpac/gpac/issues/3428#issue-3802223345 https://github.com/enocknt/gpac/commit/af951b892dfbaaa38336ba2eba6d6a42c25810fd |
| GPAC--GPAC | A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as d45c264c20addf0c1cc05124ede33f8ffa800e68. It is advisable to implement a patch to correct this issue. | 2026-01-26 | 3.3 | CVE-2026-1416 | VDB-342805 | GPAC filedump.c DumpMovieInfo null pointer dereference VDB-342805 | CTI Indicators (IOB, IOC, IOA) Submit #736542 | gpac v2.4.0 NULL Pointer Dereference https://github.com/gpac/gpac/issues/3427 https://github.com/gpac/gpac/issues/3427#issue-3802197432 https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68 |
| GPAC--GPAC | A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: f96bd57c3ccdcde4335a0be28cd3e8fe296993de. Applying a patch is the recommended action to fix this issue. | 2026-01-26 | 3.3 | CVE-2026-1417 | VDB-342806 | GPAC filedump.c dump_isom_rtp null pointer dereference VDB-342806 | CTI Indicators (IOB, IOC, IOA) Submit #736543 | gpac v2.4.0 NULL Pointer Dereference https://github.com/gpac/gpac/issues/3426 https://github.com/gpac/gpac/issues/3426#issue-3802172856 https://github.com/enocknt/gpac/commit/f96bd57c3ccdcde4335a0be28cd3e8fe296993de |
| iJason-Liu--Books_Manager | A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Such manipulation of the argument mark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | 2026-01-26 | 2.4 | CVE-2026-1444 | VDB-342873 | iJason-Liu Books_Manager add_book_check.php cross site scripting VDB-342873 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736968 | https://github.com/iJason-Liu/Books_Manager Books_Manager 1.0 Stored XSS https://blog.y1fan.work/2026/01/13/%E5%AD%98%E5%82%A8%E5%9E%8Bxss/ |
| ixray-team--ixray-1.6-stcop | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. | 2026-01-27 | 3.7 | CVE-2026-24870 | https://github.com/ixray-team/ixray-1.6-stcop/pull/258 |
| jishenghua--jshERP | A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. The manipulation of the argument path results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-29 | 2.7 | CVE-2026-1588 | VDB-343351 | jishenghua jshERP installByPath install path traversal VDB-343351 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #740649 | https://github.com/jishenghua/jshERP jshERP v3.6 Path Traversal https://github.com/jishenghua/jshERP/issues/147 https://github.com/jishenghua/jshERP/ |
| llamastack--Llama Stack | Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log. | 2026-01-30 | 3.2 | CVE-2026-25211 | https://github.com/llamastack/llama-stack/pull/4439 https://github.com/llamastack/llama-stack/compare/v0.4.0rc2...v0.4.0rc3 |
| MoonshotAI--kimi-agent-sdk | Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync() as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $(cmd) could execute arbitrary commands. Note: This vulnerability exists only in the repository's development scripts. The published VSCode extension does not include these files and end users are not affected. This is fixed in version 0.1.6 by replacing execSync with execFileSync using array arguments. As a workaround, ensure .vsix files in the project directory have safe filenames before running publish scripts. | 2026-01-29 | 2.9 | CVE-2026-25046 | https://github.com/MoonshotAI/kimi-agent-sdk/security/advisories/GHSA-mv58-gxx5-8hj3 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default. | 2026-01-27 | 3.7 | CVE-2026-22261 | https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44 https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667 https://redmine.openinfosecfoundation.org/issues/8156 |
| projectworlds--House Rental and Property Listing | A weakness has been identified in projectworlds House Rental and Property Listing 1.0. This vulnerability affects unknown code of the file /app/sms.php. This manipulation of the argument Message causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-30 | 3.5 | CVE-2026-1700 | VDB-343490 | projectworlds House Rental and Property Listing sms.php cross site scripting VDB-343490 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741977 | projectworlds.com House rental And Property Listing Project V1.0 cross site scripting https://github.com/jiahao412/CVE/issues/3 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption. | 2026-01-26 | 3.1 | CVE-2026-1190 | https://access.redhat.com/security/cve/CVE-2026-1190 RHBZ#2430835 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability. | 2026-01-27 | 2.8 | CVE-2026-1485 | https://access.redhat.com/security/cve/CVE-2026-1485 RHBZ#2433325 |
| rethinkdb--rethinkdb | A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-28 | 2.4 | CVE-2026-1520 | VDB-343191 | rethinkdb Secondary Index cross site scripting VDB-343191 | CTI Indicators (IOB, IOC, TTP) Submit #738312 | rethinkdb V2.4.3(latest) cross-site scripting(XSS) https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20rethinkdb%20database.md https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20rethinkdb%20database.md#poc |
| Tanium--Discover | Tanium addressed an improper input validation vulnerability in Discover. | 2026-01-26 | 2.7 | CVE-2026-0925 | TAN-2026-002 |
| Tanium--Interact | Tanium addressed an improper access controls vulnerability in Interact. | 2026-01-29 | 3.1 | CVE-2025-15288 | TAN-2025-034 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| aangine--aangine | An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module endpoints | 2026-01-26 | not yet calculated | CVE-2025-67274 | https://aangine.com https://continuous.software/products https://gist.github.com/c4m0uflag3/26fec868b764c4e7314ad246bab01c88 |
| abcz316--SKRoot-linuxKernelRoot | NULL Pointer Dereference vulnerability in abcz316 SKRoot-linuxKernelRoot (testRoot/jni/utils modules). This vulnerability is associated with program files cJSON.Cpp. This issue affects SKRoot-linuxKernelRoot. | 2026-01-27 | not yet calculated | CVE-2026-24813 | https://github.com/abcz316/SKRoot-linuxKernelRoot/pull/116 |
| Acronis--Acronis Cloud Manager | Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cloud Manager (Windows) before build 6.4.25342.354. | 2026-01-27 | not yet calculated | CVE-2026-0705 | SEC-7316 |
| AhaChat--AhaChat Messenger Marketing | The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 2026-01-26 | not yet calculated | CVE-2025-14316 | https://wpscan.com/vulnerability/7d69ebec-f940-4491-a51e-70a9e1bf8a4c/ |
| akuity--kargo | Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue. | 2026-01-27 | not yet calculated | CVE-2026-24748 | https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5 https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772 https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7 https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c |
| ALSA Project--alsa-lib | alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash. | 2026-01-29 | not yet calculated | CVE-2026-25068 | https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow |
| Altitude--Altitude Communication Server | Illegal HTTP request traffic vulnerability (CL.0) in Altitude Communication Server, caused by inconsistent analysis of multiple HTTP requests over a single Keep-Alive connection using Content-Length headers. This can cause a desynchronization of requests between frontend and backend servers, which could allow request hiding, cache poisoning or security bypass. | 2026-01-26 | not yet calculated | CVE-2025-41082 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-altitude-communication-server |
| Altitude--Altitude Communication Server | Vulnerability in Altitude Authentication Service and Altitude Communication Server v8.5.3290.0 by Altitude, where manipulation of Host header in HTTP requests allows redirection to an arbitrary URL or modification of the base URL to trick the victim into sending login credentials to a malicious website. This behavior can be used to redirect clients to endpoints controlled by the attacker. | 2026-01-26 | not yet calculated | CVE-2025-41083 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-altitude-communication-server |
| AltumCode--AltumCode | A directory traversal (Zip Slip) vulnerability exists in the "Static Sites" feature of 66biolinks v44.0.0 by AltumCode. Uploaded ZIP archives are automatically extracted without validating or sanitizing file paths. An attacker can include traversal sequences (e.g., ../) in ZIP entries to write files outside the intended extraction directory. This allows static files (html, js, css, images) file write to unintended locations, or overwriting existing HTML files, potentially leading to content defacement and, in certain deployments, further impact if sensitive files are overwritten. | 2026-01-28 | not yet calculated | CVE-2025-69601 | https://gist.github.com/Waqar-Arain/9cd59aa74de540eeb3b09d15bac35e36 |
| AltumCode--AltumCode | A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in from the same browser, allowing an attacker who can set or predict a session ID to potentially hijack an authenticated session. | 2026-01-28 | not yet calculated | CVE-2025-69602 | https://gist.github.com/Waqar-Arain/c8117308325a91b8f3b7829646915275 |
| Amidaware--Amidaware | A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server. This occurs due to improper sanitization of the template_md parameter, enabling direct injection of Jinja2 templates. This occurs due to misuse of the generate_html() function, the user-controlled value is inserted into `env.from_string`, a function that processes Jinja2 templates arbitrarily, making an SSTI possible. | 2026-01-29 | not yet calculated | CVE-2025-69516 | https://github.com/amidaware/tacticalrmm https://www.amidaware.com/ https://gist.github.com/NtGabrielGomes/7c424367cc316fd7527f668ff076fece |
| Amidaware--Amidaware | An HTML injection vulnerability in Amidaware Inc Tactical RMM v1.3.1 and earlier allows authenticated users to inject arbitrary HTML content during the creation of a new agent via the POST /api/v3/newagent/ endpoint. The agent_id parameter accepts up to 255 characters and is improperly sanitized using DOMPurify.sanitize() with the html: true option enabled, which fails to adequately filter HTML input. The injected HTML is rendered in the Tactical RMM management panel when an administrator attempts to remove or shut down the affected agent, potentially leading to client-side attacks such as UI manipulation or phishing. NOTE: the Supplier's position is that this has incorrect information. | 2026-01-28 | not yet calculated | CVE-2025-69517 | https://github.com/amidaware/tacticalrmm https://www.amidaware.com/ https://gist.github.com/NtGabrielGomes/fdabcd9e85d841c5490739686e0f8b72 |
| amir20--dozzle | Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle's agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out of scope containers (for example, `env=prod`) on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue. | 2026-01-27 | not yet calculated | CVE-2026-24740 | https://github.com/amir20/dozzle/security/advisories/GHSA-m855-r557-5rc5 https://github.com/amir20/dozzle/commit/620e59aa246347ba8a27e68c532853b8a5137bc1 https://github.com/amir20/dozzle/releases/tag/v9.0.3 |
| anyrtcIO-Community--anyRTC-RTMP-OpenSource | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in anyrtcIO-Community anyRTC-RTMP-OpenSource (third_party/faad2-2.7/libfaad modules). This vulnerability is associated with program files bits.C, syntax.C. This issue affects anyRTC-RTMP-OpenSource: before 1.0. | 2026-01-27 | not yet calculated | CVE-2026-1465 | https://github.com/anyrtcIO-Community/anyRTC-RTMP-OpenSource/pull/166 |
| Apache Software Foundation--Apache Karaf | Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS. NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue. This issue affects Apache Karaf Decanter before 2.12.0. Users are recommended to upgrade to version 2.12.0, which fixes the issue. | 2026-01-26 | not yet calculated | CVE-2026-24656 | https://lists.apache.org/thread/dc5wmdn6hyc992olntkl75kk04ndzx34 |
| Apache Software Foundation--HDFS native client | Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. | 2026-01-26 | not yet calculated | CVE-2025-27821 | https://lists.apache.org/thread/kwjhyyx0wl2z9b0mw0styjk0hhdbyplh |
| Apple--iOS and iPadOS | The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. Processing a maliciously crafted Keynote file may disclose memory contents. | 2026-01-28 | not yet calculated | CVE-2025-46306 | https://support.apple.com/en-us/125108 https://support.apple.com/en-us/126254 https://support.apple.com/en-us/125110 |
| Apple--macOS | An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. Processing a maliciously crafted Pages document may result in unexpected termination or disclosure of process memory. | 2026-01-28 | not yet calculated | CVE-2025-46316 | https://support.apple.com/en-us/125634 https://support.apple.com/en-us/126255 https://support.apple.com/en-us/125632 |
| askbot--askbot | All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2. | 2026-01-27 | not yet calculated | CVE-2026-1213 | https://fluidattacks.com/advisories/ghost https://askbot.com/ https://github.com/ASKBOT/askbot-devel/commit/3da3d75f35204aa71633c7a315327ba39cb6295d |
| assertj--assertj | AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement. | 2026-01-26 | not yet calculated | CVE-2026-24400 | https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7 |
| Atlassian--Crowd Data Center | This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3 See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive). This vulnerability was reported via our Atlassian (Internal) program. | 2026-01-28 | not yet calculated | CVE-2026-21569 | https://confluence.atlassian.com/pages/viewpage.action?pageId=1712324819 https://jira.atlassian.com/browse/CWD-6453 |
| azerothcore--azerothcore-wotlk | Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in azerothcore azerothcore-wotlk (deps/zlib modules). This vulnerability is associated with program files inflate.C. This issue affects azerothcore-wotlk: through v4.0.0. | 2026-01-27 | not yet calculated | CVE-2026-24793 | https://github.com/azerothcore/azerothcore-wotlk/pull/21599 |
| briandilley--jsonrpc4j | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java. This issue affects jsonrpc4j: through 1.6.0. | 2026-01-27 | not yet calculated | CVE-2026-24802 | https://github.com/briandilley/jsonrpc4j/pull/333 |
| Budibase--budibase | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available. | 2026-01-29 | not yet calculated | CVE-2026-25040 | https://github.com/Budibase/budibase/security/advisories/GHSA-4wfw-r86x-qxrm https://drive.google.com/file/d/1Dtn1WLJILRYUeoMjEbUfCbqQ3g2AW2Qz/view?usp=sharing https://github.com/user-attachments/files/22066135/budibase-privileged-esc-poc.txt |
| bytecodealliance--wasmtime | Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime. | 2026-01-27 | not yet calculated | CVE-2026-24116 | https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73 https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6 https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440 https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227 https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps https://docs.wasmtime.dev/stability-release.html https://rustsec.org/advisories/RUSTSEC-2026-0006.html |
| Cacti--Cacti | A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. | 2026-01-29 | not yet calculated | CVE-2025-45160 | https://github.com/Cacti/cacti https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32 |
| cadaver--turso3d | Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d. This issue affects . | 2026-01-27 | not yet calculated | CVE-2026-24826 | https://github.com/cadaver/turso3d/pull/11 |
| Canonical--juju | Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing. | 2026-01-28 | not yet calculated | CVE-2026-1237 | https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x |
| CardboardPowered--cardboard | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in CardboardPowered cardboard (src/main/java/org/cardboardpowered/impl/world modules). This vulnerability is associated with program files WorldImpl.Java. This issue affects cardboard: before 1.21.4. | 2026-01-27 | not yet calculated | CVE-2026-24794 | https://github.com/CardboardPowered/cardboard/pull/506 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin), the payload is triggered, leading to account takeover. Version 6.7.2 fixes the vulnerability. | 2026-01-30 | not yet calculated | CVE-2026-24855 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-49qp-cfqx-c767 https://github.com/ChurchCRM/CRM/commit/0cd0d211459b8c19509d36b3c1dfcd7f8c10d914 https://github.com/ChurchCRM/CRM/commit/ec4b16e9a3ca09c8a01a712bcb90579c42f2ba28 |
| CloverHackyColor--CloverBootloader | Out-of-bounds Write vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regcomp.C. This issue affects CloverBootloader: before 5162. | 2026-01-27 | not yet calculated | CVE-2026-24795 | https://github.com/CloverHackyColor/CloverBootloader/pull/733 |
| CloverHackyColor--CloverBootloader | Out-of-bounds Read vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regparse.C. This issue affects CloverBootloader: before 5162. | 2026-01-27 | not yet calculated | CVE-2026-24796 | https://github.com/CloverHackyColor/CloverBootloader/pull/732 |
| code-projects--code-projects | code-projects Computer Book Store 1.0 is vulnerable to File Upload in admin_add.php. | 2026-01-27 | not yet calculated | CVE-2025-69559 | https://gitee.com/Z_180yc/zyy/issues/IDBY27 https://gist.github.com/lih28984-commits/cd3a275dfd9c92a79b6a4a0e8801f4fa |
| code-projects--code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /insertmessage.php via the userid parameter. | 2026-01-27 | not yet calculated | CVE-2025-69562 | https://gitee.com/Z_180yc/zyy/issues/IDC5FU https://gist.github.com/lih28984-commits/a847a034c3bb626904dcc6ab7576257f |
| code-projects--code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExLogin.php via the Password parameter. | 2026-01-27 | not yet calculated | CVE-2025-69563 | https://gitee.com/Z_180yc/zyy/issues/IDC3IB https://gist.github.com/lih28984-commits/544eaaca3ea58563a807c43b521d76e6 |
| code-projects--code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters. | 2026-01-27 | not yet calculated | CVE-2025-69564 | https://gitee.com/Z_180yc/zyy/issues/IDCEJP https://gist.github.com/lih28984-commits/87eacfc32186020a04e03a2af448723f |
| code-projects--code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php. | 2026-01-27 | not yet calculated | CVE-2025-69565 | https://gitee.com/Z_180yc/zyy/issues/IDCFAQ https://gist.github.com/lih28984-commits/81d523afde3b122c652f652bab808e33 |
| coolsnowwolf--lede | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7615d/src/mt_wifi/embedded/security modules). This vulnerability is associated with program files bn_lib.C. This issue affects lede: through r25.10.1. | 2026-01-27 | not yet calculated | CVE-2026-24803 | https://github.com/coolsnowwolf/lede/pull/13346 |
| coolsnowwolf--lede | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7603e/src/mt7603_wifi/common modules). This vulnerability is associated with program files bn_lib.C. This issue affects lede: through r25.10.1. | 2026-01-27 | not yet calculated | CVE-2026-24804 | https://github.com/coolsnowwolf/lede/pull/13368 |
| CPU-Z--CPU-Z | The kernel driver of CPUID CPU-Z v2.17 and earlier does not validate user-supplied values passed via its IOCTL interface, allowing an attacker to access sensitive information via a crafted request. | 2026-01-27 | not yet calculated | CVE-2025-65264 | https://www.cpuid.com/softwares/cpu-z.html https://github.com/cwjchoi01/CVE-2025-65264 |
| datavane--tis | Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java. This issue affects tis: before v4.3.0. | 2026-01-27 | not yet calculated | CVE-2026-24815 | https://github.com/datavane/tis/pull/443 |
| datavane--tis | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in datavane tis (tis-console/src/main/java/com/qlangtech/tis/runtime/module/action modules). This vulnerability is associated with program files ChangeDomainAction.Java. This issue affects tis: before v4.3.0. | 2026-01-27 | not yet calculated | CVE-2026-24816 | https://github.com/datavane/tis/pull/444 |
| davisking--dlib | Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in davisking dlib (dlib/external/zlib modules). This vulnerability is associated with program files inflate.C. This issue affects dlib: before v19.24.9. | 2026-01-27 | not yet calculated | CVE-2026-24799 | https://github.com/davisking/dlib/pull/3063 |
| Delinea Inc.--Secret Server On-Prem | Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules). This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password. Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails. | 2026-01-27 | not yet calculated | CVE-2025-12810 | https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-9-000047.htm https://trust.delinea.com/?tcuUid=48260de9-954d-45c2-9c66-2c9510798a0b |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the ai_discover_persona access controls and gain ongoing DM access to personas that may be wired to staff-only categories, RAG document sets, or automated tooling, enabling unauthorized data disclosure. Because the controller also accepts arbitrary user_id, an attacker can impersonate other accounts to trigger unwanted AI conversations on their behalf, generating confusing or abusive PM traffic. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | not yet calculated | CVE-2025-68660 | https://github.com/discourse/discourse/security/advisories/GHSA-mrvm-rprq-jqqh |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked through the archives leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched. | 2026-01-28 | not yet calculated | CVE-2025-68666 | https://github.com/discourse/discourse/security/advisories/GHSA-xmvw-jjqq-25mv |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments that moderators should not have access to. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. There is no workaround. Limit moderator privileges to trusted users until the patch is applied. | 2026-01-28 | not yet calculated | CVE-2025-69218 | https://github.com/discourse/discourse/security/advisories/GHSA-79f9-j8h4-3w6w |
| discourse--discourse | Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the "require_change_email_confirmation" setting. | 2026-01-28 | not yet calculated | CVE-2025-69289 | https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | not yet calculated | CVE-2026-23743 | https://github.com/discourse/discourse/security/advisories/GHSA-v5jw-rxc6-4cvv |
| DokuWiki--DokuWiki | aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php. | 2026-01-30 | not yet calculated | CVE-2025-51958 | https://www.dokuwiki.org/plugin:runcommand https://github.com/aelsantex/runcommand https://gist.github.com/NtustLin/f64528002e4f61874045799127dc49a4 |
| dormakaba--Access Manager 92xx-k5 | The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps. This insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication: - Re-configure Access Managers (e.g. remove alarming system requirements) - Freely re-configure the inputs and outputs - Open all connected doors permanently - Open all doors for a defined time interval - Change the admin password - and many more Network level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet. | 2026-01-26 | not yet calculated | CVE-2025-59097 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | The Access Manager is offering a trace functionality to debug errors and issues with the device. The trace functionality is implemented as a simple TCP socket. A tool called TraceClient.exe, provided by dormakaba via the Access Manager web interface, is used to connect to the socket and receive debug information. The data is permanently broadcasted on the TCP socket. The socket can be accessed without any authentication or encryption. The transmitted data is based on the set verbosity level. The verbosity level can be set using the http(s) endpoint with the service interface password or with the guessable identifier of the device via the SOAP interface. The transmitted data contains sensitive data like the Card ID as well as all button presses on Registration units. This allows an attacker with network level access to retrieve all entered PINs on a registration unit. | 2026-01-26 | not yet calculated | CVE-2025-59098 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | The Access Manager is using the open source web server CompactWebServer written in C#. This web server is affected by a path traversal vulnerability, which allows an attacker to directly access files via simple GET requests without prior authentication. Hence, it is possible to retrieve all files stored on the file system, including the SQLite database Database.sq3, containing badge information and the corresponding PIN codes. Additionally, when trying to access certain files, the web server crashes and becomes unreachable for about 60 seconds. This can be abused to continuously send the request and cause denial of service. | 2026-01-26 | not yet calculated | CVE-2025-59099 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be accessed anymore. However, it was noticed that sometimes the device does not reboot and therefore the exported database is not deleted, or the device reboots and the export is not deleted for unknown reasons. The path where the database export is located can be accessed without prior authentication. This leads to the fact that an attacker might be able to get access to the exported database without prior authentication. The database includes sensitive data like passwords, card pins, encrypted Mifare sitekeys and much more. | 2026-01-26 | not yet calculated | CVE-2025-59100 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface. | 2026-01-26 | not yet calculated | CVE-2025-59101 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored unencrypted. Combined with the fact that an attacker can easily get access to the backup functionality by abusing the session management issue (CVE-2025-59101), or by exploiting the weak default password (CVE-2025-59108), or by simply setting a new password without prior authentication via the SOAP API (CVE-2025-59097), it is easily possible to access the sensitive data on the device. | 2026-01-26 | not yet calculated | CVE-2025-59102 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | The Access Manager 92xx in hardware revision K7 is based on Linux instead of Windows CE embedded in older hardware revisions. In this new hardware revision it was noticed that an SSH service is exposed on port 22. By analyzing the firmware of the devices, it was noticed that there are two users with hardcoded and weak passwords that can be used to access the devices via SSH. The passwords can be also guessed very easily. The password of at least one user is set to a random value after the first deployment, with the restriction that the password is only randomized if the configured date is prior to 2022. Therefore, under certain circumstances, the passwords are not randomized. For example, if the clock is never set on the device, the battery of the clock module has been changed, the Access Manager has been factory reset and has not received a time yet. | 2026-01-26 | not yet calculated | CVE-2025-59103 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption. Thus, essential files, such as "/etc/passwd", as well as stored certificates, cryptographic keys, stored PINs and so on can be modified and read, in order to gain SSH root access on the Linux-based K7 model. On the Windows CE based K5 model, the password for the Access Manager can additionally be read in plain text from the stored SQLite database. | 2026-01-26 | not yet calculated | CVE-2025-59105 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | Dormakaba provides the software FWServiceTool to update the firmware version of the Access Managers via the network. The firmware in some instances is provided in an encrypted ZIP file. Within this tool, the password used to decrypt the ZIP and extract the firmware is set statically and can be extracted. This password was valid for multiple observed firmware versions. | 2026-01-26 | not yet calculated | CVE-2025-59107 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | By default, the password for the Access Manager's web interface, is set to 'admin'. In the tested version changing the password was not enforced. | 2026-01-26 | not yet calculated | CVE-2025-59108 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k7 | With physical access to the device and enough time an attacker is able to solder test leads to the debug footprint (or use the 6-Pin tag-connect cable). Thus, the attacker gains access to the bootloader, where the kernel command line can be changed. An attacker is able to gain a root shell through this vulnerability. | 2026-01-26 | not yet calculated | CVE-2025-59104 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k7 | The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges. | 2026-01-26 | not yet calculated | CVE-2025-59106 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--dormakaba registration unit 9002 | The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi). | 2026-01-26 | not yet calculated | CVE-2025-59109 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards. | 2026-01-26 | not yet calculated | CVE-2025-59090 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | Multiple hardcoded credentials have been identified, which are allowed to sign-in to the exos 9300 datapoint server running on port 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used to graphically visualize open doors and alerts. However, controlling the Access Managers via this interface is also possible. To send and receive status information, authentication is necessary. The Kaba exos 9300 application contains hard-coded credentials for four different users, which are allowed to login to the datapoint server and receive as well as send information, including commands to open arbitrary doors. | 2026-01-26 | not yet calculated | CVE-2025-59091 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | An RPC service, which is part of exos 9300, is reachable on port 4000, run by the process FSMobilePhoneInterface.exe. This service is used for interprocess communication between services and the Kaba exos 9300 GUI, containing status information about the Access Managers. Interacting with the service does not require any authentication. Therefore, it is possible to send arbitrary status information about door contacts etc. without prior authentication. | 2026-01-26 | not yet calculated | CVE-2025-59092 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | Exos 9300 instances are using a randomly generated database password to connect to the configured MSSQL server. The password is derived from static random values, which are concatenated to the hostname and a random string that can be read by every user from the registry. This allows an attacker to derive the database password and get authenticated access to the central exos 9300 database as the user Exos9300Common. The user has the roles ExosDialog and ExosDialogDotNet assigned, which are able to read most tables of the database as well as update and insert into many tables. | 2026-01-26 | not yet calculated | CVE-2025-59093 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | A local privilege escalation vulnerability has been identified in the Kaba exos 9300 System management application (d9sysdef.exe). Within this application it is possible to specify an arbitrary executable as well as the weekday and start time, when the specified executable should be run with SYSTEM privileges. | 2026-01-26 | not yet calculated | CVE-2025-59094 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | The program libraries (DLL) and binaries used by exos 9300 contain multiple hard-coded secrets. One notable example is the function "EncryptAndDecrypt" in the library Kaba.EXOS.common.dll. This algorithm uses a simple XOR encryption technique combined with a cryptographic key (cryptoKey) to transform each character of the input string. However, it's important to note that this implementation does not provide strong encryption and should not be considered secure for sensitive data. It's more of a custom encryption approach rather than a common algorithm used in cryptographic applications. The key itself is static and based on the founder's name of the company. The functionality is for example used to encrypt the user PINs before storing them in the MSSQL database. | 2026-01-26 | not yet calculated | CVE-2025-59095 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | The default password for the extended admin user mode in the application U9ExosAdmin.exe ("Kaba 9300 Administration") is hard-coded in multiple locations as well as documented in the locally stored user documentation. | 2026-01-26 | not yet calculated | CVE-2025-59096 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| Drupal--Acquia Content Hub | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery. This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. | 2026-01-28 | not yet calculated | CVE-2025-14472 | https://www.drupal.org/sa-contrib-2025-125 |
| Drupal--AI (Artificial Intelligence) | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS). This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. | 2026-01-28 | not yet calculated | CVE-2025-13981 | https://www.drupal.org/sa-contrib-2025-119 |
| Drupal--CKEditor 5 Premium Features | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass. This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. | 2026-01-28 | not yet calculated | CVE-2025-13980 | https://www.drupal.org/sa-contrib-2025-118 |
| Drupal--Disable Login Page | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass. This issue affects Disable Login Page: from 0.0.0 before 1.1.3. | 2026-01-28 | not yet calculated | CVE-2025-13986 | https://www.drupal.org/sa-contrib-2025-124 |
| Drupal--Drupal | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS). This issue affects Drupal: from 7.X-1.0 through 7.X-1.22. | 2026-01-28 | not yet calculated | CVE-2026-0749 | https://www.herodevs.com/vulnerability-directory/cve-2026-0749 https://d7es.tag1.com/security-advisories/form-builder-less-critical-cross-site-scripting |
| Drupal--Drupal Commerce Paybox | Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass. This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5. | 2026-01-28 | not yet calculated | CVE-2026-0750 | https://www.herodevs.com/vulnerability-directory/cve-2026-0750 https://d7es.tag1.com/security-advisories/commerce-paybox-moderately-critical-payment-bypass-vulnerability |
| Drupal--Entity Share | Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing. This issue affects Entity Share: from 0.0.0 before 3.13.0. | 2026-01-28 | not yet calculated | CVE-2025-13985 | https://www.drupal.org/sa-contrib-2025-123 |
| Drupal--HTTP Client Manager | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing. This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1. | 2026-01-28 | not yet calculated | CVE-2025-14840 | https://www.drupal.org/sa-contrib-2025-126 |
| Drupal--Login Time Restriction | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery. This issue affects Login Time Restriction: from 0.0.0 before 1.0.3. | 2026-01-28 | not yet calculated | CVE-2025-13982 | https://www.drupal.org/sa-contrib-2025-120 |
| Drupal--Mini site | Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS. This issue affects Mini site: from 0.0.0 before 3.0.2. | 2026-01-28 | not yet calculated | CVE-2025-13979 | https://www.drupal.org/sa-contrib-2025-117 |
| Drupal--Next.js | Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS). This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. | 2026-01-28 | not yet calculated | CVE-2025-13984 | https://www.drupal.org/sa-contrib-2025-122 |
| Drupal--Tagify | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS). This issue affects Tagify: from 0.0.0 before 1.2.44. | 2026-01-28 | not yet calculated | CVE-2025-13983 | https://www.drupal.org/sa-contrib-2025-121 |
| Eclipse Foundation--Eclipse OMR | In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0. | 2026-01-29 | not yet calculated | CVE-2026-1188 | https://github.com/eclipse-omr/omr/pull/8082 |
| Eclipse Foundation--Eclipse ThreadX - NetX Duo | A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted network packet of "Packet Too Big" with more than 15 different source address can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. | 2026-01-27 | not yet calculated | CVE-2025-55102 | https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-f3rx-xrwm-q2rf |
| Edgemo (Danoffice IT)--Local Admin Service | Improper access control in the WCF endpoint in Edgemo (now owned by Danoffice IT) Local Admin Service 1.2.7.23180 on Windows allows a local user to escalate their privileges to local administrator via direct communication with the LocalAdminService.exe named pipe, bypassing client-side group membership restrictions. | 2026-01-30 | not yet calculated | CVE-2026-1680 | https://retest.dk/local-privilege-escalation-vulnerability-found-in-local-admin-service/ https://www.danofficeit.com/howwedoit/workplace/management/ |
| EGroupware--egroupware | EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability. | 2026-01-28 | not yet calculated | CVE-2026-22243 | https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113 https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113 |
| ESET, spol. s.r.o--ESET Inspect Connector | Planting a custom configuration file in ESET Inspect Connector allow load a malicious DLL. | 2026-01-30 | not yet calculated | CVE-2025-13176 | https://support.eset.com/en/ca8910-eset-customer-advisory-local-privilege-escalation-vulnerability-fixed-in-eset-inspect-connector-for-windows |
| eslint--eslint | Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow. | 2026-01-26 | not yet calculated | CVE-2025-50537 | https://github.com/eslint/eslint/issues/19646 https://gist.github.com/lyyffee/2ee1815e5c2da82c05e9838b9bfefbbc |
| Explorance--Blue | Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker can supply crafted input that is executed as part of backend database queries. The issue is exploitable without authentication, significantly raising the risk. | 2026-01-28 | not yet calculated | CVE-2025-57792 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57792 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0001.md |
| Explorance--Blue | Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user-supplied input in a web application component. Crafted input can be executed as part of backend database queries. The issue is exploitable without authentication, significantly elevating the risk. | 2026-01-28 | not yet calculated | CVE-2025-57793 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57793 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0002.md |
| Explorance--Blue | Explorance Blue versions prior to 8.14.9 contain an authenticated unrestricted file upload vulnerability in the administrative interface. The application does not adequately restrict uploaded file types, allowing malicious files to be uploaded and executed by the server. This condition enables remote code execution under default configurations. | 2026-01-28 | not yet calculated | CVE-2025-57794 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57794 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0003.md |
| Explorance--Blue | Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution. | 2026-01-28 | not yet calculated | CVE-2025-57795 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57795 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0004.md |
| Explorance--Blue | Explorance Blue versions prior to 8.14.12 use reversible symmetric encryption with a hardcoded static key to protect sensitive data, including user passwords and system configurations. This approach allows stored values to be decrypted offline if the encrypted data are obtained. | 2026-01-28 | not yet calculated | CVE-2025-57796 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57796 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0005.md |
| ExpressionEngine--ExpressionEngine | SQL Injection vulnerability in the Structure for Admin authenticated user | 2026-01-26 | not yet calculated | CVE-2025-59473 | https://hackerone.com/reports/3249794 |
| EZCast--EZCast Pro II | Multiple Buffer Overflows in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to cause a program crash and potential remote code execution | 2026-01-27 | not yet calculated | CVE-2026-24344 | https://hub.ntc.swiss/ntcf-2025-68873 |
| EZCast--EZCast Pro II | Cross-Site Request Forgery in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to bypass authorization checks and gain full access to the admin UI | 2026-01-27 | not yet calculated | CVE-2026-24345 | https://hub.ntc.swiss/ntcf-2025-32832 |
| EZCast--EZCast Pro II | Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application | 2026-01-27 | not yet calculated | CVE-2026-24346 | https://hub.ntc.swiss/ntcf-2025-13993 |
| EZCast--EZCast Pro II | Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to manipulate files in the /tmp directory | 2026-01-27 | not yet calculated | CVE-2026-24347 | https://hub.ntc.swiss/ntcf-2025-32806 |
| EZCast--EZCast Pro II | Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users. | 2026-01-27 | not yet calculated | CVE-2026-24348 | https://hub.ntc.swiss/ntcf-2025-145332 |
| FASTSHIFT--X-TRACK | Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in FASTSHIFT X-TRACK (Software/X-Track/USER/App/Utils/lv_img_png/PNGdec/src modules). This vulnerability is associated with program files inflate.C. This issue affects X-TRACK: through v2.7. | 2026-01-27 | not yet calculated | CVE-2026-24823 | https://github.com/FASTSHIFT/X-TRACK/pull/120 |
| Flexense--Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to change a user's password or create users via '/setup_login?sid=', affecting the 'username', 'password', and 'cpassword' parameters. | 2026-01-28 | not yet calculated | CVE-2025-59891 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete commands individually via '/delete_command?sid=', using the 'cid' parameter. | 2026-01-28 | not yet calculated | CVE-2025-59892 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to rename commands via '/rename_command?sid=', affecting the 'command_name' parameter. | 2026-01-28 | not yet calculated | CVE-2025-59893 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete all commands via '/delete_all_commands?sid='. | 2026-01-28 | not yet calculated | CVE-2025-59894 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insufficient validation of user-supplied data during this process. An attacker could send malicious requests to alter the configuration file, causing the application to become unresponsive. In a successful scenario, the service may not recover on its own and require a complete reinstallation, as the configuration becomes corrupted and prevents the service from restarting, even manually. | 2026-01-28 | not yet calculated | CVE-2025-59895 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/add_command?sid=', affecting the 'command_name' parameter. | 2026-01-28 | not yet calculated | CVE-2025-59896 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/edit_command?sid=', affecting the 'source_dir' and 'dest_dir' parameters. | 2026-01-28 | not yet calculated | CVE-2025-59897 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/add_exclude_dir?sid=', affecting the 'exclude_dir' parameter. | 2026-01-28 | not yet calculated | CVE-2025-59898 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/server_options?sid=', affecting the 'tasks_logs_dir', 'errors_logs_dir', 'error_notifications_address', 'status_notifications_address', and 'status_reports_address' parameters. | 2026-01-28 | not yet calculated | CVE-2025-59899 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/server_options?sid=', affecting the 'tasks_logs_dir', 'errors_logs_dir', 'error_notifications_address', 'status_notifications_address', and 'status_reports_address' parameters. | 2026-01-28 | not yet calculated | CVE-2025-59900 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent by POST. An attacker could exploit this weakness to send malicious content to an authenticated user and steal information from their session. | 2026-01-28 | not yet calculated | CVE-2025-59901 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| FluentCMS--FluentCMS | FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in the browser of any user accessing the uploaded file URL. | 2026-01-29 | not yet calculated | CVE-2025-15549 | GitHub Issue #2404 VulnCheck Advisory: FluentCMS 2026 Stored XSS via SVG Upload in File Management |
| foxinmy--weixin4j | Improperly Controlled Sequential Memory Allocation vulnerability in foxinmy weixin4j (weixin4j-base/src/main/java/com/foxinmy/weixin4j/util modules). This vulnerability is associated with program files CharArrayBuffer.Java, ClassUtil.Java. This issue affects weixin4j. | 2026-01-27 | not yet calculated | CVE-2026-24819 | https://github.com/foxinmy/weixin4j/pull/229 |
| FUJIFILM Business Innovation Corp.--beat-access for Windows | beat-access for Windows version 3.0.3 and prior contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with SYSTEM privileges. | 2026-01-27 | not yet calculated | CVE-2026-21408 | https://www.fujifilm.com/fbglobal/eng/company/news/notice/2026/0127_announce.html https://jvn.jp/en/jp/JVN03776126/ |
| Funambol--Cloud Server | Vulnerability that allows a Padding Oracle Attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate 'self-signed' access URLs. | 2026-01-28 | not yet calculated | CVE-2025-41351 | https://www.incibe.es/en/incibe-cert/notices/aviso/weak-encryption-funambols-cloud-server |
| FunJSO--FunJSO | FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26. | 2026-01-28 | not yet calculated | CVE-2022-40619 | https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117 https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities |
| FunJSO--FunJSO | FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading update packages through its auto-update mechanism. An attacker (suitably positioned on the network) could intercept the update request and deliver a malicious update package in order to gain arbitrary code execution on affected devices. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26. | 2026-01-28 | not yet calculated | CVE-2022-40620 | https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117 https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities |
| GaijinEntertainment--DagorEngine | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in GaijinEntertainment DagorEngine (prog/3rdPartyLibs/miniupnpc modules). This vulnerability is associated with program files upnpreplyparse.C. This issue affects DagorEngine: through dagor_2025_01_15. | 2026-01-27 | not yet calculated | CVE-2026-24798 | https://github.com/GaijinEntertainment/DagorEngine/pull/136 |
| geopandas--geopandas | SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. | 2026-01-30 | not yet calculated | CVE-2025-69662 | https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas/ https://github.com/geopandas/geopandas/pull/3681 |
| gmrtd--gmrtd | gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and cpu cycles. ReadFile can consume an extended TLV with lengths well outside what would be available in ICs. It can accept something all the way up to 4GB which would take too many iterations in 256 byte chunks, and would also try to allocate memory that might not be available in constrained environments like phones. Or if an API sends data to ReadFile, the same problem applies. The very small chunked read also locks the goroutine in accepting data for a very large number of iterations. projects using the gmrtd library to read files from NFCs can experience extreme slowdowns or memory consumption. A malicious NFC can just behave like the mock transceiver described above and by just sending dummy bytes as each chunk to be read, can make the receiving thread unresponsive and fill up memory on the host system. Version 0.17.2 patches the issue. | 2026-01-27 | not yet calculated | CVE-2026-24738 | https://github.com/gmrtd/gmrtd/security/advisories/GHSA-j49h-6577-5xwq https://github.com/gmrtd/gmrtd/commit/54469a95e5a20a8602ac1457b2110bfeb80c8891 https://github.com/gmrtd/gmrtd/releases/tag/v0.17.2 |
| Go standard library--archive/zip | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. | 2026-01-28 | not yet calculated | CVE-2025-61728 | https://go.dev/cl/736713 https://go.dev/issue/77102 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4342 |
| Go standard library--crypto/tls | During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. | 2026-01-28 | not yet calculated | CVE-2025-61730 | https://go.dev/cl/724120 https://go.dev/issue/76443 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4340 |
| Go standard library--net/url | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. | 2026-01-28 | not yet calculated | CVE-2025-61726 | https://go.dev/cl/736712 https://go.dev/issue/77101 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4341 |
| Go toolchain--cmd/go | Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location. | 2026-01-28 | not yet calculated | CVE-2025-61731 | https://go.dev/cl/736711 https://go.dev/issue/77100 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4339 |
| Go toolchain--cmd/go | Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths. | 2026-01-28 | not yet calculated | CVE-2025-68119 | https://go.dev/cl/736710 https://go.dev/issue/77099 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4338 |
| Google--Chrome | Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-01-27 | not yet calculated | CVE-2026-1504 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html https://issues.chromium.org/issues/474435504 |
| gradle--gradle-completion | gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious Gradle build file. The `gradle-completion` script for Bash fails to adequately sanitize Gradle task names and task descriptions, allowing command injection via a malicious Gradle build file when the user completes a command in Bash (without them explicitly running any task in the build). For example, given a task description that includes a string between backticks, then that string would be evaluated as a command when presenting the task description in the completion list. While task execution is the core feature of Gradle, this inherent execution may lead to unexpected outcomes. The vulnerability does not affect zsh completion. The first patched version is 9.3.1. As a workaround, it is possible and effective to temporarily disable bash completion for Gradle by removing `gradle-completion` from `.bashrc` or `.bash_profile`. | 2026-01-29 | not yet calculated | CVE-2026-25063 | https://github.com/gradle/gradle-completion/security/advisories/GHSA-qggc-44r3-cjgv https://github.com/gradle/gradle-completion/commit/ecacc32bb882210e5d37cd79a74de1af0d0ccad7 |
| Hiawatha--Hiawatha Web server | Improper header parsing may lead to request smuggling has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver. | 2026-01-26 | not yet calculated | CVE-2025-57783 | https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/http.c?ref_type=heads#L205 |
| Hiawatha--Hiawatha Web server | Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client. | 2026-01-26 | not yet calculated | CVE-2025-57784 | https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/tomahawk.c?ref_type=heads#L429 |
| Hiawatha--Hiawatha Web server | A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution. | 2026-01-26 | not yet calculated | CVE-2025-57785 | https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/xslt.c?ref_type=heads#L675 |
| Hitachi Energy--SuprOS | Default credentials vulnerability exists in SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment. | 2026-01-28 | not yet calculated | CVE-2025-7740 | https://publisher.hitachienergy.com/preview?DocumentID=8DBD000223&LanguageCode=en&DocumentPartId=&Action=launch |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue. | 2026-01-27 | not yet calculated | CVE-2026-24473 | https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817 https://github.com/honojs/hono/releases/tag/v4.11.7 |
| iba Systems--ibaPDA | A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system. | 2026-01-27 | not yet calculated | CVE-2025-14988 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01 |
| Icinga--icinga-powershell-framework | The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permissions of the Icinga for Windows `certificate` directory grant every user read access, which results in the exposure of private key of the Icinga certificate for the given host. All installations are affected. Versions 1.13.4, 1.12.4, and 1.11.2 contains a patch. Please note that upgrading to a fixed version of Icinga for Windows will also automatically fix a similar issue present in Icinga 2, CVE-2026-24413. As a workaround, the permissions can be restricted manually by updating the ACL for the given folder `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` (and `C:\ProgramData\icinga2\var` to fix the issue for the Icinga 2 agent as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. | 2026-01-29 | not yet calculated | CVE-2026-24414 | https://github.com/Icinga/icinga-powershell-framework/security/advisories/GHSA-88h5-rrm6-5973 https://github.com/Icinga/icinga2/security/advisories/GHSA-vfjg-6fpv-4mmr https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-for-windows-v1-13-4-v1-12-4-v1-11-2 |
| Icinga--icinga2 | Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. | 2026-01-29 | not yet calculated | CVE-2026-24413 | https://github.com/Icinga/icinga2/security/advisories/GHSA-vfjg-6fpv-4mmr https://github.com/Icinga/icinga-powershell-framework/security/advisories/GHSA-88h5-rrm6-5973 https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-for-windows-v1-13-4-v1-12-4-v1-11-2 |
| inspektor-gadget--inspektor-gadget | Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The `ig` binary provides a subcommand for image building, used to generate custom gadget OCI images. A part of this functionality is implemented in the file `inspektor-gadget/cmd/common/image/build.go`. The `Makefile.build` file is the Makefile template employed during the building process. This file includes user-controlled data in an unsafe fashion, specifically some parameters are embedded without an adequate escaping in the commands inside the Makefile. Prior to version 0.48.1, this implementation is vulnerable to command injection: an attacker able to control values in the `buildOptions` structure would be able to execute arbitrary commands during the building process. An attacker able to exploit this vulnerability would be able to execute arbitrary command on the Linux host where the `ig` command is launched, if images are built with the `--local` flag or on the build container invoked by `ig`, if the `--local` flag is not provided. The `buildOptions` structure is extracted from the YAML gadget manifest passed to the `ig image build` command. Therefore, the attacker would need a way to control either the full `build.yml` file passed to the `ig image build` command, or one of its options. Typically, this could happen in a CI/CD scenario that builds untrusted gadgets to verify correctness. Version 0.48.1 fixes the issue. | 2026-01-29 | not yet calculated | CVE-2026-24905 | https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-79qw-g77v-2vfh https://github.com/inspektor-gadget/inspektor-gadget/commit/7c83ad84ff7a68565655253e2cf1c5d2da695c1a |
| Internet Information Co., Ltd--DreamMaker | A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication. | 2026-01-30 | not yet calculated | CVE-2026-24728 | https://zuso.ai/advisory/za-2026-01 |
| Internet Information Co., Ltd--DreamMaker | An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file. | 2026-01-30 | not yet calculated | CVE-2026-24729 | https://zuso.ai/advisory/za-2026-02 |
| jmlepisto--clatter | Clatter is a no_std compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versiosn prior to2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise Protocol Framework Section 9.3). This could allow PSK-derived keys to be used for encryption without proper randomization by self-chosen ephemeral randomness, weakening security guarantees and potentially allowing catastrophic key reuse. Affected default patterns include `noise_pqkk_psk0`, `noise_pqkn_psk0`, `noise_pqnk_psk0`, `noise_pqnn_psk0``, and some hybrid variants. Users of these patterns may have been using handshakes that do not meet the intended security properties. The issue is fully patched and released in Clatter v2.2.0. The fixed version includes runtime checks to detect offending handshake patterns. As a workaround, avoid using offending `*_psk0` variants of post-quantum patterns. Review custom handshake patterns carefully. | 2026-01-27 | not yet calculated | CVE-2026-24785 | https://github.com/jmlepisto/clatter/security/advisories/GHSA-253q-9q78-63x4 https://github.com/jmlepisto/clatter/commit/b65ae6e9b8019bed5407771e21f89ddff17c5a71 https://noiseprotocol.org/noise.html#validity-rule |
| Johnson Controls--iSTAR Configuration Utility (ICU) | Johnson Controls iSTAR Configuration Utility (ICU) has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility (ICU) version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the ICU tool. | 2026-01-28 | not yet calculated | CVE-2025-26386 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-04 |
| Johnson Controls--Metasys | Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects * Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation, * Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation, * LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1, * System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior, * Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior. | 2026-01-30 | not yet calculated | CVE-2025-26385 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories |
| json--json | The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution. | 2026-01-28 | not yet calculated | CVE-2025-61140 | https://github.com/dchester/jsonpath https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d |
| kata-containers--kata-containers | Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue. | 2026-01-29 | not yet calculated | CVE-2026-24054 | https://github.com/kata-containers/kata-containers/security/advisories/GHSA-5fc8-gg7w-3g5c https://github.com/kata-containers/kata-containers/commit/20ca4d2d79aa5bf63aa1254f08915da84f19e92a https://github.com/containerd/containerd/blob/d939b6af5f8536c2cae85e919e7c40070557df0e/plugins/snapshots/overlay/overlay.go#L564-L581 https://github.com/kata-containers/kata-containers/blob/a164693e1afead84cd01d5bc3575e2cbfe64ce35/src/runtime/virtcontainers/container.go#L1122-L1126 https://github.com/kata-containers/kata-containers/blob/c7d0c270ee7dfaa6d978e6e07b99dabdaf2b9fda/src/runtime/virtcontainers/container.go#L1616-L1623 |
| libpng--libpng | Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive | 2026-01-27 | not yet calculated | CVE-2025-28162 | https://github.com/pnggroup/libpng/issues/656 https://gist.github.com/kittener/fbfdb9b5610c6b3db0d5dea045a07c60 |
| libpng--libpng | Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function. | 2026-01-27 | not yet calculated | CVE-2025-28164 | https://github.com/pnggroup/libpng/issues/655 https://gist.github.com/kittener/506516f8c22178005b4379c8b2a7de20 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as CONFIG_PROVE_RAW_LOCK_NESTING warns: ============================= [ BUG: Invalid wait context ] 6.18.0-rc1+git... #1 ----------------------------- some-user-space-process/1251 is trying to lock: (&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter] other info that might help us debug this: context-{2:2} no locks held by some-user-space-process/.... stack backtrace: CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT Call trace: show_stack (C) dump_stack_lvl dump_stack __lock_acquire lock_acquire _raw_spin_lock_irqsave counter_push_event [counter] interrupt_cnt_isr [interrupt_cnt] __handle_irq_event_percpu handle_irq_event handle_simple_irq handle_irq_desc generic_handle_domain_irq gpio_irq_handler handle_irq_desc generic_handle_domain_irq gic_handle_irq call_on_irq_stack do_interrupt_handler el0_interrupt __el0_irq_handler_common el0t_64_irq_handler el0t_64_irq ... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an alternative to switching to raw_spinlock_t, because the latter would limit all potential nested locks to raw_spinlock_t only. | 2026-01-31 | not yet calculated | CVE-2025-71180 | https://git.kernel.org/stable/c/ef668c9a2261ec9287faba6e6ef05a98b391aa2b https://git.kernel.org/stable/c/51d2e5d6491447258cb39ff1deb93df15d3c23cb https://git.kernel.org/stable/c/1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c https://git.kernel.org/stable/c/49a66829dd3653695e60d7cae13521d131362fcd https://git.kernel.org/stable/c/425886b1f8304621b3f16632b274357067d5f13f https://git.kernel.org/stable/c/23f9485510c338476b9735d516c1d4aacb810d46 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: remove spin_lock() in rust_shrink_free_page() When forward-porting Rust Binder to 6.18, I neglected to take commit fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope") into account, and apparently I did not end up running the shrinker callback when I sanity tested the driver before submission. This leads to crashes like the following: ============================================ WARNING: possible recursive locking detected 6.18.0-mainline-maybe-dirty #1 Tainted: G IO -------------------------------------------- kswapd0/68 is trying to acquire lock: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: lock_list_lru_of_memcg+0x128/0x230 but task is already holding lock: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&l->lock); lock(&l->lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by kswapd0/68: #0: ffffffff90d2e260 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x597/0x1160 #1: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20 #2: ffffffff90cf3680 (rcu_read_lock){....}-{1:2}, at: lock_list_lru_of_memcg+0x2d/0x230 To fix this, remove the spin_lock() call from rust_shrink_free_page(). | 2026-01-31 | not yet calculated | CVE-2025-71181 | https://git.kernel.org/stable/c/30a98c97f7874031f2e1de19c777ce011143cba4 https://git.kernel.org/stable/c/361e0ff456a8daf9753c18030533256e4133ce7a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: j1939: make j1939_session_activate() fail if device is no longer registered syzbot is still reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 even after commit 93a27b5891b8 ("can: j1939: add missing calls in NETDEV_UNREGISTER notification handler") was added. A debug printk() patch found that j1939_session_activate() can succeed even after j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER) has completed. Since j1939_cancel_active_session() is processed with the session list lock held, checking ndev->reg_state in j1939_session_activate() with the session list lock held can reliably close the race window. | 2026-01-31 | not yet calculated | CVE-2025-71182 | https://git.kernel.org/stable/c/ebb0dfd718dd31c8d3600612ca4b7207ec3d923a https://git.kernel.org/stable/c/c3a4316e3c746af415c0fd6c6d489ad13f53714d https://git.kernel.org/stable/c/46ca9dc978923c5e1247a9e9519240ba7ace413c https://git.kernel.org/stable/c/78d87b72cebe2a993fd5b017e9f14fb6278f2eae https://git.kernel.org/stable/c/ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536 https://git.kernel.org/stable/c/79dd3f1d9dd310c2af89b09c71f34d93973b200f https://git.kernel.org/stable/c/5d5602236f5db19e8b337a2cd87a90ace5ea776d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only of the inodes and after a power failure that can result in an attempt to delete the other inode when it should not because it was not deleted before the power failure. In some case that delete attempt fails when the target inode is a directory that contains a subvolume inside it, since the log replay code is not prepared to deal with directory entries that point to root items (only inode items). 1) We have directories "dir1" (inode A) and "dir2" (inode B) under the same parent directory; 2) We have a file (inode C) under directory "dir1" (inode A); 3) We have a subvolume inside directory "dir2" (inode B); 4) All these inodes were persisted in a past transaction and we are currently at transaction N; 5) We rename the file (inode C), so at btrfs_log_new_name() we update inode C's last_unlink_trans to N; 6) We get a rename exchange for "dir1" (inode A) and "dir2" (inode B), so after the exchange "dir1" is inode B and "dir2" is inode A. During the rename exchange we call btrfs_log_new_name() for inodes A and B, but because they are directories, we don't update their last_unlink_trans to N; 7) An fsync against the file (inode C) is done, and because its inode has a last_unlink_trans with a value of N we log its parent directory (inode A) (through btrfs_log_all_parents(), called from btrfs_log_inode_parent()). 8) So we end up with inode B not logged, which now has the old name of inode A. At copy_inode_items_to_log(), when logging inode A, we did not check if we had any conflicting inode to log because inode A has a generation lower than the current transaction (created in a past transaction); 9) After a power failure, when replaying the log tree, since we find that inode A has a new name that conflicts with the name of inode B in the fs tree, we attempt to delete inode B... this is wrong since that directory was never deleted before the power failure, and because there is a subvolume inside that directory, attempting to delete it will fail since replay_dir_deletes() and btrfs_unlink_inode() are not prepared to deal with dir items that point to roots instead of inodes. When that happens the mount fails and we get a stack trace like the following: [87.2314] BTRFS info (device dm-0): start tree-log replay [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259 [87.2332] ------------[ cut here ]------------ [87.2338] BTRFS: Transaction aborted (error -2) [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2368] Modules linked in: btrfs loop dm_thin_pool (...) [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full) [87.2489] Tainted: [W]=WARN [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2538] Code: c0 89 04 24 (...) [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286 [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000 [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840 [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0 [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10 [87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000 [87. ---truncated--- | 2026-01-31 | not yet calculated | CVE-2025-71183 | https://git.kernel.org/stable/c/c7f0207db68d5a1b4af23acbef1a8e8ddc431ebb https://git.kernel.org/stable/c/a63998cd6687c14b160dccb0bbcf281b2eb0dab3 https://git.kernel.org/stable/c/0c2413c69129f6ce60157f7b53d9ba880260400b https://git.kernel.org/stable/c/d52af58dd463821c5c516aebb031a58934f696ea https://git.kernel.org/stable/c/7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id. But in btrfs_evict_inode() the root might be NULL, as implied in the next check that we do in btrfs_evict_inode(). Hence, we either should set the ->root_objectid to 0 in case the root is NULL, or we move tracing setup after checking that the root is not NULL. Setting the rootid to 0 at least gives us the possibility to trace this call even in the case when the root is NULL, so that's the solution taken here. | 2026-01-31 | not yet calculated | CVE-2025-71184 | https://git.kernel.org/stable/c/582ba48e4a4c06fef6bdcf4e57b7b9af660bbd0c https://git.kernel.org/stable/c/99e057f3d3ef24b99a7b1d84e01dd1bd890098da https://git.kernel.org/stable/c/f157dd661339fc6f5f2b574fe2429c43bd309534 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation Make sure to drop the reference taken when looking up the crossbar platform device during am335x route allocation. | 2026-01-31 | not yet calculated | CVE-2025-71185 | https://git.kernel.org/stable/c/6fdf168f57e331e148a1177a9b590a845c21b315 https://git.kernel.org/stable/c/f810132e825588fbad3cba940458c58bb7ec4d84 https://git.kernel.org/stable/c/30352277d8e09c972436f883a5efd1f1b763ac14 https://git.kernel.org/stable/c/4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: stm32: dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. | 2026-01-31 | not yet calculated | CVE-2025-71186 | https://git.kernel.org/stable/c/1a179ac01ff3993ab97e33cc77c316ed7415cda1 https://git.kernel.org/stable/c/2fb10259d4efb4367787b5ae9c94192e8a91c648 https://git.kernel.org/stable/c/3ef52d31cce8ba816739085a61efe07b63c6cf27 https://git.kernel.org/stable/c/dd6e4943889fb354efa3f700e42739da9bddb6ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: sh: rz-dmac: fix device leak on probe failure Make sure to drop the reference taken when looking up the ICU device during probe also on probe failures (e.g. probe deferral). | 2026-01-31 | not yet calculated | CVE-2025-71187 | https://git.kernel.org/stable/c/926d1666420c227eab50962a8622c1b8444720e8 https://git.kernel.org/stable/c/9fb490323997dcb6f749cd2660a17a39854600cd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: lpc18xx-dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. | 2026-01-31 | not yet calculated | CVE-2025-71188 | https://git.kernel.org/stable/c/9fba97baa520c9446df51a64708daf27c5a7ed32 https://git.kernel.org/stable/c/992eb8055a6e5dbb808672d20d68e60d5a89b12b https://git.kernel.org/stable/c/1e47d80f6720f0224efd19bcf081d39637569c10 https://git.kernel.org/stable/c/d4d63059dee7e7cae0c4d9a532ed558bc90efb55 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw: dmamux: fix OF node leak on route allocation failure Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures. | 2026-01-31 | not yet calculated | CVE-2025-71189 | https://git.kernel.org/stable/c/db7c79c1bbfb1b0184e78a17ac2bd0f2bc3134d1 https://git.kernel.org/stable/c/8f7a391211381ed2f6802032c78c7820d166bc49 https://git.kernel.org/stable/c/eabe40f8a53c29f531e92778ea243e379f4f7978 https://git.kernel.org/stable/c/ec25e60f9f95464aa11411db31d0906b3fb7b9f2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: bcm-sba-raid: fix device leak on probe Make sure to drop the reference taken when looking up the mailbox device during probe on probe failures and on driver unbind. | 2026-01-31 | not yet calculated | CVE-2025-71190 | https://git.kernel.org/stable/c/c80ca7bdff158401440741bdcf9175bd8608580b https://git.kernel.org/stable/c/db6f1d6d31711e73e6a214c73e6a8fb4cda0483d https://git.kernel.org/stable/c/2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b https://git.kernel.org/stable/c/7c3a46ebf15a9796b763a54272407fdbf945bed8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_hdmac: fix device leak on of_dma_xlate() Make sure to drop the reference taken when looking up the DMA platform device during of_dma_xlate() when releasing channel resources. Note that commit 3832b78b3ec2 ("dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()") fixed the leak in a couple of error paths but the reference is still leaking on successful allocation. | 2026-01-31 | not yet calculated | CVE-2025-71191 | https://git.kernel.org/stable/c/987c71671367f42460689b78244d7b894c50999a https://git.kernel.org/stable/c/6a86cf2c09e149d5718a5b7090545f7566da9334 https://git.kernel.org/stable/c/f3c23b7e941349505c3d40de2cc0acd93d9ac057 https://git.kernel.org/stable/c/b9074b2d7a230b6e28caa23165e9d8bc0677d333 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroyed With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler. | 2026-01-28 | not yet calculated | CVE-2026-23014 | https://git.kernel.org/stable/c/deee9dfb111ab00f9dfd46c0c7e36656b80f5235 https://git.kernel.org/stable/c/ff5860f5088e9076ebcccf05a6ca709d5935cfa9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths The reference obtained by calling usb_get_dev() is not released in the gpio_mpsse_probe() error paths. Fix that by using device managed helper functions. Also remove the usb_put_dev() call in the disconnect function since now it will be released automatically. | 2026-01-31 | not yet calculated | CVE-2026-23015 | https://git.kernel.org/stable/c/7ea26e6dcabc270433b6ded2a1aee85b215d1b28 https://git.kernel.org/stable/c/1e876e5a0875e71e34148c9feb2eedd3bf6b2b43 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: inet: frags: drop fraglist conntrack references Jakub added a warning in nf_conntrack_cleanup_net_list() to make debugging leaked skbs/conntrack references more obvious. syzbot reports this as triggering, and I can also reproduce this via ip_defrag.sh selftest: conntrack cleanup blocked for 60s WARNING: net/netfilter/nf_conntrack_core.c:2512 [..] conntrack clenups gets stuck because there are skbs with still hold nf_conn references via their frag_list. net.core.skb_defer_max=0 makes the hang disappear. Eric Dumazet points out that skb_release_head_state() doesn't follow the fraglist. ip_defrag.sh can only reproduce this problem since commit 6471658dc66c ("udp: use skb_attempt_defer_free()"), but AFAICS this problem could happen with TCP as well if pmtu discovery is off. The relevant problem path for udp is: 1. netns emits fragmented packets 2. nf_defrag_v6_hook reassembles them (in output hook) 3. reassembled skb is tracked (skb owns nf_conn reference) 4. ip6_output refragments 5. refragmented packets also own nf_conn reference (ip6_fragment calls ip6_copy_metadata()) 6. on input path, nf_defrag_v6_hook skips defragmentation: the fragments already have skb->nf_conn attached 7. skbs are reassembled via ipv6_frag_rcv() 8. skb_consume_udp -> skb_attempt_defer_free() -> skb ends up in pcpu freelist, but still has nf_conn reference. Possible solutions: 1 let defrag engine drop nf_conn entry, OR 2 export kick_defer_list_purge() and call it from the conntrack netns exit callback, OR 3 add skb_has_frag_list() check to skb_attempt_defer_free() 2 & 3 also solve ip_defrag.sh hang but share same drawback: Such reassembled skbs, queued to socket, can prevent conntrack module removal until userspace has consumed the packet. While both tcp and udp stack do call nf_reset_ct() before placing skb on socket queue, that function doesn't iterate frag_list skbs. Therefore drop nf_conn entries when they are placed in defrag queue. Keep the nf_conn entry of the first (offset 0) skb so that reassembled skb retains nf_conn entry for sake of TX path. Note that fixes tag is incorrect; it points to the commit introducing the 'ip_defrag.sh reproducible problem': no need to backport this patch to every stable kernel. | 2026-01-31 | not yet calculated | CVE-2026-23016 | https://git.kernel.org/stable/c/088ca99dbb039c444c3ff987c5412a73f4f0cbf8 https://git.kernel.org/stable/c/2ef02ac38d3c17f34a00c4b267d961a8d4b45d1a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix error handling in the init_task on load If the init_task fails during a driver load, we end up without vports and netdevs, effectively failing the entire process. In that state a subsequent reset will result in a crash as the service task attempts to access uninitialized resources. Following trace is from an error in the init_task where the CREATE_VPORT (op 501) is rejected by the FW: [40922.763136] idpf 0000:83:00.0: Device HW Reset initiated [40924.449797] idpf 0000:83:00.0: Transaction failed (op 501) [40958.148190] idpf 0000:83:00.0: HW reset detected [40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8 ... [40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf] [40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf] ... [40958.177932] Call Trace: [40958.178491] <TASK> [40958.179040] process_one_work+0x226/0x6d0 [40958.179609] worker_thread+0x19e/0x340 [40958.180158] ? __pfx_worker_thread+0x10/0x10 [40958.180702] kthread+0x10f/0x250 [40958.181238] ? __pfx_kthread+0x10/0x10 [40958.181774] ret_from_fork+0x251/0x2b0 [40958.182307] ? __pfx_kthread+0x10/0x10 [40958.182834] ret_from_fork_asm+0x1a/0x30 [40958.183370] </TASK> Fix the error handling in the init_task to make sure the service and mailbox tasks are disabled if the error happens during load. These are started in idpf_vc_core_init(), which spawns the init_task and has no way of knowing if it failed. If the error happens on reset, following successful driver load, the tasks can still run, as that will allow the netdevs to attempt recovery through another reset. Stop the PTP callbacks either way as those will be restarted by the call to idpf_vc_core_init() during a successful reset. | 2026-01-31 | not yet calculated | CVE-2026-23017 | https://git.kernel.org/stable/c/a514c374edcd33581cdcccf8faa7cc606a600319 https://git.kernel.org/stable/c/4d792219fe6f891b5b557a607ac8a0a14eda6e38 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before initializing extent tree in btrfs_read_locked_inode() In btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree() while holding a path with a read locked leaf from a subvolume tree, and btrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can trigger reclaim. This can create a circular lock dependency which lockdep warns about with the following splat: [6.1433] ====================================================== [6.1574] WARNING: possible circular locking dependency detected [6.1583] 6.18.0+ #4 Tainted: G U [6.1591] ------------------------------------------------------ [6.1599] kswapd0/117 is trying to acquire lock: [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1625] but task is already holding lock: [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60 [6.1646] which lock already depends on the new lock. [6.1657] the existing dependency chain (in reverse order) is: [6.1667] -> #2 (fs_reclaim){+.+.}-{0:0}: [6.1677] fs_reclaim_acquire+0x9d/0xd0 [6.1685] __kmalloc_cache_noprof+0x59/0x750 [6.1694] btrfs_init_file_extent_tree+0x90/0x100 [6.1702] btrfs_read_locked_inode+0xc3/0x6b0 [6.1710] btrfs_iget+0xbb/0xf0 [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0 [6.1724] btrfs_lookup+0x12/0x30 [6.1731] lookup_open.isra.0+0x1aa/0x6a0 [6.1739] path_openat+0x5f7/0xc60 [6.1746] do_filp_open+0xd6/0x180 [6.1753] do_sys_openat2+0x8b/0xe0 [6.1760] __x64_sys_openat+0x54/0xa0 [6.1768] do_syscall_64+0x97/0x3e0 [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1784] -> #1 (btrfs-tree-00){++++}-{3:3}: [6.1794] lock_release+0x127/0x2a0 [6.1801] up_read+0x1b/0x30 [6.1808] btrfs_search_slot+0x8e0/0xff0 [6.1817] btrfs_lookup_inode+0x52/0xd0 [6.1825] __btrfs_update_delayed_inode+0x73/0x520 [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120 [6.1842] btrfs_log_inode+0x608/0x1aa0 [6.1849] btrfs_log_inode_parent+0x249/0xf80 [6.1857] btrfs_log_dentry_safe+0x3e/0x60 [6.1865] btrfs_sync_file+0x431/0x690 [6.1872] do_fsync+0x39/0x80 [6.1879] __x64_sys_fsync+0x13/0x20 [6.1887] do_syscall_64+0x97/0x3e0 [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1903] -> #0 (&delayed_node->mutex){+.+.}-{3:3}: [6.1913] __lock_acquire+0x15e9/0x2820 [6.1920] lock_acquire+0xc9/0x2d0 [6.1927] __mutex_lock+0xcc/0x10a0 [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1944] btrfs_evict_inode+0x20b/0x4b0 [6.1952] evict+0x15a/0x2f0 [6.1958] prune_icache_sb+0x91/0xd0 [6.1966] super_cache_scan+0x150/0x1d0 [6.1974] do_shrink_slab+0x155/0x6f0 [6.1981] shrink_slab+0x48e/0x890 [6.1988] shrink_one+0x11a/0x1f0 [6.1995] shrink_node+0xbfd/0x1320 [6.1002] balance_pgdat+0x67f/0xc60 [6.1321] kswapd+0x1dc/0x3e0 [6.1643] kthread+0xff/0x240 [6.1965] ret_from_fork+0x223/0x280 [6.1287] ret_from_fork_asm+0x1a/0x30 [6.1616] other info that might help us debug this: [6.1561] Chain exists of: &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim [6.1503] Possible unsafe locking scenario: [6.1110] CPU0 CPU1 [6.1411] ---- ---- [6.1707] lock(fs_reclaim); [6.1998] lock(btrfs-tree-00); [6.1291] lock(fs_reclaim); [6.1581] lock(&del ---truncated--- | 2026-01-31 | not yet calculated | CVE-2026-23018 | https://git.kernel.org/stable/c/92a5590851144f034adc51fee55e6878ccac716e https://git.kernel.org/stable/c/8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix NULL dereference on devlink_alloc() failure devlink_alloc() may return NULL on allocation failure, but prestera_devlink_alloc() unconditionally calls devlink_priv() on the returned pointer. This leads to a NULL pointer dereference if devlink allocation fails. Add a check for a NULL devlink pointer and return NULL early to avoid the crash. | 2026-01-31 | not yet calculated | CVE-2026-23019 | https://git.kernel.org/stable/c/8a4333b2818f0d853b43e139936c20659366e4a0 https://git.kernel.org/stable/c/325aea74be7e192b5c947c782da23b0d19a5fda2 https://git.kernel.org/stable/c/94e070cd50790317fba7787ae6006934b7edcb6f https://git.kernel.org/stable/c/3950054c9512add0cc79ab7e72b6d2f9f675e25b https://git.kernel.org/stable/c/326a4b7e61d01db3507f71c8bb5e85362f607064 https://git.kernel.org/stable/c/a428e0da1248c353557970848994f35fd3f005e2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: 3com: 3c59x: fix possible null dereference in vortex_probe1() pdev can be null and free_ring: can be called in 1297 with a null pdev. | 2026-01-31 | not yet calculated | CVE-2026-23020 | https://git.kernel.org/stable/c/053ac9e37eee435e999277c0f1ef890dad6064bf https://git.kernel.org/stable/c/6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d https://git.kernel.org/stable/c/606872c8e8bf96066730f6a2317502c5633c37f1 https://git.kernel.org/stable/c/28b2a805609699be7b90020ae7dccfb234be1ceb https://git.kernel.org/stable/c/2f05f7737e16d9a40038cc1c38a96a3f7964898b https://git.kernel.org/stable/c/d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7 https://git.kernel.org/stable/c/a4e305ed60f7c41bbf9aabc16dd75267194e0de3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: fix memory leak in update_eth_regs_async() When asynchronously writing to the device registers and if usb_submit_urb() fail, the code fail to release allocated to this point resources. | 2026-01-31 | not yet calculated | CVE-2026-23021 | https://git.kernel.org/stable/c/5397ea6d21c35a17707e201a60761bdee00bcc4e https://git.kernel.org/stable/c/a40af9a2904a1ab8ce61866ebe2a894ef30754ba https://git.kernel.org/stable/c/ac5d92d2826dec51e5d4c6854865bc5817277452 https://git.kernel.org/stable/c/93f18eaa190374e0f2d253e3b1a65cee19a7abe6 https://git.kernel.org/stable/c/471dfb97599eec74e0476046b3ef8e7037f27b34 https://git.kernel.org/stable/c/ce6eef731aba23a988decea1df3b08cf978f7b01 https://git.kernel.org/stable/c/afa27621a28af317523e0836dad430bec551eb54 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak in idpf_vc_core_deinit() Make sure to free hw->lan_regs. Reported by kmemleak during reset: unreferenced object 0xff1b913d02a936c0 (size 96): comm "kworker/u258:14", pid 2174, jiffies 4294958305 hex dump (first 32 bytes): 00 00 00 c0 a8 ba 2d ff 00 00 00 00 00 00 00 00 ......-......... 00 00 40 08 00 00 00 00 00 00 25 b3 a8 ba 2d ff ..@.......%...-. backtrace (crc 36063c4f): __kmalloc_noprof+0x48f/0x890 idpf_vc_core_init+0x6ce/0x9b0 [idpf] idpf_vc_event_task+0x1fb/0x350 [idpf] process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x251/0x2b0 ret_from_fork_asm+0x1a/0x30 | 2026-01-31 | not yet calculated | CVE-2026-23022 | https://git.kernel.org/stable/c/23391db8a00c23854915b8b72ec1aa10080aa540 https://git.kernel.org/stable/c/e111cbc4adf9f9974eed040aeece7e17460f6bff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak in idpf_vport_rel() Free vport->rx_ptype_lkup in idpf_vport_rel() to avoid leaking memory during a reset. Reported by kmemleak: unreferenced object 0xff450acac838a000 (size 4096): comm "kworker/u258:5", pid 7732, jiffies 4296830044 hex dump (first 32 bytes): 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 ................ backtrace (crc 3da81902): __kmalloc_cache_noprof+0x469/0x7a0 idpf_send_get_rx_ptype_msg+0x90/0x570 [idpf] idpf_init_task+0x1ec/0x8d0 [idpf] process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x251/0x2b0 ret_from_fork_asm+0x1a/0x30 | 2026-01-31 | not yet calculated | CVE-2026-23023 | https://git.kernel.org/stable/c/a4212d6732e3f674c6cc7d0b642f276d827e8f94 https://git.kernel.org/stable/c/ec602a2a4071eb956d656ba968c58fee09f0622d https://git.kernel.org/stable/c/f6242b354605faff263ca45882b148200915a3f6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak of flow steer list on rmmod The flow steering list maintains entries that are added and removed as ethtool creates and deletes flow steering rules. Module removal with active entries causes memory leak as the list is not properly cleaned up. Prevent this by iterating through the remaining entries in the list and freeing the associated memory during module removal. Add a spinlock (flow_steer_list_lock) to protect the list access from multiple threads. | 2026-01-31 | not yet calculated | CVE-2026-23024 | https://git.kernel.org/stable/c/1aedff70a5e97628eaaf17b169774cb6a45a1dc5 https://git.kernel.org/stable/c/f9841bd28b600526ca4f6713b0ca49bf7bb98452 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: prevent pcp corruption with SMP=n The kernel test robot has reported: BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28 lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0 CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470 Call Trace: <IRQ> __dump_stack (lib/dump_stack.c:95) dump_stack_lvl (lib/dump_stack.c:123) dump_stack (lib/dump_stack.c:130) spin_dump (kernel/locking/spinlock_debug.c:71) do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?) _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138) __free_frozen_pages (mm/page_alloc.c:2973) ___free_pages (mm/page_alloc.c:5295) __free_pages (mm/page_alloc.c:5334) tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290) ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289) ? rcu_core (kernel/rcu/tree.c:?) rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861) rcu_core_si (kernel/rcu/tree.c:2879) handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623) __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725) irq_exit_rcu (kernel/softirq.c:741) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052) </IRQ> <TASK> RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) free_pcppages_bulk (mm/page_alloc.c:1494) drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632) __drain_all_pages (mm/page_alloc.c:2731) drain_all_pages (mm/page_alloc.c:2747) kcompactd (mm/compaction.c:3115) kthread (kernel/kthread.c:465) ? __cfi_kcompactd (mm/compaction.c:3166) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork (arch/x86/kernel/process.c:164) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork_asm (arch/x86/entry/entry_64.S:255) </TASK> Matthew has analyzed the report and identified that in drain_page_zone() we are in a section protected by spin_lock(&pcp->lock) and then get an interrupt that attempts spin_trylock() on the same lock. The code is designed to work this way without disabling IRQs and occasionally fail the trylock with a fallback. However, the SMP=n spinlock implementation assumes spin_trylock() will always succeed, and thus it's normally a no-op. Here the enabled lock debugging catches the problem, but otherwise it could cause a corruption of the pcp structure. The problem has been introduced by commit 574907741599 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations"). The pcp locking scheme recognizes the need for disabling IRQs to prevent nesting spin_trylock() sections on SMP=n, but the need to prevent the nesting in spin_lock() has not been recognized. Fix it by introducing local wrappers that change the spin_lock() to spin_lock_iqsave() with SMP=n and use them in all places that do spin_lock(&pcp->lock). [vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven] | 2026-01-31 | not yet calculated | CVE-2026-23025 | https://git.kernel.org/stable/c/4a04ff9cd816e7346fcc8126f00ed80481f6569d https://git.kernel.org/stable/c/df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6 https://git.kernel.org/stable/c/3098f8f7c7b0686c74827aec42a2c45e69801ff8 https://git.kernel.org/stable/c/038a102535eb49e10e93eafac54352fcc5d78847 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() Fix a memory leak in gpi_peripheral_config() where the original memory pointed to by gchan->config could be lost if krealloc() fails. The issue occurs when: 1. gchan->config points to previously allocated memory 2. krealloc() fails and returns NULL 3. The function directly assigns NULL to gchan->config, losing the reference to the original memory 4. The original memory becomes unreachable and cannot be freed Fix this by using a temporary variable to hold the krealloc() result and only updating gchan->config when the allocation succeeds. Found via static analysis and code review. | 2026-01-31 | not yet calculated | CVE-2026-23026 | https://git.kernel.org/stable/c/6bf4ef078fd11910988889a6c0b3698d2e0c89af https://git.kernel.org/stable/c/01b1d781394fc9b83015e3a3cd46b17bda842bd8 https://git.kernel.org/stable/c/55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85 https://git.kernel.org/stable/c/3f747004bbd641131d9396d87b5d2d3d1e182728 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_pch_pic_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. | 2026-01-31 | not yet calculated | CVE-2026-23027 | https://git.kernel.org/stable/c/fc53a66227af08d868face4b33fa8b2e1ba187ed https://git.kernel.org/stable/c/1cf342a7c3adc5877837b53bbceb5cc9eff60bbf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_ipi_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. | 2026-01-31 | not yet calculated | CVE-2026-23028 | https://git.kernel.org/stable/c/5defcc2f9c22e6e09b5be68234ad10f4ba0292b7 https://git.kernel.org/stable/c/0bf58cb7288a4d3de6d8ecbb3a65928a9362bf21 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_eiointc_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. | 2026-01-31 | not yet calculated | CVE-2026-23029 | https://git.kernel.org/stable/c/e94ec9661c5820d157d2cc4b6cf4a6ab656a7b4d https://git.kernel.org/stable/c/7d8553fc75aefa7ec936af0cf8443ff90b51732e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() The for_each_available_child_of_node() calls of_node_put() to release child_np in each success loop. After breaking from the loop with the child_np has been released, the code will jump to the put_child label and will call the of_node_put() again if the devm_request_threaded_irq() fails. These cause a double free bug. Fix by returning directly to avoid the duplicate of_node_put(). | 2026-01-31 | not yet calculated | CVE-2026-23030 | https://git.kernel.org/stable/c/ebae26dd15140b840cf65be5e1c0daee949ba70b https://git.kernel.org/stable/c/027d42b97e6eb827c3438ebc09bab7efaee9270d https://git.kernel.org/stable/c/efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5 https://git.kernel.org/stable/c/e07dea3de508cd6950c937cec42de7603190e1ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak In gs_can_open(), the URBs for USB-in transfers are allocated, added to the parent->rx_submitted anchor and submitted. In the complete callback gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In gs_can_close() the URBs are freed by calling usb_kill_anchored_urbs(parent->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in gs_can_close(). Fix the memory leak by anchoring the URB in the gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor. | 2026-01-31 | not yet calculated | CVE-2026-23031 | https://git.kernel.org/stable/c/f905bcfa971edb89e398c98957838d8c6381c0c7 https://git.kernel.org/stable/c/08624b7206ddb9148eeffc2384ebda2c47b6d1e9 https://git.kernel.org/stable/c/9f669a38ca70839229b7ba0f851820850a2fe1f7 https://git.kernel.org/stable/c/7352e1d5932a0e777e39fa4b619801191f57e603 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: null_blk: fix kmemleak by releasing references to fault configfs items When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk driver sets up fault injection support by creating the timeout_inject, requeue_inject, and init_hctx_fault_inject configfs items as children of the top-level nullbX configfs group. However, when the nullbX device is removed, the references taken to these fault-config configfs items are not released. As a result, kmemleak reports a memory leak, for example: unreferenced object 0xc00000021ff25c40 (size 32): comm "mkdir", pid 10665, jiffies 4322121578 hex dump (first 32 bytes): 69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_ 69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject.......... backtrace (crc 1a018c86): __kmalloc_node_track_caller_noprof+0x494/0xbd8 kvasprintf+0x74/0xf4 config_item_set_name+0xf0/0x104 config_group_init_type_name+0x48/0xfc fault_config_init+0x48/0xf0 0xc0080000180559e4 configfs_mkdir+0x304/0x814 vfs_mkdir+0x49c/0x604 do_mkdirat+0x314/0x3d0 sys_mkdir+0xa0/0xd8 system_call_exception+0x1b0/0x4f0 system_call_vectored_common+0x15c/0x2ec Fix this by explicitly releasing the references to the fault-config configfs items when dropping the reference to the top-level nullbX configfs group. | 2026-01-31 | not yet calculated | CVE-2026-23032 | https://git.kernel.org/stable/c/1a3286edf4d48ce37f8982ff3c3b65159a5ecbb2 https://git.kernel.org/stable/c/d59ba448ccd595d5d65e197216cf781a87db2b28 https://git.kernel.org/stable/c/f1718da051282698aa8fa150bebb9724f6389fda https://git.kernel.org/stable/c/40b94ec7edbbb867c4e26a1a43d2b898f04b93c5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: omap-dma: fix dma_pool resource leak in error paths The dma_pool created by dma_pool_create() is not destroyed when dma_async_device_register() or of_dma_controller_register() fails, causing a resource leak in the probe error paths. Add dma_pool_destroy() in both error paths to properly release the allocated dma_pool resource. | 2026-01-31 | not yet calculated | CVE-2026-23033 | https://git.kernel.org/stable/c/88a9483f093bbb9263dcf21bc7fdb5132e5de88d https://git.kernel.org/stable/c/4b93712e96be17029bd22787f2e39feb0e73272c https://git.kernel.org/stable/c/829b00481734dd54e72f755fd6584bce6fbffbb0 https://git.kernel.org/stable/c/2e1136acf8a8887c29f52e35a77b537309af321f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference. When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence reference. Because of the missing dma_fence_put(), the last fence object can stay alive when the driver unloads. This leaves an allocated object in the amdgpu_userq_fence slab cache and triggers This is visible during driver unload as: BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown() kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects Call Trace: kmem_cache_destroy amdgpu_userq_fence_slab_fini amdgpu_exit __do_sys_delete_module Fix this by putting userq->last_fence and clearing the pointer during amdgpu_userq_fence_driver_free(). This makes sure the fence reference is released and the slab cache is empty when the module exits. v2: Update to only release userq->last_fence with dma_fence_put() (Christian) (cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb) | 2026-01-31 | not yet calculated | CVE-2026-23034 | https://git.kernel.org/stable/c/e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175 https://git.kernel.org/stable/c/b2426a211dba6432e32a2e70e9183c6e134475c6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails. Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a valid netdev. On mlx5e_remove: Check validity of priv->profile, before attempting to cleanup any resources that might be not there. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000370 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100 RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286 RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0 RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10 R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0 R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400 FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0 Call Trace: <TASK> mlx5e_remove+0x57/0x110 device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140 | 2026-01-31 | not yet calculated | CVE-2026-23035 | https://git.kernel.org/stable/c/a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02 https://git.kernel.org/stable/c/66a25f6b7c0bfd84e6d27b536f5d24116dbd52da https://git.kernel.org/stable/c/4ef8512e1427111f7ba92b4a847d181ff0aeec42 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before iget_failed() in btrfs_read_locked_inode() In btrfs_read_locked_inode() if we fail to lookup the inode, we jump to the 'out' label with a path that has a read locked leaf and then we call iget_failed(). This can result in a ABBA deadlock, since iget_failed() triggers inode eviction and that causes the release of the delayed inode, which must lock the delayed inode's mutex, and a task updating a delayed inode starts by taking the node's mutex and then modifying the inode's subvolume btree. Syzbot reported the following lockdep splat for this: ====================================================== WARNING: possible circular locking dependency detected syzkaller #0 Not tainted ------------------------------------------------------ btrfs-cleaner/8725 is trying to acquire lock: ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 but task is already holding lock: ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{4:4}: __lock_release kernel/locking/lockdep.c:5574 [inline] lock_release+0x198/0x39c kernel/locking/lockdep.c:5889 up_read+0x24/0x3c kernel/locking/rwsem.c:1632 btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169 btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline] btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133 btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395 __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline] __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141 __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176 btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219 flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828 do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158 btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226 process_one_work+0x7e8/0x155c kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3427 kthread+0x5fc/0x75c kernel/kthread.c:463 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844 -> #0 (&delayed_node->mutex){+.+.}-{4:4}: check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237 lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868 __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598 __mutex_lock kernel/locking/mutex.c:760 [inline] mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812 __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline] btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326 btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587 evict+0x414/0x928 fs/inode.c:810 iput_final fs/inode.c:1914 [inline] iput+0x95c/0xad4 fs/inode.c:1966 iget_failed+0xec/0x134 fs/bad_inode.c:248 btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101 btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837 btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline] btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf ---truncated--- | 2026-01-31 | not yet calculated | CVE-2026-23036 | https://git.kernel.org/stable/c/65241e3ddda60b53a4ee3ae12721fc9ee21d5827 https://git.kernel.org/stable/c/1e1f2055ad5a7a5d548789b334a4473a7665c418 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: allow partial RX URB allocation to succeed When es58x_alloc_rx_urbs() fails to allocate the requested number of URBs but succeeds in allocating some, it returns an error code. This causes es58x_open() to return early, skipping the cleanup label 'free_urbs', which leads to the anchored URBs being leaked. As pointed out by maintainer Vincent Mailhol, the driver is designed to handle partial URB allocation gracefully. Therefore, partial allocation should not be treated as a fatal error. Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been allocated, restoring the intended behavior and preventing the leak in es58x_open(). | 2026-01-31 | not yet calculated | CVE-2026-23037 | https://git.kernel.org/stable/c/611e839d2d552416b498ed5593e10670f61fcd4d https://git.kernel.org/stable/c/ba45e3d6b02c97dbb4578fbae7027fd66f3caa10 https://git.kernel.org/stable/c/6c5124a60989051799037834f0a1a4b428718157 https://git.kernel.org/stable/c/b1979778e98569c1e78c2c7f16bb24d76541ab00 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, the function jumps to the out_scratch label without freeing the already allocated dsaddrs list, leading to a memory leak. Fix this by jumping to the out_err_drain_dsaddrs label, which properly frees the dsaddrs list before cleaning up other resources. | 2026-01-31 | not yet calculated | CVE-2026-23038 | https://git.kernel.org/stable/c/869862056e100973e76ce9f5f1b01837771b7722 https://git.kernel.org/stable/c/86da7efd12295a7e2b4abde5e5984c821edd938f https://git.kernel.org/stable/c/ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb https://git.kernel.org/stable/c/0c728083654f0066f5e10a1d2b0bd0907af19a58 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/gud: fix NULL fb and crtc dereferences on USB disconnect On disconnect drm_atomic_helper_disable_all() is called which sets both the fb and crtc for a plane to NULL before invoking a commit. This causes a kernel oops on every display disconnect. Add guards for those dereferences. | 2026-01-31 | not yet calculated | CVE-2026-23039 | https://git.kernel.org/stable/c/a255ec07f91d4c73a361a28b7a3d82f5710245f1 https://git.kernel.org/stable/c/dc2d5ddb193e363187bae2ad358245642d2721fb |
| liuyueyi--quick-media | Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java. This issue affects quick-media: before v1.0. | 2026-01-27 | not yet calculated | CVE-2026-24806 | https://github.com/liuyueyi/quick-media/pull/122 |
| liuyueyi--quick-media | Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java. This issue affects quick-media: before v1.0. | 2026-01-27 | not yet calculated | CVE-2026-24807 | https://github.com/liuyueyi/quick-media/pull/123 |
| LiveHelperChat--LiveHelperChat | Stored Cross-Site Scripting (XSS) vulnerability in the PDF file upload functionality of Live Helper Chat, versions prior to 4.72. An attacker can upload a malicious PDF file containing an XSS payload, which will be executed in the user's context when they download and open the file via the link generated by the application. The vulnerability allows arbitrary JavaScript code to be executed in the user's local context. | 2026-01-28 | not yet calculated | CVE-2026-0483 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-vulnerability-livehelperchat |
| lobehub--lobe-chat | LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file. By manipulating the size value provided in the client upload request, it is possible to bypass the monthly upload quota enforced by the server and continuously upload files beyond the intended storage and traffic limits. This abuse can result in a discrepancy between actual resource consumption and billing calculations, causing direct financial impact to the service operator. Additionally, exhaustion of storage or related resources may lead to degraded service availability, including failed uploads, delayed content delivery, or temporary suspension of upload functionality for legitimate users. A single malicious user can also negatively affect other users or projects sharing the same subscription plan, effectively causing an indirect denial of service (DoS). Furthermore, excessive and unaccounted-for uploads can distort monitoring metrics and overload downstream systems such as backup processes, malware scanning, and media processing pipelines, ultimately undermining overall operational stability and service reliability. Version 1.143.3 contains a patch for the issue. | 2026-01-30 | not yet calculated | CVE-2026-23835 | https://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5 |
| Meta--react-server-dom-webpack | Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components. | 2026-01-26 | not yet calculated | CVE-2026-23864 | https://www.facebook.com/security/advisories/cve-2026-23864 |
| Micron Technology, Inc.--Crucial Storage Executive | Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs using an uncontrolled search path, which can cause a malicious DLL placed alongside the installer to be loaded instead of the intended system library. A local attacker who can convince a victim to run the installer from a directory containing the attacker-supplied DLL can achieve arbitrary code execution with administrator privileges. | 2026-01-26 | not yet calculated | CVE-2025-71178 | https://eu.crucial.com/support/storage-executive https://www.vulncheck.com/advisories/crucial-storage-executive-installer-dll-preloading-lpe |
| Mintplex-Labs--anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue. | 2026-01-26 | not yet calculated | CVE-2026-24477 | https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf |
| monkey--monkey | An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63649 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63650 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63651 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63652 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63653 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63655 | https://github.com/monkey/monkey/issues/427 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63656 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63657 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63658 | https://github.com/monkey/monkey/issues/427 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| Mozilla--Firefox | Mitigation bypass in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 147.0.2. | 2026-01-27 | not yet calculated | CVE-2026-24868 | https://bugzilla.mozilla.org/show_bug.cgi?id=2007302 https://www.mozilla.org/security/advisories/mfsa2026-06/ |
| Mozilla--Firefox | Use-after-free in the Layout: Scrolling and Overflow component. This vulnerability affects Firefox < 147.0.2. | 2026-01-27 | not yet calculated | CVE-2026-24869 | https://bugzilla.mozilla.org/show_bug.cgi?id=2008698 https://www.mozilla.org/security/advisories/mfsa2026-06/ |
| Mozilla--Thunderbird | When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability affects Thunderbird < 147.0.1 and Thunderbird < 140.7.1. | 2026-01-28 | not yet calculated | CVE-2026-0818 | https://bugzilla.mozilla.org/show_bug.cgi?id=1881530 https://www.mozilla.org/security/advisories/mfsa2026-07/ https://www.mozilla.org/security/advisories/mfsa2026-08/ |
| MuntashirAkon--AppManager | Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java. This issue affects AppManager: before 4.0.4. | 2026-01-27 | not yet calculated | CVE-2026-1464 | https://github.com/MuntashirAkon/AppManager/pull/1598 |
| N3uron--N3uron | An issue in N3uron Web User Interface v.1.21.7-240207.1047 allows a remote attacker to escalate privileges via the password hashing on the client side using the MD5 algorithm over a predictable string format | 2026-01-29 | not yet calculated | CVE-2025-69929 | http://n3uron.com https://www.linkedin.com/in/joselabreu https://gist.github.com/JoseAbreu28/67f5d8bfc7ba1def526efeda5771a244 |
| NAVER--billboard.js | billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding. | 2026-01-28 | not yet calculated | CVE-2026-1513 | https://cve.naver.com/detail/cve-2026-1513.html |
| neka-nat--cupoch | Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules). This vulnerability is associated with program files tjbench.C. This issue affects cupoch. | 2026-01-27 | not yet calculated | CVE-2026-24797 | https://github.com/neka-nat/cupoch/pull/138 |
| NETGEAR--NETGEAR products | Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box. | 2026-01-30 | not yet calculated | CVE-2026-24714 | https://www.netgear.com/about/eos/ https://jvn.jp/en/jp/JVN46722282/ |
| nocodb--nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect (open redirect) vulnerability exists in NocoDB's login flow due to missing validation of the `continueAfterSignIn` parameter. During authentication, NocoDB processes a user-controlled redirect value and conditionally performs client-side navigation without enforcing any restrictions on the destination's origin, domain or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login. This vulnerability enables phishing attacks by leveraging user trust in the legitimate NocoDB login flow. While it does not directly expose credentials or bypass authentication, it increases the likelihood of credential theft through social engineering. The issue does not allow arbitrary code execution or privilege escalation, but it undermines authentication integrity. Version 0.301.0 fixes the issue. | 2026-01-28 | not yet calculated | CVE-2026-24768 | https://github.com/nocodb/nocodb/security/advisories/GHSA-3hmw-8mw3-rmpj |
| nocodb--nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB's attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application's origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue. | 2026-01-28 | not yet calculated | CVE-2026-24769 | https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr |
| Node.js--Node.js | The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. | 2026-01-28 | not yet calculated | CVE-2025-57283 | https://www.npmjs.com https://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1 |
| nvm-sh--nvm | A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'. | 2026-01-29 | not yet calculated | CVE-2026-1665 | Fix commit Release v0.40.4 nvm GitHub repository https://github.com/nvm-sh/nvm/pull/3380 |
| OctoPrint--OctoPrint | OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character. The vulnerability is patched in version 1.11.6. The likelihood of this attack actually working is highly dependent on the network's latency, noise and similar parameters. An actual proof of concept was not achieved so far. Still, as always administrators are advised to not expose their OctoPrint instance on hostile networks, especially not on the public Internet. | 2026-01-27 | not yet calculated | CVE-2026-23892 | https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xg4x-w2j3-57h6 https://github.com/OctoPrint/OctoPrint/commit/249fd80ab01bc4b7dabedff768230a0fb5d01a8c https://github.com/OctoPrint/OctoPrint/releases/tag/1.11.6 |
| OneFlow--OneFlow | A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes. | 2026-01-28 | not yet calculated | CVE-2025-65886 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10666 |
| OneFlow--OneFlow | A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero. | 2026-01-28 | not yet calculated | CVE-2025-65887 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10665 |
| OneFlow--OneFlow | A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value. | 2026-01-28 | not yet calculated | CVE-2025-65888 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10664 |
| OneFlow--OneFlow | A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-65889 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10663 |
| OneFlow--OneFlow | A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index. | 2026-01-28 | not yet calculated | CVE-2025-65890 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10662 |
| OneFlow--OneFlow | A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Dervice (DoS) by invoking flow.cuda.get_device_properties() with an invalid or negative device index. | 2026-01-28 | not yet calculated | CVE-2025-65891 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10661 |
| OneFlow--OneFlow | A GPU device-ID validation flaw in the flow.cuda.get_device_capability() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted device ID. | 2026-01-28 | not yet calculated | CVE-2025-70999 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow/issues/10660 |
| OneFlow--OneFlow | An issue in the flow.cuda.BoolTensor component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71000 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow/issues/10659 |
| OneFlow--OneFlow | A segmentation violation in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71001 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow/issues/10658 |
| OneFlow--OneFlow | A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71002 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10657 |
| OneFlow--OneFlow | An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71003 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10656 |
| OneFlow--OneFlow | A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71004 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10655 |
| OneFlow--OneFlow | A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71005 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10654 |
| OneFlow--OneFlow | A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71006 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10653 |
| OneFlow--OneFlow | An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71007 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10652 |
| OneFlow--OneFlow | A segmentation violation in the oneflow._oneflow_internal.autograd.Function.FunctionCtx.mark_non_differentiable component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-29 | not yet calculated | CVE-2025-71008 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10651 |
| OneFlow--OneFlow | An input validation vulnerability in the flow.scatter/flow.scatter_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted indices. | 2026-01-29 | not yet calculated | CVE-2025-71009 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10649 |
| OneFlow--OneFlow | An input validation vulnerability in the flow.Tensor.new_empty/flow.Tensor.new_ones/flow.Tensor.new_zeros component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-29 | not yet calculated | CVE-2025-71011 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10648 |
| openemr--openemr | OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. Contents of Clinical Notes and Care Plan, where an encounter has Sensitivity=high, can be viewed and changed by users who do not have Sensitivities=high privilege. Version 7.0.4 fixes the issue. | 2026-01-27 | not yet calculated | CVE-2025-54373 | https://github.com/openemr/openemr/security/advisories/GHSA-739g-6m63-p7fr https://github.com/openemr/openemr/commit/aef3d1c85d9ff2f28d3d361d2818aee79b6dcd33 |
| OpenSSL--OpenSSL | Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations. When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference. Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity. The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue. OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12. | 2026-01-27 | not yet calculated | CVE-2025-11187 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit |
| OpenSSL--OpenSSL | Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-15467 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-15468 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit |
| OpenSSL--OpenSSL | Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated. When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath. The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected. The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary. OpenSSL 3.5 and 3.6 are vulnerable to this issue. OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-15469 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit |
| OpenSSL--OpenSSL | Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service). In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs. This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks. Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-66199 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit |
| OpenSSL--OpenSSL | Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. | 2026-01-27 | not yet calculated | CVE-2025-68160 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-69418 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-69419 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-69420 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. | 2026-01-27 | not yet calculated | CVE-2025-69421 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2026-22795 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. | 2026-01-27 | not yet calculated | CVE-2026-22796 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenText--Vertica | Cleartext Storage of Sensitive Information vulnerability in OpenTextâ„¢ Vertica allows Retrieve Embedded Sensitive Data. The vulnerability could read Vertica agent plaintext apikey. This issue affects Vertica versions: 23.X, 24.X, 25.X. | 2026-01-30 | not yet calculated | CVE-2024-9432 | https://portal.microfocus.com/s/article/KM000044937?language=en_US |
| OpenVPN--OpenVPN | Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of service | 2026-01-30 | not yet calculated | CVE-2025-15497 | https://community.openvpn.net/Security%20Announcements/CVE-2025-15497 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00156.html |
| opf--openproject | OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject's repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, `rev=--output=/tmp/poc.txt)`, an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6. | 2026-01-28 | not yet calculated | CVE-2026-24685 | https://github.com/opf/openproject/security/advisories/GHSA-74p5-9pr3-r6pw |
| orval-labs--orval | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix. | 2026-01-30 | not yet calculated | CVE-2026-25141 | https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227 https://github.com/orval-labs/orval/releases/tag/v7.21.0 https://github.com/orval-labs/orval/releases/tag/v8.2.0 |
| Phala-Network--dcap-qvl | dcap-qvl implements the quote verification logic for DCAP (Data Center Attestation Primitives). A vulnerability present in versions prior to 0.3.9 involves a critical gap in the cryptographic verification process within the dcap-qvl. The library fetches QE Identity collateral (including qe_identity, qe_identity_signature, and qe_identity_issuer_chain) from the PCCS. However, it skips to verify the QE Identity signature against its certificate chain and does not enforce policy constraints on the QE Report. An attacker can forge the QE Identity data to whitelist a malicious or non-Intel Quoting Enclave. This allows the attacker to forge the QE and sign untrusted quotes that the verifier will accept as valid. Effectively, this bypasses the entire remote attestation security model, as the verifier can no longer trust the entity responsible for signing the quotes. All deployments utilizing the dcap-qvl library for SGX or TDX quote verification are affected. The vulnerability has been patched in dcap-qvl version 0.3.9. The fix implements the missing cryptographic verification for the QE Identity signature and enforces the required checks for MRSIGNER, ISVPRODID, and ISVSVN against the QE Report. Users of the `@phala/dcap-qvl-node` and `@phala/dcap-qvl-web` packages should switch to the pure JavaScript implementation, `@phala/dcap-qvl`. There are no known workarounds for this vulnerability. Users must upgrade to the patched version to ensure that QE Identity collateral is properly verified. | 2026-01-26 | not yet calculated | CVE-2026-22696 | https://github.com/Phala-Network/dcap-qvl/security/advisories/GHSA-796p-j2gh-9m2q |
| pilgrimage233--Minecraft-Rcon-Manage | Improper Control of Generation of Code ('Code Injection') vulnerability in pilgrimage233 Minecraft-Rcon-Manage. This issue affects Minecraft-Rcon-Manage: before 3.0. | 2026-01-27 | not yet calculated | CVE-2026-24871 | https://github.com/pilgrimage233/Minecraft-Rcon-Manage/pull/13 |
| Pix-Link--LV-WR21Q | Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-01-27 | not yet calculated | CVE-2025-12386 | https://cert.pl/en/posts/2026/01/CVE-2025-12386 https://www.pix-link.com/lv-wr21q https://github.com/wcyb/security_research |
| Pix-Link--LV-WR21Q | A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing non-existing language parameter. This renders the server unable to serve correct lang.js file, which causes administrator panel to not work, resulting in DoS until the language settings is reverted to a correct value. The Denial of Service affects only the administrator panel and does not affect other router functionalities. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-01-27 | not yet calculated | CVE-2025-12387 | https://cert.pl/en/posts/2026/01/CVE-2025-12386 https://www.pix-link.com/lv-wr21q https://github.com/wcyb/security_research |
| pnpm--pnpm | pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies andCI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch. | 2026-01-26 | not yet calculated | CVE-2026-24056 | https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f https://github.com/pnpm/pnpm/releases/tag/v10.28.2 |
| pnpm--pnpm | pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch. | 2026-01-26 | not yet calculated | CVE-2026-24131 | https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943 https://github.com/pnpm/pnpm/releases/tag/v10.28.2 |
| PodcastGenerator--PodcastGenerator | A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' and 'LONG DESCRIPTION' parameters. The saved payload gets executed on 'View All Live Items' and 'Live Stream' pages. | 2026-01-28 | not yet calculated | CVE-2025-70336 | https://github.com/PodcastGenerator/PodcastGenerator https://github.com/aryasahil96-manu/CVE-Disclosures/blob/main/CVE-2025-70336 |
| podman-desktop--podman-desktop | Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gain unauthorized access to all authentication sessions. The `isAccessAllowed()` function unconditionally returns `true`, enabling malicious extensions to impersonate any user, hijack authentication sessions, and access sensitive resources without authorization. This vulnerability affects all versions of Podman Desktop. Version 1.25.1 contains a patch for the issue. | 2026-01-28 | not yet calculated | CVE-2026-24835 | https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-v3fx-qg34-6g9m https://drive.google.com/file/d/1ib4RG34mGHDlXeyib8L2j9L5rEDxuDM5/view?usp=sharing |
| praydog--REFramework | An issue from the component luaG_runerror in dependencies/lua/src/ldebug.c in praydog/REFramework version before 1.5.5 leads to a heap-buffer overflow when a recursive error occurs. | 2026-01-27 | not yet calculated | CVE-2026-24809 | https://github.com/praydog/REFramework/pull/1320 |
| praydog--UEVR | Out-of-bounds Write vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files ldebug.C, lvm.C. This issue affects UEVR: before 1.05. | 2026-01-27 | not yet calculated | CVE-2026-24817 | https://github.com/praydog/UEVR/pull/336 |
| praydog--UEVR | Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files lparser.C. This issue affects UEVR: before 1.05. | 2026-01-27 | not yet calculated | CVE-2026-24818 | https://github.com/praydog/UEVR/pull/337 |
| Progress Software--Chef Inspec | Chef InSpec up to version 5.23 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption. This issue affects Chef Inspec: through 5.23. | 2026-01-30 | not yet calculated | CVE-2025-6723 | https://docs.chef.io/inspec/ |
| pwncollege--dojo | pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary javascript which runs on the same origin as `http[:]//dojo[.]website`. This is a sandbox escape leading to arbitrary javascript execution as the dojo's origin. A challenge author can craft a page that executes any dangerous actions that the user could. Version e33da14449a5abcff507e554f66e2141d6683b0a patches the issue. | 2026-01-29 | not yet calculated | CVE-2026-25117 | https://github.com/pwncollege/dojo/security/advisories/GHSA-wvcf-9xm8-7mrg https://github.com/pwncollege/dojo/commit/e33da14449a5abcff507e554f66e2141d6683b0a |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually. | 2026-01-27 | not yet calculated | CVE-2026-24688 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-2q4j-m29v-hq73 https://github.com/py-pdf/pypdf/pull/3610 https://github.com/py-pdf/pypdf/commit/b1282f8dcdc1a7b41ceab6740ffddfdf31b1fec1 https://github.com/py-pdf/pypdf/releases/tag/6.6.2 |
| qgis--QGIS | QGIS is a free, open source, cross platform geographical information system (GIS) The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it used the `pull_request_target` trigger and then checked out and executed untrusted pull request code in a privileged context. Workflows triggered by `pull_request_target` ran with the base repository's credentials and access to secrets. If these workflows then checked out and executed code from the head of an external pull request (which could have been attacker controlled), the attacker could have executed arbitrary commands with elevated privileges. This insecure pattern has been documented as a security risk by GitHub and security researchers. Commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 removed the vulnerable code. | 2026-01-27 | not yet calculated | CVE-2026-24480 | https://github.com/qgis/QGIS/security/advisories/GHSA-7h99-4f97-h6rw https://github.com/qgis/QGIS/commit/76a693cd91650f9b4e83edac525e5e4f90d954e9 |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'txAny' in '/evaluacion_competencias_autoeval_list.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1472 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_competencias_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1473 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion' en '/evaluacion_inicio.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1474 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_acciones_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1475 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_acciones_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1476 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_competencias_evalua_old.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1477 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_hca_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1478 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_hca_ver_auto.asp', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1479 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1480 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1481 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_evaluacion' in '/evaluacion_objetivos_evalua_definido.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1482 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1483 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Rails--activestorage | # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) for reporting this! | 2026-01-30 | not yet calculated | CVE-2025-24293 | https://github.com/advisories/GHSA-r4mg-4433-c7g3 |
| Ralim--IronOS | Vulnerability in Ralim IronOS (source/Core/BSP/Pinecilv2/bl_mcu_sdk/components/ble/ble_stack/common/tinycrypt/source modules). This vulnerability is associated with program files ecc_dsa.C. This issue affects IronOS: before v2.23-rc3. | 2026-01-27 | not yet calculated | CVE-2026-24801 | https://github.com/Ralim/IronOS/pull/2087 |
| RawTherapee--RawTherapee | Integer Overflow or Wraparound vulnerability in RawTherapee (rtengine modules). This vulnerability is associated with program files dcraw.Cc. This issue affects RawTherapee: through 5.11. | 2026-01-27 | not yet calculated | CVE-2026-24808 | https://github.com/RawTherapee/RawTherapee/pull/7359 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection. | 2026-01-26 | not yet calculated | CVE-2025-9615 | https://access.redhat.com/security/cve/CVE-2025-9615 RHBZ#2391503 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2327 |
| rethinkdb--rethinkdb | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in rethinkdb (src/cjson modules). This vulnerability is associated with program files cJSON.Cc. This issue affects rethinkdb: through v2.4.4. | 2026-01-27 | not yet calculated | CVE-2026-24810 | https://github.com/rethinkdb/rethinkdb/pull/7163 |
| RLE NOVA--PlanManager | Stored Cross-Site Scripting (XSS) in RLE NOVA's PlanManager. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting malicious payload through the 'comment' and 'brand' parameters in '/index.php'. The payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-01-29 | not yet calculated | CVE-2026-1469 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-rle-novas-planmanager |
| root-project--root | Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inffast.C. This issue affects root. | 2026-01-27 | not yet calculated | CVE-2026-24811 | https://github.com/root-project/root/pull/18526 |
| root-project--root | Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C. This issue affects root: through 6.36.00-rc1. | 2026-01-27 | not yet calculated | CVE-2026-24812 | https://github.com/root-project/root/pull/18527 |
| Schneider Electric--EcoStruxure Process Expert | CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart. | 2026-01-29 | not yet calculated | CVE-2025-13905 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-02.pdf |
| shaarli--Shaarli | Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue. | 2026-01-26 | not yet calculated | CVE-2026-24476 | https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063 |
| sharpred--deepHas | deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8. | 2026-01-29 | not yet calculated | CVE-2026-25047 | https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27 https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465 |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges. | 2026-01-26 | not yet calculated | CVE-2026-24428 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-incorrect-authorization-allows-administrator-password-change |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated access to the management interface. | 2026-01-26 | not yet calculated | CVE-2026-24429 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-hardcoded-default-password-for-built-in-account |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception. | 2026-01-26 | not yet calculated | CVE-2026-24430 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-http-responses-expose-plaintext-credentials |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials. | 2026-01-26 | not yet calculated | CVE-2026-24431 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered by an authenticated user's browser, modify administrative passwords and other configuration settings. | 2026-01-26 | not yet calculated | CVE-2026-24432 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users access the affected management pages. | 2026-01-26 | not yet calculated | CVE-2026-24433 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-stored-xss-via-user-name-field |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in combination with Access-Control-Allow-Credentials: true, allowing attacker-controlled origins to issue credentialed cross-origin requests. | 2026-01-26 | not yet calculated | CVE-2026-24435 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-permissive-cors-allows-cross-origin-data-access |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials. | 2026-01-26 | not yet calculated | CVE-2026-24436 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-lacks-rate-limiting-on-authentication |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access. | 2026-01-26 | not yet calculated | CVE-2026-24437 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-cache-controls-for-credential-bearing-pages |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable script. | 2026-01-26 | not yet calculated | CVE-2026-24439 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-lacks-x-content-type-options-header |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) allow account passwords to be changed through the maintenance interface without requiring verification of the existing password. This enables unauthorized password changes when access to the affected endpoint is obtained. | 2026-01-26 | not yet calculated | CVE-2026-24440 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-allows-password-change-without-verifying-current-password |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix. | 2026-01-29 | not yet calculated | CVE-2026-24780 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r277-3xc5-c79v https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/external/v1/routes.py#L79-L93 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L1408-L1424 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L355-L395 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/blocks/block.py#L15-L78 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/data/block.py#L459 |
| sigstore--sigstore-python | sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue. | 2026-01-26 | not yet calculated | CVE-2026-24408 | https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0 |
| silabs.com--Silicon Labs Zigbee Stack | After receiving a malformed 802.15.4 MAC Data Request the Zigbee Coordinator sends a 'network leave' request to Zigbee router resulting in the Zigbee Router getting stuck in a non-rejoinable state. If a suitable parent is not available, the end devices will be unable to rejoin. A manual recommissioning is required to recover the Zigbee Router. | 2026-01-30 | not yet calculated | CVE-2025-7964 | https://community.silabs.com/068Vm00000dspiL |
| simsong--bulk_extractor | `bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`'s embedded unrar code has a heap buffer overflow in the RAR PPM LZ decoding path. A crafted RAR inside a disk image causes an out of bounds write in `Unpack::CopyString`, leading to a crash under ASAN (and likely a crash or memory corruption in production builds). There's potential for using this for RCE. As of time of publication, no known patches are available. | 2026-01-28 | not yet calculated | CVE-2026-24857 | https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q |
| simsong--tcpflow | tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available. | 2026-01-29 | not yet calculated | CVE-2026-25061 | https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6 |
| SmarterTools--SmarterMail | SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication. | 2026-01-29 | not yet calculated | CVE-2026-25067 | https://www.smartertools.com/smartermail/release-notes/current https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-background-of-the-day-path-coercion |
| SpringBlade--SpringBlade | Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data. | 2026-01-26 | not yet calculated | CVE-2025-70982 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/34 https://gist.github.com/old6ma/ea60151aa40ddc1cfb51fbaa0c173117 |
| SunFounder--Pironman Dashboard (pm_dashboard) | SunFounder Pironman Dashboard (pm_dashboard) version 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can disclose sensitive information and delete critical system files, resulting in data loss and potential system compromise or denial of service. | 2026-01-31 | not yet calculated | CVE-2026-25069 | https://github.com/sunfounder/pm_dashboard https://github.com/sunfounder/pm_dashboard/blob/main/pm_dashboard/pm_dashboard.py#L62 https://github.com/sunfounder/pm_dashboard/blob/main/pm_dashboard/pm_dashboard.py#L440 https://www.vulncheck.com/advisories/sunfounder-pironman-dashboard-path-traversal-arbitrary-file-read-deletion https://gist.github.com/chapochapo/5db8702ede862af5c59a28b5d5a0aba3 |
| SuperDuper!--Super-Duper! | An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls. | 2026-01-29 | not yet calculated | CVE-2025-69604 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_v312_now_available |
| swoole--swoole-src | Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C. This issue affects swoole-src: before 6.0.2. | 2026-01-27 | not yet calculated | CVE-2026-24814 | https://github.com/swoole/swoole-src/pull/5698 |
| tale--tale | Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code. | 2026-01-29 | not yet calculated | CVE-2025-69749 | https://github.com/otale/tale https://github.com/milantgh/otalexss |
| The Wikimedia Foundation--Mediawiki - DiscussionTools Extension | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup. This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43. | 2026-01-30 | not yet calculated | CVE-2025-11175 | https://phabricator.wikimedia.org/T396248 https://gerrit.wikimedia.org/r/q/I563219f3298a8740e158d130492bf3d2897784d7 https://phabricator.wikimedia.org/T364910 https://gerrit.wikimedia.org/r/q/I126203ab1d3ec8c1719cbb5460a887e4d0c2cc6d |
| tildearrow--furnace | Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in tildearrow furnace (extern/zlib modules). This vulnerability is associated with program files inflate.C. | 2026-01-27 | not yet calculated | CVE-2026-24800 | https://github.com/tildearrow/furnace/pull/2471 |
| TOTOLINK--X6000R | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection. This issue affects X6000R: through V9.4.0cu.1498_B20250826. | 2026-01-30 | not yet calculated | CVE-2026-1723 | https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2026-0001/PANW-2026-0001.md |
| TP-Link Systems Inc.--Archer MR600 v5.0 | Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise. | 2026-01-26 | not yet calculated | CVE-2025-14756 | https://www.tp-link.com/jp/support/download/archer-mr600/#Firmware https://www.tp-link.com/en/support/download/archer-mr600/#Firmware https://www.tp-link.com/us/support/faq/4916/ https://jvn.jp/en/vu/JVNVU94651499/ https://jvn.jp/vu/JVNVU94651499/ |
| TP-Link Systems Inc.--Archer RE605X | The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When such a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. Successful exploitation allows the attacker to gain root-level command execution, compromising confidentiality, integrity and availability. | 2026-01-29 | not yet calculated | CVE-2025-15545 | https://www.tp-link.com/en/support/download/re605x/v3/#Firmware https://www.tp-link.com/us/support/download/re605x/v3/#Firmware https://www.tp-link.com/us/support/faq/4929/ https://nico-security.com/posts/cve-2025-15545 |
| TP-Link Systems Inc.--Omada Controller | An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. | 2026-01-26 | not yet calculated | CVE-2025-9520 | https://support.omadanetworks.com/us/document/115200/ https://support.omadanetworks.com/us/download/software/omada-controller/ |
| TP-Link Systems Inc.--Omada Controller | Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user's password without proper confirmation, leading to weakened account security. | 2026-01-26 | not yet calculated | CVE-2025-9521 | https://support.omadanetworks.com/us/document/115200/ https://support.omadanetworks.com/us/download/software/omada-controller/ |
| TP-Link Systems Inc.--Omada Controller | Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information. | 2026-01-26 | not yet calculated | CVE-2025-9522 | https://support.omadanetworks.com/us/document/115200/ https://https://support.omadanetworks.com/us/download/software/omada-controller/ |
| TP-Link Systems Inc.--Tapo C220 v1 | The Tapo C220 v1 and C520WS v2 cameras' HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable. | 2026-01-27 | not yet calculated | CVE-2026-0918 | https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ https://www.tp-link.com/en/support/download/tapo-c220/v1/ https://www.tp-link.com/us/support/download/tapo-c520ws/v2/ https://www.tp-link.com/en/support/download/tapo-c520ws/v2/ https://www.tp-link.com/us/support/faq/4923/ |
| TP-Link Systems Inc.--Tapo C220 v1 | The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service. | 2026-01-27 | not yet calculated | CVE-2026-0919 | https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ https://www.tp-link.com/en/support/download/tapo-c220/v1/ https://www.tp-link.com/us/support/download/tapo-c520ws/v2/ https://www.tp-link.com/en/support/download/tapo-c520ws/v2/ https://www.tp-link.com/us/support/faq/4923/ |
| TP-Link Systems Inc.--Tapo C220 v1 | By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation. | 2026-01-27 | not yet calculated | CVE-2026-1315 | https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ https://www.tp-link.com/en/support/download/tapo-c220/v1/ https://www.tp-link.com/us/support/download/tapo-c520ws/v2/ https://www.tp-link.com/en/support/download/tapo-c520ws/v2/ https://www.tp-link.com/us/support/faq/4923/ |
| TP-Link Systems Inc.--VIGI C485 V1 | An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges. | 2026-01-29 | not yet calculated | CVE-2026-1457 | https://www.tp-link.com/en/support/download/vigi-c385/v1/#Firmware https://www.tp-link.com/kr/support/download/vigi-c385/v1/#Firmware https://www.tp-link.com/us/support/faq/4931/ |
| TP-Link Systems Inc.--VX800v v1.0 | A weakness in the web interface's application layer encryption in VX800v v1.0 allows an adjacent attacker to brute force the weak AES key and decrypt intercepted traffic. Successful exploitation requires network proximity but no authentication, and may result in high impact to confidentiality, integrity, and availability of transmitted data. | 2026-01-29 | not yet calculated | CVE-2025-13399 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.--VX800v v1.0 | Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limited integrity risk. | 2026-01-29 | not yet calculated | CVE-2025-15541 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.--VX800v v1.0 | Improper handling of exceptional conditions in VX800v v1.0 in SIP processing allows an attacker to flood the device with crafted INVITE messages, blocking all voice lines and causing a denial of service on incoming calls. | 2026-01-29 | not yet calculated | CVE-2025-15542 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.--VX800v v1.0 | Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read only access to system files. | 2026-01-29 | not yet calculated | CVE-2025-15543 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.--VX800v v1.0 | Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality. | 2026-01-29 | not yet calculated | CVE-2025-15548 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| ttttupup--wxhelper | Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in ttttupup wxhelper (src modules). This vulnerability is associated with program files mongoose.C. This issue affects wxhelper: through 3.9.10.19-v1. | 2026-01-27 | not yet calculated | CVE-2026-24822 | https://github.com/ttttupup/wxhelper/pull/515 |
| turanszkij--WickedEngine | Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files ldebug.C. This issue affects WickedEngine: before 0.71.705. | 2026-01-27 | not yet calculated | CVE-2026-24820 | https://github.com/turanszkij/WickedEngine/pull/1054 |
| turanszkij--WickedEngine | Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files lparser.C. This issue affects WickedEngine: through 0.71.727. | 2026-01-27 | not yet calculated | CVE-2026-24821 | https://github.com/turanszkij/WickedEngine/pull/1095 |
| umbraco--Umbraco.Forms.Issues | Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren't affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\`) in the `fileName` parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended. | 2026-01-29 | not yet calculated | CVE-2026-24687 | https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-hm5p-82g6-m3xh |
| vendurehq--vendure | Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue. | 2026-01-30 | not yet calculated | CVE-2026-25050 | https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch https://github.com/vendurehq/vendure/releases/tag/v3.5.3 |
| visualfc--liteide | NULL Pointer Dereference vulnerability in visualfc liteide (liteidex/src/3rdparty/libvterm/src modules). This vulnerability is associated with program files screen.C, state.C, vterm.C. This issue affects liteide: before x38.4. | 2026-01-27 | not yet calculated | CVE-2026-24805 | https://github.com/visualfc/liteide/pull/1326 |
| WatchGuard--Fireware OS | An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server through an exposed authentication or management web interface. This vulnerability may also allow a remote attacker to authenticate as an LDAP user with a partial identifier if they additionally have that user's valid passphrase. This issue affects Fireware OS: from 12.0 through 12.11.6, from 12.5 through 12.5.15, from 2025.1 through 2026.0. | 2026-01-30 | not yet calculated | CVE-2026-1498 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00001 |
| Western Digital--WD Discovery | DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's search path. | 2026-01-26 | not yet calculated | CVE-2025-30248 | https://www.westerndigital.com/support/product-security/wdc-25008-wd-discovery-desktop-app-version-5-3 |
| WordPress--Custom Login Page Customizer | The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account | 2026-01-29 | not yet calculated | CVE-2025-14975 | https://wpscan.com/vulnerability/a1403186-51aa-4eae-a3fe-0c559570eb93/ |
| WordPress--Recipe Card Blocks Lite | The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. | 2026-01-26 | not yet calculated | CVE-2025-14973 | https://wpscan.com/vulnerability/76f7d5d4-ba45-4bfd-bda9-ab0769e81107/ |
| WordPress--User Activity Log | The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) | 2026-01-28 | not yet calculated | CVE-2025-13471 | https://wpscan.com/vulnerability/cc8743f5-b1b9-4f88-b440-db044034bbfc/ |
| Worklenz--Worklenz | Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2026-01-26 | not yet calculated | CVE-2025-70368 | https://github.com/Worklenz/worklenz https://github.com/Stolichnayer/CVE-2025-70368 |
| Xen--Xen | Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing. | 2026-01-28 | not yet calculated | CVE-2025-58150 | https://xenbits.xenproject.org/xsa/advisory-477.html |
| Xen--Xen | In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB. | 2026-01-28 | not yet calculated | CVE-2026-23553 | https://xenbits.xenproject.org/xsa/advisory-479.html |
| yacy--yacy_search_server | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java. This issue affects yacy_search_server. | 2026-01-27 | not yet calculated | CVE-2026-24824 | https://github.com/yacy/yacy_search_server/pull/722 |
| ydb-platform--ydb | Missing Release of Memory after Effective Lifetime vulnerability in ydb-platform ydb (contrib/libs/yajl modules). This vulnerability is associated with program files yail_tree.C. This issue affects ydb: through 24.4.4.2. | 2026-01-27 | not yet calculated | CVE-2026-24825 | https://github.com/ydb-platform/ydb/pull/17570 |
| zhblue--hustoj | HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue. | 2026-01-27 | not yet calculated | CVE-2026-24479 | https://github.com/zhblue/hustoj/security/advisories/GHSA-xmgg-2rw4-7fxj https://github.com/zhblue/hustoj/commit/902bd09e6d0011fe89cd84d4236899314b33101f |
Vulnerability Summary for the Week of January 19, 2026
Posted on Monday January 26, 2026
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Agatasoft--AgataSoft PingMaster Pro | AgataSoft PingMaster Pro 2.1 contains a denial of service vulnerability in the Trace Route feature that allows attackers to crash the application by overflowing the host name input field. Attackers can generate a 10,000-character buffer and paste it into the host name field to trigger an application crash and potential system instability. | 2026-01-23 | 7.5 | CVE-2021-47893 | ExploitDB-49567 Vendor Homepage VulnCheck Advisory: AgataSoft PingMaster Pro 2.1 - Denial of Service |
| Aida Computer Information Technology Inc.--Hotel Guest Hotspot | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection. This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 8 | CVE-2025-4764 | https://www.usom.gov.tr/bildirim/tr-26-0001 |
| Altium--AES | AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries. | 2026-01-22 | 8.6 | CVE-2025-27378 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--AES | HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim's browser via crafted HTML content. | 2026-01-22 | 7.6 | CVE-2025-27380 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium 365 | Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments. | 2026-01-19 | 9 | CVE-2026-1181 | https://www.altium.com/platform/security-compliance/security-advisories |
| AMASTAR Technology--MeetingHub | MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-22 | 9.8 | CVE-2026-1331 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| appsmithorg--appsmith | Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication. | 2026-01-22 | 9.4 | CVE-2026-24042 | https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883 |
| Autodesk--Fusion | A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0533 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autodesk--Fusion | A maliciously crafted HTML payload, stored in a part's attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0534 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autodesk--Fusion | A maliciously crafted HTML payload, stored in a component's description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0535 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autonomy--OpenPLC | OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse shell code that establishes a network connection to a specified IP and port, enabling remote command execution. | 2026-01-21 | 8.8 | CVE-2021-47770 | ExploitDB-49803 OpenPLC Project Official Homepage OpenPLC v3 GitHub Repository VulnCheck Advisory: OpenPLC 3 - Remote Code Execution |
| B&R Industrial Automation GmbH--B&R Automation Studio | An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges. | 2026-01-19 | 7.4 | CVE-2025-11043 | https://www.br-automation.com/fileadmin/SA25P004-4f45197f.pdf |
| backstage--backstage | Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access. | 2026-01-21 | 7.1 | CVE-2026-24046 | https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d |
| baptisteArno--typebot.io | Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue. | 2026-01-22 | 7.4 | CVE-2025-65098 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47 |
| Birebirsoft Software and Technology Solutions--Sufirmam | Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Authentication Bypass, Password Recovery Exploitation. This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 10 | CVE-2025-4320 | https://www.usom.gov.tr/bildirim/tr-26-0005 |
| Birebirsoft Software and Technology Solutions--Sufirmam | Improper Restriction of Excessive Authentication Attempts, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Brute Force, Password Recovery Exploitation. This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 9.4 | CVE-2025-4319 | https://www.usom.gov.tr/bildirim/tr-26-0005 |
| Brother Industries, Ltd.--BRAdmin Professional | Brother BRAdmin Professional 3.75 contains an unquoted service path vulnerability in the BRA_Scheduler service that allows local users to potentially execute arbitrary code. Attackers can place a malicious executable named 'BRAdmin' in the C:\Program Files (x86)\Brother\ directory to gain local system privileges. | 2026-01-21 | 7.8 | CVE-2021-47869 | ExploitDB-49671 Brother Global Homepage Brother Software Download Page Vulnerability Technical Details VulnCheck Advisory: BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path |
| BROWAN COMMUNICATIONS--PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware. | 2026-01-20 | 9.8 | CVE-2026-1221 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| BROWAN COMMUNICATIONS--PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-20 | 7.2 | CVE-2026-1222 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| buddypress--BuddyPress | The The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2026-01-23 | 7.3 | CVE-2024-11976 | https://www.wordfence.com/threat-intel/vulnerabilities/id/34c627c1-7838-468e-acb7-eb84ad1b4949?source=cve https://plugins.trac.wordpress.org/browser/buddypress/tags/14.3.1/bp-templates/bp-nouveau/includes/messages/ajax.php#L232 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3259392%40buddypress%2Ftrunk&old=3199645%40buddypress%2Ftrunk&sfp_email=&sfph_mail= |
| chattermate--chattermate.chat | ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an <iframe> payload containing a javascript: URI can be processed and executed in the browser context. This allows access to sensitive client-side data such as localStorage tokens and cookies, resulting in client-side injection. This issue has been fixed in version 1.0.9. | 2026-01-24 | 9.3 | CVE-2026-24399 | https://github.com/chattermate/chattermate.chat/security/advisories/GHSA-72p3-w95w-q3j4 https://github.com/chattermate/chattermate.chat/commit/ff3398031abb97ae28546eaf993fed3619eaffdd https://github.com/chattermate/chattermate.chat/releases/tag/v1.0.9 |
| choijun--LA-Studio Element Kit for Elementor | The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site. | 2026-01-22 | 9.8 | CVE-2026-0920 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65ebc744-6cc2-47ce-b225-81820e49d59c?source=cve https://plugins.trac.wordpress.org/browser/lastudio-element-kit/tags/1.5.6.3/includes/integrations/override.php#L301 https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit |
| Cisco--Cisco Unified Communications Manager | A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root. | 2026-01-21 | 8.2 | CVE-2026-20045 | cisco-sa-voice-rce-mORhqY4b |
| CRMEB--CRMEB | A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 7.3 | CVE-2026-1202 | VDB-341788 | CRMEB LoginController.php appleLogin improper authentication VDB-341788 | CTI Indicators (IOB, IOC, IOA) Submit #734711 | Zhongbang CRMEB v5.6.3 Improper Authentication https://github.com/foeCat/CVE/blob/main/CRMEB/apple_login_auth_bypass.md |
| Data Device Corporation--dataSIMS Avionics ARINC | dataSIMS Avionics ARINC 664-1 version 4.5.3 contains a local buffer overflow vulnerability that allows attackers to overwrite memory by manipulating the milstd1553result.txt file. Attackers can craft a malicious file with carefully constructed payload and alignment sections to potentially execute arbitrary code on the Windows system. | 2026-01-23 | 8.4 | CVE-2021-47881 | ExploitDB-49577 Vendor Homepage Software Product Page VulnCheck Advisory: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow |
| Deepinstinct--Deep Instinct Windows Agent | Deep Instinct Windows Agent 1.2.24.0 contains an unquoted service path vulnerability in the DeepNetworkService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepNetworkService.exe to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-25 | 7.8 | CVE-2020-36934 | ExploitDB-49020 Deep Instinct Official Homepage HP Collaboration Announcement VulnCheck Advisory: Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-23 | 8.8 | CVE-2026-22273 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 2026-01-23 | 7.5 | CVE-2026-22271 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--PowerScale OneFS | Dell PowerScale OneFS versions prior to 9.13.0.0 contains an improper restriction of excessive authentication attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | 2026-01-22 | 8.1 | CVE-2026-22278 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell--Unisphere for PowerMax | Dell Unisphere for PowerMax, version(s) 10.2.0.x, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. | 2026-01-22 | 8.8 | CVE-2025-36588 | https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities |
| docling-project--docling-core | Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version 2.48.4, specifically only if the application uses pyyaml prior to version 5.4 and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. The vulnerability has been patched in docling-core version 2.48.4. The fix mitigates the issue by switching `PyYAML` deserialization from `yaml.FullLoader` to `yaml.SafeLoader`, ensuring that untrusted data cannot trigger code execution. Users who cannot immediately upgrade docling-core can alternatively ensure that the installed version of PyYAML is 5.4 or greater. | 2026-01-22 | 8.1 | CVE-2026-24009 | https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc https://github.com/docling-project/docling-core/issues/482 https://github.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c https://github.com/advisories/GHSA-8q59-q68h-6hv4 https://github.com/docling-project/docling-core/releases/tag/v2.48.4 |
| dokaninc--Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Build Your Own Amazon, eBay, Etsy | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts. | 2026-01-20 | 8.1 | CVE-2025-14977 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ab9d7e9-9a81-48f8-bc37-ad6de43a566f?source=cve https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L131 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L152 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L109 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L85 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432750%40dokan-lite%2Ftrunk&old=3427612%40dokan-lite%2Ftrunk&sfp_email=&sfph_mail=#file7 |
| embeDD GmbH--DD-WRT | DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buffer overflow conditions on the target device. | 2026-01-21 | 9.8 | CVE-2021-47854 | ExploitDB-49730 DD-WRT Official Vendor Homepage DD-WRT Software Download Repository SSD Security Advisory for DD-WRT UPNP Buffer Overflow VulnCheck Advisory: DD-WRT 45723 - UPNP Buffer Overflow |
| Epiphany--Epiphany | A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior. | 2026-01-23 | 8 | CVE-2025-3839 | https://access.redhat.com/security/cve/CVE-2025-3839 RHBZ#2361430 |
| Epson America, Inc.--Epson USB Display | Epson USB Display 1.6.0.0 contains an unquoted service path vulnerability in the EMP_UDSA service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in intermediate directories to gain elevated system access. | 2026-01-23 | 7.8 | CVE-2021-47898 | ExploitDB-49548 Epson Official Homepage VulnCheck Advisory: Epson USB Display 1.6.0.0 Unquoted Service Path Vulnerability |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining length to read is computed using the current length subtracted by the header length which results in a negative value. This value is then interpreted as `SIZE_MAX` (or slightly less) because the expected type of the argument is `size_t`. Depending on whether the server is plain TCP or TLS, this leads to either an infinite loop or a stack buffer overflow. Version 2025.10.0 fixes the issue. | 2026-01-21 | 8.4 | CVE-2025-68137 | https://github.com/EVerest/everest-core/security/advisories/GHSA-7qq4-q9r8-wc7w |
| EVerest--everest-core | EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-2 communication. This is possible because a new thread is started for each incoming plain TCP or TLS socket connection before any verification occurs, and the verification performed is too permissive. The EVerest processes and all its modules shut down, affecting all EVSE functionality. This issue is fixed in version 2025.10.0. | 2026-01-21 | 7.4 | CVE-2025-68133 | https://github.com/EVerest/everest-core/security/advisories/GHSA-mv3w-pp85-5h7c https://github.com/EVerest/everest-core/commit/8127b8c54b296c4dd01b356ac26763f81f76a8fd https://github.com/EVerest/everest-core/commit/de504f0c11069010d26767b0952739e9a400cef3 |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors frequently causes the module to crash. This is particularly critical because the manager shuts down all other modules and exits when any one of them terminates, leading to a denial of service. In a context where a manager handles multiple EVSE, this would also impact other users. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68134 | https://github.com/EVerest/everest-core/security/advisories/GHSA-cxc5-rrj5-8pf3 |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like `Session`, `IConnection` which open new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, without closing and destroying the previous ones. Previous `Session` is not saved and the usage of an `unique_ptr` is lost, destroying connection data. Latter, if the used socket and therefore file descriptor is not the last one, it will lead to a null pointer dereference. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68136 | https://github.com/EVerest/everest-core/security/advisories/GHSA-4h8h-x5cp-g22r |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed out of bounds. This occurs in the method `template <> void convert(const struct iso20_dc_DetailedTaxType& in, datatypes::DetailedTax& out)` which leads to a null pointer dereference and causes the module to terminate. The EVerest processes and all its modules shut down, affecting all EVSE. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68141 | https://github.com/EVerest/everest-core/security/advisories/GHSA-ph4w-r9q8-vm9h |
| EVMAPA--EVMAPA | This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system. | 2026-01-22 | 9.4 | CVE-2025-54816 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EVMAPA--EVMAPA | This vulnerability arises because there are no limitations on the number of authentication attempts a user can make. An attacker can exploit this weakness by continuously sending authentication requests, leading to a denial-of-service (DoS) condition. This can overwhelm the authentication system, rendering it unavailable to legitimate users and potentially causing service disruption. This can also allow attackers to conduct brute-force attacks to gain unauthorized access. | 2026-01-22 | 7.5 | CVE-2025-53968 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EVMAPA--EVMAPA | This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. The lack of proper session management and expiration control allows attackers to exploit this weakness by reusing valid charging station IDs to establish multiple sessions concurrently. | 2026-01-22 | 7.3 | CVE-2025-55705 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EXERT Computer Technologies Software Ltd. Co.--Education Management System | Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection. This issue affects Education Management System: through 23.09.2025. | 2026-01-22 | 7.5 | CVE-2025-10024 | https://www.usom.gov.tr/bildirim/tr-26-0002 |
| fastify--fastify-express | The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch fort the issue. | 2026-01-19 | 8.4 | CVE-2026-22037 | https://github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m https://github.com/fastify/fastify-express/commit/dc02a3fe1387f945143f22597baa42557d549a40 |
| fastify--middie | @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue. | 2026-01-19 | 8.4 | CVE-2026-22031 | https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p https://github.com/fastify/middie/pull/245 https://github.com/fastify/middie/commit/d44cd56eb724490babf7b452fdbbdd37ea2effba https://github.com/fastify/middie/releases/tag/v9.1.0 |
| FOGProject--fogproject | FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1754 and below contain an unauthenticated SSRF vulnerability in getversion.php which can be triggered by providing a user-controlled url parameter. It can be used to fetch both internal websites and files on the machine running FOG. This appears to be reachable without an authenticated web session when the request includes newService=1. The issue does not have a fixed release version at the time of publication. | 2026-01-23 | 7.5 | CVE-2026-24138 | https://github.com/FOGProject/fogproject/security/advisories/GHSA-79xw-c2qx-g7xj |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is incorrectly passed through to downstream handlers. All users running MyTube with loginEnabled: true are impacted. This flaw allows an attacker to access and modify application settings via /api/settings, change administrative and visitor passwords, and access other protected routes that rely on this specific middleware. The problem is patched in v1.7.66. MyTube maintainers recommend all users upgrade to at least version v1.7.64 immediately to secure their instances. The fix ensures that the middleware explicitly blocks requests if a user is not authenticated, rather than defaulting to next(). Those who cannot upgrade immediately can mitigate risk by restricting network access by usi a firewall or reverse proxy (like Nginx) to restrict access to the /api/ endpoints to trusted IP addresses only or, if they are comfortable editing the source code, manually patch by locating roleBasedAuthMiddleware and ensuring that the logic defaults to an error (401 Unauthorized) when req.user is undefined, instead of calling next(). | 2026-01-19 | 9.8 | CVE-2026-23837 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-cmvj-g69f-8664 https://github.com/franklioxygen/MyTube/commit/f85ae9b0d6e4a6480c6af5b675a99069d08d496e |
| FreeLAN--FreeLAN | FreeLAN 2.2 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47882 | ExploitDB-49630 FreeLAN GitHub Repository VulnCheck Advisory: FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path |
| frustratedProton--http-server | C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication. | 2026-01-24 | 7.5 | CVE-2026-24469 | https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff |
| FSPro Labs--Event Log Explorer | Event Log Explorer 4.9.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations that will be executed with LocalSystem account privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47861 | ExploitDB-49704 Vendor Homepage VulnCheck Advisory: Event Log Explorer 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path |
| Fyrolabs LLC.--Pingzapper | Pingzapper 2.3.1 contains an unquoted service path vulnerability in the PingzapperSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Pingzapper\PZService.exe' to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47886 | ExploitDB-49626 Vendor Homepage Software Download Page VulnCheck Advisory: Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path |
| Genexis--Platinum-4410 | Genexis Platinum-4410 P4410-V2-1.31A contains a stored cross-site scripting vulnerability in the 'start_addr' parameter of the Security Management interface. Attackers can inject malicious scripts through the start source address field that will persist and trigger for privileged users when they access the security management page. | 2026-01-21 | 7.2 | CVE-2021-47858 | ExploitDB-49709 Genexis Product Page VulnCheck Advisory: Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting |
| GeoGebra--CAS Calculator | GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a payload with 8000 repeated characters and paste it into the calculator's input field to trigger an application crash. | 2026-01-21 | 9.8 | CVE-2021-47875 | ExploitDB-49655 GeoGebra Official Homepage VulnCheck Advisory: GeoGebra CAS Calculator 6.0.631.0 - Denial of Service |
| GeoGebra--GeoGebra Classic | GeoGebra Classic 5.0.631.0-d contains a denial of service vulnerability in the input field that allows attackers to crash the application by sending oversized buffer content. Attackers can generate a large buffer of 800,000 repeated characters and paste it into the 'Entrada:' input field to trigger an application crash. | 2026-01-21 | 7.5 | CVE-2021-47876 | ExploitDB-49654 Official Vendor Homepage VulnCheck Advisory: GeoGebra Classic 5.0.631.0-d - Denial of Service |
| GeoGebra--GeoGebra Graphing Calculator | GeoGebra Graphing Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by inputting an oversized buffer. Attackers can generate a payload of 8000 repeated characters to overwhelm the input field and cause the application to become unresponsive. | 2026-01-21 | 7.5 | CVE-2021-47877 | ExploitDB-49653 GeoGebra Official Homepage VulnCheck Advisory: GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service |
| getwpfunnels--Creator LMS The LMS for Creators, Coaches, and Trainers | The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options. | 2026-01-20 | 8.8 | CVE-2025-15347 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bddaefc-9ddc-4798-acb6-7b87f7c924a1?source=cve https://plugins.trac.wordpress.org/changeset/3433193/creatorlms/tags/1.1.13/includes/Rest/V1/SettingsController.php |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data. | 2026-01-22 | 7.5 | CVE-2025-13927 | GitLab Issue #582737 HackerOne Bug Bounty Report #3439683 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints. | 2026-01-22 | 7.5 | CVE-2025-13928 | GitLab Issue #582736 HackerOne Bug Bounty Report #3439441 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses. | 2026-01-22 | 7.4 | CVE-2026-0723 | GitLab Issue #585333 HackerOne Bug Bounty Report #3476052 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GNU--Inetutils | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. | 2026-01-21 | 9.8 | CVE-2026-24061 | https://www.openwall.com/lists/oss-security/2026/01/20/2 https://www.openwall.com/lists/oss-security/2026/01/20/8 https://www.gnu.org/software/inetutils/ |
| gristlabs--grist-core | Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`. | 2026-01-22 | 9.1 | CVE-2026-24002 | https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents |
| gunthercox--ChatterBot | ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue. | 2026-01-19 | 7.5 | CVE-2026-23842 | https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-v4w8-49pv-mf72 https://github.com/gunthercox/ChatterBot/pull/2432 https://github.com/gunthercox/ChatterBot/commit/de89fe648139f8eeacc998ad4524fab291a378cf https://github.com/gunthercox/ChatterBot/releases/tag/1.2.11 https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f |
| h2o--quicly | Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue. | 2026-01-19 | 7.5 | CVE-2025-61684 | https://github.com/h2o/quicly/security/advisories/GHSA-wr3c-345m-43v9 https://github.com/h2o/quicly/commit/d9d3df6a8530a102b57d840e39b0311ce5c9e14e |
| HackUCF--OnboardLite | OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue. | 2026-01-19 | 7.3 | CVE-2026-23880 | https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f |
| HAMASTAR Technology--MeetingHub | MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | 2026-01-22 | 7.5 | CVE-2026-1330 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| Hasura--GraphQL | Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality. | 2026-01-21 | 9.8 | CVE-2021-47748 | ExploitDB-49802 Hasura GraphQL Engine GitHub Repository VulnCheck Advisory: Hasura GraphQL 1.3.3 - Remote Code Execution |
| Hestia Control Panel--Hestia Control Panel | Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server. | 2026-01-21 | 8.8 | CVE-2021-47871 | ExploitDB-49667 Hestia Control Panel Official Homepage Hestia Control Panel GitHub Repository VulnCheck Advisory: Hestia Control Panel 1.3.2 - Arbitrary File Write |
| HI-REZ STUDIOS--HiPatchService | Hi-Rez Studios 5.1.6.3 contains an unquoted service path vulnerability in the HiPatchService that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47862 | ExploitDB-49701 Hi-Rez Studios Official Homepage VulnCheck Advisory: Hi-Rez Studios 5.1.6.3 - 'HiPatchService' Unquoted Service Path |
| Hibernate--Hibernate | A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service. | 2026-01-23 | 8.3 | CVE-2026-0603 | https://access.redhat.com/security/cve/CVE-2026-0603 RHBZ#2427147 |
| HID Global--ActivIdentity | ActivIdentity 8.2 contains an unquoted service path vulnerability in the ac.sharedstore service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\Common Files\ActivIdentity\ to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47859 | ExploitDB-49703 HID Global Official Website VulnCheck Advisory: ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path |
| Honeywell--WIN-PACK PRO | WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the GuardTourService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files <x86>\WINPAKPRO\WP GuardTour Service.exe to inject malicious code that would execute during service startup. | 2026-01-21 | 7.8 | CVE-2021-47866 | ExploitDB-49690 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 - 'GuardTourService' Unquoted Service Path |
| Honeywell--WIN-PACK PRO | WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the WPCommandFileService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files <x86>\WINPAKPRO\WPCommandFileService Service.exe to inject malicious code that would execute with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47868 | ExploitDB-49692 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 - 'WPCommandFileService' Unquoted Service Path |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0. | 2026-01-22 | 8.1 | CVE-2026-24038 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| HTC--IPTInstaller | HTC IPTInstaller 4.0.9 contains an unquoted service path vulnerability in the PassThru Service configuration. Attackers can exploit the unquoted binary path to inject and execute malicious code with elevated LocalSystem privileges. | 2026-01-25 | 7.8 | CVE-2020-36933 | ExploitDB-49006 HTC Official Latin America Homepage VulnCheck Advisory: IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path |
| hwk-fr--Advanced Custom Fields: Extended | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field. | 2026-01-20 | 9.8 | CVE-2025-14533 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636 https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php#L437 https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php#L356 |
| I Want Source Codes--Digital Crime Report Management System | Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email and password parameters across police, incharge, user, and HQ login endpoints. | 2026-01-21 | 8.2 | CVE-2021-47846 | ExploitDB-49761 Vendor Homepage Software Download Link VulnCheck Advisory: Digital Crime Report Management System 1.0 - SQL Injection |
| ibericode--koko-analytics | Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue. | 2026-01-19 | 8.4 | CVE-2026-22850 | https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119 https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing |
| IBM--ApplinX | IBM ApplinX 11.1 is vulnerable due to a privilege escalation vulnerability due to improper verification of JWT tokens. An attacker may be able to craft or modify a JSON web token in order to impersonate another user or to elevate their privileges. | 2026-01-20 | 7.3 | CVE-2025-36418 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. | 2026-01-20 | 8.8 | CVE-2025-33015 | https://www.ibm.com/support/pages/node/7257006 |
| IBM--IBM Licensing Operator | IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image. | 2026-01-20 | 8.4 | CVE-2025-12985 | https://www.ibm.com/support/pages/license-service-privilege-escalation-vulnerability |
| IBM--Sterling Connect:Direct for UNIX Container | IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM® Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 2026-01-20 | 8.4 | CVE-2025-14115 | https://www.ibm.com/support/pages/node/7257143 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue. | 2026-01-20 | 8.1 | CVE-2026-23876 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8 https://github.com/ImageMagick/ImageMagick/commit/2fae24192b78fdfdd27d766fd21d90aeac6ea8b8 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccMpeCalculator::Read(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24405 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2r5c-5w66-47vv https://github.com/InternationalColorConsortium/iccDEV/issues/479 https://github.com/InternationalColorConsortium/iccDEV/commit/d22fc174866e2521f8a5f9393fab5be306329f62 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24406 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h9h3-45cm-j95f https://github.com/InternationalColorConsortium/iccDEV/issues/480 https://github.com/InternationalColorConsortium/iccDEV/commit/90c71cba2c563b1f5dc84197f827540d1baaea67 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have aHeap Buffer Overflow vulnerability in the CIccTagXmlSegmentedCurve::ToXml() function. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24412 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6rf4-63j2-cfrf https://github.com/InternationalColorConsortium/iccDEV/issues/518 https://github.com/InternationalColorConsortium/iccDEV/commit/2be3b125933a57fe8b6624e9dfd69d8e5360bf70 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or DoS, potentially enabling arbitrary Code Execution or bypassing application logic. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24403 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-ph33-qp8j-5q34 https://github.com/InternationalColorConsortium/iccDEV/issues/505 https://github.com/InternationalColorConsortium/iccDEV/commits/d993997005449a0a6958e65b057bd25e17dff89 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24404 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hqfg-45jp-hp9f https://github.com/InternationalColorConsortium/iccDEV/issues/488 https://github.com/InternationalColorConsortium/iccDEV/commit/cd637eb33f0c8055fa54d8776e00555d3d39ef0c |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24407 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-m6gx-93cp-4855 https://github.com/InternationalColorConsortium/iccDEV/issues/481 https://github.com/InternationalColorConsortium/iccDEV/commit/881802931a71c4b0dfc28bc80ee55b2cb84dab90 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccTagXmlFloatNum<>::ParseXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24409 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398v-jvcg-p8f3 https://github.com/InternationalColorConsortium/iccDEV/issues/484 https://github.com/InternationalColorConsortium/iccDEV/commit/9f134c44895edd2edca4bcb97e15c0ba9aa77382 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24410 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398q-4rpv-3v9r https://github.com/InternationalColorConsortium/iccDEV/issues/507 https://github.com/InternationalColorConsortium/iccDEV/commit/3cf522b13832692b107322cd51c4ae5c3a21f366 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in CIccTagXmlSegmentedCurve::ToXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24411 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x53f-7h27-9fc8 https://github.com/InternationalColorConsortium/iccDEV/issues/499 https://github.com/InternationalColorConsortium/iccDEV/commit/d6d6f51a999d4266ec09347cac7e0930d6e02eec |
| irisideatechsolutions--Kalrav AI Agent | The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-01-24 | 9.8 | CVE-2025-13374 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5dc8feae-fc89-4152-b9b2-2b70e6ccb30b?source=cve https://plugins.trac.wordpress.org/browser/kalrav-ai-agent/trunk/kalrav-ai-agent.php#L967 https://plugins.trac.wordpress.org/browser/kalrav-ai-agent/tags/2.3.3/kalrav-ai-agent.php#L967 https://github.com/d0n601/CVE-2025-13374 https://ryankozak.com/posts/cve-2025-13374 |
| isaacs--node-tar | node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue. | 2026-01-20 | 8.8 | CVE-2026-23950 | https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6 |
| ISC--BIND 9 | Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1. | 2026-01-21 | 7.5 | CVE-2025-13878 | CVE-2025-13878 https://downloads.isc.org/isc/bind9/9.18.44 https://downloads.isc.org/isc/bind9/9.20.18 https://downloads.isc.org/isc/bind9/9.21.17 |
| itsourcecode--Online Frozen Foods Ordering System | A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This issue affects some unknown processing of the file /order_online.php. Executing a manipulation of the argument product_name can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-19 | 7.3 | CVE-2026-1159 | VDB-341753 | itsourcecode Online Frozen Foods Ordering System order_online.php sql injection VDB-341753 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736332 | itsourcecode Online Frozen Foods Ordering System V1.0 SQL Injection https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/1 https://itsourcecode.com/ |
| itsourcecode--School Management System | A security flaw has been discovered in itsourcecode School Management System 1.0. Affected is an unknown function of the file /subject/index.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 7.3 | CVE-2026-1176 | VDB-341770 | itsourcecode School Management System index.php sql injection VDB-341770 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736477 | itsourcecode School Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/32 https://itsourcecode.com/ |
| jaraco--jaraco.context | jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue. | 2026-01-20 | 8.6 | CVE-2026-23949 | https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2 https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9 https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91 https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76 |
| JNC--IAQS | IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end. | 2026-01-23 | 9.8 | CVE-2026-1363 | https://www.twcert.org.tw/tw/cp-132-10652-4cdca-1.html https://www.twcert.org.tw/en/cp-139-10653-117a1-2.html |
| JNC--IAQS | IAQS and I6 developed by JNC has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly operate system administrative functionalities. | 2026-01-23 | 9.8 | CVE-2026-1364 | https://www.twcert.org.tw/tw/cp-132-10652-4cdca-1.html https://www.twcert.org.tw/en/cp-139-10653-117a1-2.html |
| JuneAndGreen--sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. Version 0.3.14 patches the issue. | 2026-01-22 | 9.1 | CVE-2026-23966 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-pgx9-497m-6c4v https://github.com/JuneAndGreen/sm-crypto/commit/b1c824e58fdf1eaa73692c124a095819a8c45707 |
| JuneAndGreen--sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue. | 2026-01-22 | 7.5 | CVE-2026-23965 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-hpwg-xg7m-3p6m https://github.com/JuneAndGreen/sm-crypto/commit/85295a859d0766222d12ce2be3e6fce7b438b510 |
| JuneAndGreen--sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previously signed message from an existing signature. Version 0.3.14 patches the issue. | 2026-01-22 | 7.5 | CVE-2026-23967 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-qv7w-v773-3xqm |
| KMSpico--Service KMSELDI | KMSpico 17.1.0.0 contains an unquoted service path vulnerability in the Service KMSELDI configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\KMSpico\Service_KMS.exe to inject malicious executables and escalate privileges. | 2026-01-25 | 7.8 | CVE-2020-36935 | ExploitDB-49003 Official KMSpico Homepage VulnCheck Advisory: KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path |
| kodezen--Academy LMS WordPress LMS Plugin for Complete eLearning Solution | The Academy LMS - WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account. | 2026-01-21 | 9.8 | CVE-2025-15521 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6687ebbe-fdf4-4ecb-bf59-034bb4b0104c?source=cve https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581 |
| kohler--hotcrp | HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2. | 2026-01-19 | 10 | CVE-2026-23836 | https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9 https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834 |
| Kozea--WeasyPrint | WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. Version 68.0 contains a patch for the issue. | 2026-01-19 | 7.5 | CVE-2025-68616 | https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv https://github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565 |
| laravel--reverb | Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node). | 2026-01-21 | 9.8 | CVE-2026-23524 | https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4 https://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1a https://cwe.mitre.org/data/definitions/502.html https://github.com/laravel/reverb/releases/tag/v1.7.0 https://laravel.com/docs/12.x/reverb#scaling |
| leepeuker--movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23839 | https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237 https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| leepeuker--movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23840 | https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57 https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L204 https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| leepeuker--movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23841 | https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| LiteSpeed Technologies Inc--LiteSpeed Web Server Enterprise | LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the server configuration, allowing remote code execution via path traversal and bash command injection. | 2026-01-23 | 8.8 | CVE-2021-47903 | ExploitDB-49523 LiteSpeed Technologies Official Homepage LiteSpeed Web Server Product Page VulnCheck Advisory: LiteSpeed Web Server Enterprise 5.4.11 - Command Injection |
| LiteSpeed Technologies--OpenLiteSpeed | Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an administrator clicks on the Default Icon. | 2026-01-21 | 7.2 | CVE-2021-47855 | ExploitDB-49727 OpenLiteSpeed Vendor Homepage VulnCheck Advisory: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting |
| Luidia--eBeam Education Suite | eBeam Education Suite 2.5.0.9 contains an unquoted service path vulnerability in the eBeam Device Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47878 | ExploitDB-49647 Software Download Page VulnCheck Advisory: eBeam Education Suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path |
| Luidia--eBeam Interactive Suite | eBeam Interactive Suite 3.6 contains an unquoted service path vulnerability in the eBeam Stylus Driver service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Luidia\eBeam Stylus Driver\ to inject malicious executables that would run with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47879 | ExploitDB-49648 Software Download Page VulnCheck Advisory: eBeam Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path |
| lxc--incus | Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the 'incus' group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container's lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. | 2026-01-22 | 8.7 | CVE-2026-23953 | https://github.com/lxc/incus/security/advisories/GHSA-x6jc-phwx-hp32 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L1081 https://github.com/user-attachments/files/24473682/environment_newline_injection.sh https://github.com/user-attachments/files/24473685/environment_newline_injection.patch |
| lxc--incus | Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the 'incus' group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. | 2026-01-22 | 8.7 | CVE-2026-23954 | https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294 https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1. | 2026-01-21 | 7.3 | CVE-2026-23736 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4 https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0. | 2026-01-21 | 7.5 | CVE-2026-23737 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3rxj-6cgf-8cfw https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1. | 2026-01-22 | 7.5 | CVE-2026-23956 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1. | 2026-01-22 | 7.5 | CVE-2026-23957 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6 https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached. | 2026-01-22 | 7.5 | CVE-2026-24006 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| MacPaw Way Ltd.--Encrypto | MacPaw Encrypto 1.0.1 contains an unquoted service path vulnerability in its Encrypto Service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Encrypto\ to inject malicious executables and escalate privileges on Windows systems. | 2026-01-21 | 7.8 | CVE-2021-47863 | ExploitDB-49694 MacPaw Encrypto Official Homepage VulnCheck Advisory: MacPaw Encrypto 1.0.1 - 'Encrypto Service' Unquoted Service Path |
| Magic Utilities--Magic Mouse 2 utilities | Magic Mouse 2 Utilities 2.20 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to inject malicious executables and gain elevated system privileges by placing a malicious file in the service path. | 2026-01-25 | 7.8 | CVE-2020-36936 | ExploitDB-49017 Magic Utilities Vendor Homepage VulnCheck Advisory: Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 7.5 | CVE-2026-23962 | https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| MedDream--MedDream PACS Premium | An arbitrary file read vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted HTTP request can lead to an arbitrary file read. An attacker can send http request to trigger this vulnerability. | 2026-01-20 | 9.6 | CVE-2025-53912 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2273 |
| melapress--Melapress Role Editor | The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator. | 2026-01-23 | 8.8 | CVE-2025-14866 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0509aaf1-8aae-42e5-84d3-ea9b431703f3?source=cve https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/ajax/class-admin-ajax.php https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/additional-form-fields/class-user-profile.php#L103 https://plugins.trac.wordpress.org/changeset/3439348/ |
| Microsoft--Azure Data Explorer | Exposure of sensitive information to an unauthorized actor in Azure Data Explorer allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 7.4 | CVE-2026-21524 | Azure Data Explorer Information Disclosure Vulnerability |
| Microsoft--Azure Front Door | Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network. | 2026-01-22 | 9.8 | CVE-2026-24306 | Azure Front Door Elevation of Privilege Vulnerability |
| Microsoft--Azure Logic Apps | Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network. | 2026-01-22 | 8.2 | CVE-2026-21227 | Azure Logic Apps Elevation of Privilege Vulnerability |
| Microsoft--Azure Resource Manager | Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network. | 2026-01-23 | 9.9 | CVE-2026-24304 | Azure Resource Manager Elevation of Privilege Vulnerability |
| Microsoft--Microsoft 365 Copilot | Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 9.3 | CVE-2026-24307 | M365 Copilot Information Disclosure Vulnerability |
| Microsoft--Microsoft 365 Word Copilot | Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 7.4 | CVE-2026-21521 | Word Copilot Information Disclosure Vulnerability |
| Microsoft--Microsoft Account | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network. | 2026-01-22 | 9.3 | CVE-2026-21264 | Microsoft Account Spoofing Vulnerability |
| Microsoft--Microsoft Copilot Studio | Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows a unauthenticated attacker to view sensitive information through network attack vector | 2026-01-22 | 7.5 | CVE-2026-21520 | Copilot Studio Information Disclosure Vulnerability |
| Microsoft--Microsoft Entra | Azure Entra ID Elevation of Privilege Vulnerability | 2026-01-22 | 9.3 | CVE-2026-24305 | Azure Entra ID Elevation of Privilege Vulnerability |
| Microvirt--MEMU PLAY | Microvirt MEMU Play 3.7.0 contains an unquoted service path vulnerability in the MEmusvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-25 | 7.8 | CVE-2020-36937 | ExploitDB-49016 Official MEMU Play Product Homepage VulnCheck Advisory: MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path |
| Moodle--Moodle | A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application. | 2026-01-23 | 8.8 | CVE-2025-67847 | https://access.redhat.com/security/cve/CVE-2025-67847 |
| Moodle--Moodle | Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event. | 2026-01-21 | 7.2 | CVE-2021-47857 | ExploitDB-49714 Official Moodle Project Homepage VulnCheck Advisory: Moodle 3.10.3 - 'label' Persistent Cross Site Scripting |
| nanbingxyz--5ire | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an `<img onerror=...>` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and lead to remote command execution. Version 0.15.3 fixes the issue. | 2026-01-21 | 9.7 | CVE-2026-22792 | https://github.com/nanbingxyz/5ire/security/advisories/GHSA-p5fm-wm8g-rffx https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 |
| nanbingxyz--5ire | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron's electron.mcp) are exposed, resulting in full compromise of the host system. Version 0.15.3 patches the issue. | 2026-01-21 | 9.7 | CVE-2026-22793 | https://github.com/nanbingxyz/5ire/security/advisories/GHSA-wg3x-7c26-97wj https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 |
| NodeBB--NodeBB Plugin Emoji | NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter. | 2026-01-21 | 7.5 | CVE-2021-47746 | ExploitDB-49813 Official NodeBB Homepage NodeBB Emoji Plugin GitHub Repository VulnCheck Advisory: NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write |
| Northwest Performance Software, Inc.--Managed Switch Port Mapping Tool | Managed Switch Port Mapping Tool 2.85.2 contains a denial of service vulnerability that allows attackers to crash the application by creating an oversized buffer. Attackers can generate a 10,000-character buffer and paste it into the IP Address and SNMP Community Name fields to trigger the application crash. | 2026-01-23 | 7.5 | CVE-2021-47894 | ExploitDB-49566 Vendor Homepage Software Download Page VulnCheck Advisory: Managed Switch Port Mapping Tool 2.85.2 - Denial of Service |
| Nsauditor--Nsauditor | Nsauditor 3.2.2.0 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the Event Description field with a large buffer. Attackers can generate a 10,000-character 'U' buffer and paste it into the Event Description field to trigger an application crash. | 2026-01-23 | 7.5 | CVE-2021-47895 | ExploitDB-49568 Official Vendor Homepage VulnCheck Advisory: Nsauditor 3.2.2.0 - 'Event Description' Denial of Service |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33228 | https://nvd.nist.gov/vuln/detail/CVE-2025-33228 https://www.cve.org/CVERecord?id=CVE-2025-33228 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33229 | https://nvd.nist.gov/vuln/detail/CVE-2025-33229 https://www.cve.org/CVERecord?id=CVE-2025-33229 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. A successful exploit of this vulnerability might lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33230 | https://nvd.nist.gov/vuln/detail/CVE-2025-33230 https://www.cve.org/CVERecord?id=CVE-2025-33230 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA--Merlin Transformers4Rec | NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2026-01-20 | 7.8 | CVE-2025-33233 | https://nvd.nist.gov/vuln/detail/CVE-2025-33233 https://www.cve.org/CVERecord?id=CVE-2025-33233 https://nvidia.custhelp.com/app/answers/detail/a_id/5761 |
| OKI--Configuration Tool | OKI Configuration Tool 1.6.53 contains an unquoted service path vulnerability in the OKI Local Port Manager service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe' to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47884 | ExploitDB-49624 Archived OKI Product Webpage VulnCheck Advisory: Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path |
| OKI--Print Job Accounting | OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Print Job Accounting\' to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47887 | ExploitDB-49623 Archived OKI Product Webpage VulnCheck Advisory: Print Job Accounting 4.4.10 - 'OkiJaSvc' Unquoted Service Path |
| OpenStack--keystonemiddleware | An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected. | 2026-01-19 | 9.9 | CVE-2026-22797 | https://launchpad.net/bugs/2129018 https://www.openwall.com/lists/oss-security/2026/01/16/9 |
| opf--openproject | OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject's roadmap view renders the "Related work packages" list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting a `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add a X-Content-Type-Options: nosniff header in their proxying web application server. | 2026-01-19 | 8.7 | CVE-2026-23625 | https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx https://github.com/opf/openproject/releases/tag/v16.6.5 https://github.com/opf/openproject/releases/tag/v17.0.0 |
| Oracle Corporation--Oracle Agile PLM | Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 7.5 | CVE-2026-21940 | Oracle Advisory |
| Oracle Corporation--Oracle Agile Product Lifecycle Management for Process | Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-01-20 | 9.8 | CVE-2026-21969 | Oracle Advisory |
| Oracle Corporation--Oracle Business Intelligence Enterprise Edition | Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 7.1 | CVE-2026-21976 | Oracle Advisory |
| Oracle Corporation--Oracle Database Server | Vulnerability in the SQLcl component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where SQLcl executes to compromise SQLcl. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of SQLcl. CVSS 3.1 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). | 2026-01-20 | 7 | CVE-2026-21939 | Oracle Advisory |
| Oracle Corporation--Oracle FLEXCUBE Investor Servicing | Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System). Supported versions that are affected are 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 8.1 | CVE-2026-21973 | Oracle Advisory |
| Oracle Corporation--Oracle Hospitality OPERA 5 | Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). | 2026-01-20 | 8.6 | CVE-2026-21967 | Oracle Advisory |
| Oracle Corporation--Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in | Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). | 2026-01-20 | 10 | CVE-2026-21962 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). | 2026-01-20 | 7.4 | CVE-2026-21932 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 7.5 | CVE-2026-21945 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21955 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21956 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21987 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21988 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L). | 2026-01-20 | 8.1 | CVE-2026-21989 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21990 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21957 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21982 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21983 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21984 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). | 2026-01-20 | 7.1 | CVE-2026-21986 | Oracle Advisory |
| Oracle Corporation--Siebel CRM Deployment | Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 7.5 | CVE-2026-21926 | Oracle Advisory |
| OSAS--OSAS Traverse Extension | OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject and execute malicious code by placing executable files in the service's path, potentially gaining elevated system access. | 2026-01-21 | 7.8 | CVE-2021-47864 | ExploitDB-49698 Archived Vendor Homepage VulnCheck Advisory: OSAS Traverse Extension 11 - 'travextensionhostsvc' Unquoted Service Path |
| pbatard--rufus | Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA. | 2026-01-22 | 7.3 | CVE-2026-23988 | https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9 https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873 https://github.com/pbatard/rufus/releases/tag/v4.12_BETA |
| PDF Complete, Inc.--PDFCOMPLETE Corporate Edition | PDF Complete Corporate Edition 4.1.45 contains an unquoted service path vulnerability in the pdfcDispatcher service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service binary location to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-23 | 7.8 | CVE-2021-47896 | ExploitDB-49558 Vendor Homepage Software Download Page VulnCheck Advisory: PDFCOMPLETE Corporate Edition 4.1.45 - 'pdfcDispatcher' Unquoted Service Path |
| PEEL eCommerce--PEEL Shopping | PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution. | 2026-01-23 | 7.2 | CVE-2021-47892 | ExploitDB-49574 Archived Vendor Homepage VulnCheck Advisory: PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting |
| PEEL eCommerce--PEEL Shopping | PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads that execute when users interact with the address text box, potentially enabling client-side script execution. | 2026-01-23 | 7.2 | CVE-2021-47897 | ExploitDB-49553 Archived Vendor Homepage VulnCheck Advisory: PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting |
| PHPGurukul--Directory Management System | A security vulnerability has been detected in PHPGurukul Directory Management System 1.0. Impacted is an unknown function of the file /index.php of the component Search. The manipulation of the argument searchdata leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-01-19 | 7.3 | CVE-2026-1160 | VDB-341754 | PHPGurukul Directory Management System Search index.php sql injection VDB-341754 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736333 | itsourcecode Directory Management System V1.0 SQL Injection https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/2 https://phpgurukul.com/ |
| phppgadmin--phpPgAdmin | phpPgAdmin 7.13.0 contains a remote command execution vulnerability that allows authenticated attackers to execute arbitrary system commands through SQL query manipulation. Attackers can create a custom table, upload a malicious .txt file, and use the COPY FROM PROGRAM command to execute operating system commands with the application's privileges. | 2026-01-21 | 8.8 | CVE-2021-47853 | ExploitDB-49736 phpPgAdmin Official Release Page VulnCheck Advisory: phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution |
| Phreesoft--PhreeBooks | PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. | 2026-01-23 | 8.8 | CVE-2021-47904 | ExploitDB-49524 Official Vendor Homepage ExploitDB-46645 Web Shell Payload Gist VulnCheck Advisory: PhreeBooks 5.2.3 - Remote Code Execution |
| posimyththemes--Nexter Extension Site Enhancements Toolkit | The Nexter Extension - Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2026-01-20 | 8.1 | CVE-2026-0726 | https://www.wordfence.com/threat-intel/vulnerabilities/id/02de9287-68e4-46ce-a491-3f6cbb7fc0ed?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/nexter-extension/tags/4.4.6/include/panel-settings/extensions/nexter-ext-replace-url.php&new_path=/nexter-extension/tags/4.4.7/include/panel-settings/extensions/nexter-ext-replace-url.php |
| ProFTPD--ProFTPD | ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access. | 2026-01-21 | 7.5 | CVE-2021-47865 | ExploitDB-49697 ProFTPD Official Website ProFTPD GitHub Repository VulnCheck Advisory: ProFTPD 1.3.7a - Remote Denial of Service |
| pypa--wheel | wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2. | 2026-01-22 | 7.1 | CVE-2026-24049 | https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef https://github.com/pypa/wheel/releases/tag/0.46.2 |
| Quenary--tugtainer | Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue. | 2026-01-19 | 8.1 | CVE-2026-23846 | https://github.com/Quenary/tugtainer/security/advisories/GHSA-f2qf-f544-xm4p https://github.com/Quenary/tugtainer/commit/9d23bf40ac1d39005582abfcf0a84753a4e29d52 |
| Realtek Semiconductor Corp.--Realtek Wireless LAN Utility | Realtek Wireless LAN Utility 700.1631 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path by inserting malicious code in the system root path that would execute during application startup or system reboot. | 2026-01-21 | 7.8 | CVE-2021-47880 | ExploitDB-49646 Realtek Official Homepage VulnCheck Advisory: Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path |
| Rockstar Games--Rockstar Games Launcher | Rockstar Games Launcher 1.0.37.349 contains a privilege escalation vulnerability that allows authenticated users to modify the service executable with weak permissions. Attackers can replace the RockstarService.exe with a malicious binary to create a new administrator user and gain elevated system access. | 2026-01-21 | 8.8 | CVE-2021-47852 | ExploitDB-49739 Rockstar Games Launcher Official Site VulnCheck Advisory: Rockstar Service - Insecure File Permissions |
| runtipi--runtipi | Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0. | 2026-01-22 | 8.1 | CVE-2026-24129 | https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9 https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a https://github.com/runtipi/runtipi/releases/tag/v4.7.0 |
| Sandboxie-Plus--Sandboxie Plus | Sandboxie Plus 0.7.2 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup. | 2026-01-21 | 7.8 | CVE-2021-47883 | ExploitDB-49631 Vendor Homepage VulnCheck Advisory: Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path |
| Sangfor--Operation and Maintenance Management System | A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.12. Affected by this issue is the function SessionController of the file /isomp-protocol/protocol/session of the component SSH Protocol Handler. The manipulation of the argument keypassword leads to os command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 8.8 | CVE-2026-1324 | VDB-342300 | Sangfor Operation and Maintenance Management System SSH Protocol session SessionController os command injection VDB-342300 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735716 | Sangfor Operation and Maintenance Management System (OSM / è¿ç»´å®‰å…¨ç®¡ç†ç³»ç»Ÿ) 3.0.8 OS Command Injection https://github.com/LX-LX88/cve/issues/20 |
| satndy--Aplikasi-Biro-Travel | Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative access. | 2026-01-21 | 8.2 | CVE-2021-47848 | ExploitDB-49759 Aplikasi Biro Travel GitHub Repository VulnCheck Advisory: Blitar Tourism 1.0 - Authentication Bypass SQLi |
| Security--Winpakpro | WIN-PACK PRO4.8 contains an unquoted service path vulnerability in the ScheduleService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in 'C:\Program Files <x86>\WINPAKPRO\ScheduleService Service.exe' to inject malicious code that would execute during service startup. | 2026-01-21 | 7.8 | CVE-2021-47867 | ExploitDB-49691 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 - 'ScheduleService' Unquoted Service Path |
| SEO Panel--SEO Panel | SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. Attackers can use sqlmap to exploit the vulnerability and extract database information by injecting malicious SQL code into the order column parameter. | 2026-01-21 | 7.1 | CVE-2021-47872 | ExploitDB-49666 Official SEO Panel Homepage SEO Panel 4.9.0 Release GitHub Issue #209 VulnCheck Advisory: SEO Panel < 4.9.0 - 'order_col' Blind SQL Injection |
| shazdeh--Administrative Shortcodes | The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' attribute of the 'get_template' shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. | 2026-01-24 | 7.5 | CVE-2026-1257 | https://www.wordfence.com/threat-intel/vulnerabilities/id/119fe499-88c4-413f-a44a-2b3acfdbdeb5?source=cve https://plugins.trac.wordpress.org/browser/administrative-shortcodes/trunk/administrative-shortcodes.php#L144 https://wordpress.org/plugins/administrative-shortcodes https://plugins.trac.wordpress.org/browser/administrative-shortcodes/tags/0.3.4/administrative-shortcodes.php#L144 |
| Shenzhen Tenda Technology Co.,Ltd.--Tenda D151 & D301 | Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without authentication. | 2026-01-21 | 7.5 | CVE-2021-47802 | ExploitDB-49782 Tenda Official Vendor Homepage VulnCheck Advisory: Tenda D151 & D301 - Configuration Download |
| sibercii6-crypto--teklifolustur_app | teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can manipulate the offer_id parameter to access offers belonging to other users. The issue is caused by missing authorization checks ensuring that the requested offer belonged to the currently authenticated user. Commit dd082a134a225b8dcd401b6224eead4fb183ea1c contains a patch. | 2026-01-19 | 7.1 | CVE-2026-23843 | https://github.com/sibercii6-crypto/teklifolustur_app/security/advisories/GHSA-6h9r-mmg3-cg7m https://github.com/sibercii6-crypto/teklifolustur_app/commit/dd082a134a225b8dcd401b6224eead4fb183ea1c |
| SIPp--SIPp | A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol (SIP) messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions, it may also allow an attacker to execute unauthorized code, compromising the system's integrity and availability. | 2026-01-23 | 8.4 | CVE-2026-0710 | https://access.redhat.com/security/cve/CVE-2026-0710 RHBZ#2427788 |
| Softros Systems--LAN Messenger | Softros LAN Messenger 9.6.4 contains an unquoted service path vulnerability in the SoftrosSpellChecker service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\' to inject malicious executables and escalate privileges. | 2026-01-23 | 7.8 | CVE-2021-47889 | ExploitDB-49588 Vendor Homepage VulnCheck Advisory: Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path |
| Softros Systems--LogonExpert | LogonExpert 8.1 contains an unquoted service path vulnerability in the LogonExpertSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to place malicious executables in intermediate directories, potentially gaining elevated system access during service startup. | 2026-01-23 | 7.8 | CVE-2021-47890 | ExploitDB-49586 Vendor Homepage Software Download Link VulnCheck Advisory: LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path |
| Solvera Software Services Trade Inc.--Teknoera | Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection. This issue affects Teknoera: through 01102025. | 2026-01-22 | 8.1 | CVE-2025-10856 | https://www.usom.gov.tr/bildirim/tr-26-0003 |
| Solvera Software Services Trade Inc.--Teknoera | Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers. This issue affects Teknoera: through 01102025. | 2026-01-22 | 7.5 | CVE-2025-10855 | https://www.usom.gov.tr/bildirim/tr-26-0003 |
| specialk--User Submitted Posts Enable Users to Submit Posts from the Front End | The User Submitted Posts - Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom fields in all versions up to, and including, 20251210 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 7.2 | CVE-2026-0800 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec907bc-bd10-4dc5-be35-4f2aaf5ef444?source=cve https://plugins.trac.wordpress.org/changeset/3436859/user-submitted-posts |
| Tenda--AX1803 | A flaw has been found in Tenda AX1803 1.0.0.1. The affected element is the function fromGetWifiGuestBasic of the file /goform/WifiGuestSet. Executing a manipulation of the argument guestWrlPwd/guestEn/guestSsid/hideSsid/guestSecurity can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. | 2026-01-22 | 8.8 | CVE-2026-1329 | VDB-342305 | Tenda AX1803 WifiGuestSet fromGetWifiGuestBasic stack-based overflow VDB-342305 | CTI Indicators (IOB, IOC, IOA) Submit #736063 | Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow Submit #736064 | Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736065 | Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736066 | Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736067 | Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) https://river-brow-763.notion.site/Tenda-AX1803-Buffer-Overflow-in-fromGetWifiGusetBasic-2e3a595a7aef80a78225db34317daa40#2e3a595a7aef801ab517e4af5631227a https://www.tenda.com.cn/ |
| The Textpattern Development Team--Textpattern | Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter. | 2026-01-23 | 8.8 | CVE-2021-47888 | ExploitDB-49620 Official Vendor Homepage Textpattern Software Download Page VulnCheck Advisory: Textpattern 4.8.3 - Remote code execution |
| Tosei--Online Store Management System | A vulnerability was determined in Tosei Online Store Management System ãƒãƒƒãƒˆåº—舗管ç†ã‚·ã‚¹ãƒ†ãƒ 1.01. The affected element is an unknown function of the file /cgi-bin/imode_alldata.php. Executing a manipulation of the argument DevId can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1192 | VDB-341777 | Tosei Online Store Management System ãƒãƒƒãƒˆåº—舗管ç†ã‚·ã‚¹ãƒ†ãƒ imode_alldata.php command injection VDB-341777 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734205 | Tosei Tosei Online Store Management System ãƒãƒƒãƒˆåº—舗管ç†ã‚·ã‚¹ãƒ†ãƒ 1.01 Command Injection https://www.yuque.com/yuqueyonghuexlgkz/zepczx/keenhf9u2bnw5o6g |
| TOTOLINK--A3700R | A weakness has been identified in TOTOLINK A3700R 9.1.2u.5822_B20200513. This affects the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument ssid can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-19 | 8.8 | CVE-2026-1143 | VDB-341735 | TOTOLINK A3700R cstecgi.cgi setWiFiEasyGuestCfg buffer overflow VDB-341735 | CTI Indicators (IOB, IOC, IOA) Submit #735502 | TOTOLINK A3700R V9.1.2u.5822_B20200513 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-A3700R-setWiFiEasyGuestCfg-2e353a41781f8057a244ead07d5eaaff?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. Affected by this vulnerability is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used. | 2026-01-19 | 8.8 | CVE-2026-1155 | VDB-341749 | Totolink LR350 cstecgi.cgi setWiFiEasyGuestCfg buffer overflow VDB-341749 | CTI Indicators (IOB, IOC, IOA) Submit #735718 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyGuestCfg-2e453a41781f8034bae3d1a11066a8fb?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-19 | 8.8 | CVE-2026-1156 | VDB-341750 | Totolink LR350 cstecgi.cgi setWiFiBasicCfg buffer overflow VDB-341750 | CTI Indicators (IOB, IOC, IOA) Submit #735722 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiBasicCfg-2e453a41781f80a2ad43e85bf5d46659?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-01-19 | 8.8 | CVE-2026-1157 | VDB-341751 | Totolink LR350 cstecgi.cgi setWiFiEasyCfg buffer overflow VDB-341751 | CTI Indicators (IOB, IOC, IOA) Submit #735726 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyCfg-2e453a41781f80b7b53cef33c6a782aa?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 8.8 | CVE-2026-1158 | VDB-341752 | Totolink LR350 POST Request cstecgi.cgi setWizardCfg buffer overflow VDB-341752 | CTI Indicators (IOB, IOC, IOA) Submit #735728 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWizardCfg-2e453a41781f80ce89cfc1d25049e279?source=copy_link https://www.totolink.net/ |
| Totolink--NR1800X | A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. Impacted is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. | 2026-01-22 | 8.8 | CVE-2026-1328 | VDB-342304 | Totolink NR1800X POST Request cstecgi.cgi setWizardCfg buffer overflow VDB-342304 | CTI Indicators (IOB, IOC, IOA) Submit #735792 | TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWizardCfg-2e453a41781f80568a54c9368082fbe9?source=copy_link https://www.totolink.net/ |
| Unified Intents AB--Unified Remote | Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads. | 2026-01-23 | 9.8 | CVE-2021-47891 | ExploitDB-49587 Unified Remote Official Homepage Unified Remote Download Page VulnCheck Advisory: Unified Remote 3.9.0.2463 - Remote Code Execution |
| UTT-- 520W | A vulnerability was detected in UTT è¿›å– 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formWebAuthGlobalConfig. Performing a manipulation results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1137 | VDB-341728 | UTT è¿›å– 520W formWebAuthGlobalConfig strcpy buffer overflow VDB-341728 | CTI Indicators (IOB, IOC, IOA) Submit #735296 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/32.md |
| UTT-- 520W | A flaw has been found in UTT è¿›å– 520W 1.7.7-180627. This affects the function strcpy of the file /goform/ConfigExceptQQ. Executing a manipulation can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1138 | VDB-341729 | UTT è¿›å– 520W ConfigExceptQQ strcpy buffer overflow VDB-341729 | CTI Indicators (IOB, IOC, IOA) Submit #735298 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/33.md |
| UTT-- 520W | A vulnerability has been found in UTT è¿›å– 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/ConfigExceptMSN. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1139 | VDB-341730 | UTT è¿›å– 520W ConfigExceptMSN strcpy buffer overflow VDB-341730 | CTI Indicators (IOB, IOC, IOA) Submit #735299 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/34.md |
| UTT-- 520W | A vulnerability was found in UTT è¿›å– 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigExceptAli. The manipulation results in buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1140 | VDB-341731 | UTT è¿›å– 520W ConfigExceptAli strcpy buffer overflow VDB-341731 | CTI Indicators (IOB, IOC, IOA) Submit #735300 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/35.md |
| UTT--HiPER 810 | A flaw has been found in UTT HiPER 810 1.7.4-141218. The impacted element is the function strcpy of the file /goform/setSysAdm. This manipulation of the argument passwd1 causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-19 | 9.8 | CVE-2026-1162 | VDB-341756 | UTT HiPER 810 setSysAdm strcpy buffer overflow VDB-341756 | CTI Indicators (IOB, IOC, IOA) Submit #736511 | UTT HiPER 810 / nv810v4 nv810v4v1.7.4-141218 Buffer Overflow https://github.com/cha0yang1/UTT810/blob/main/1.md https://github.com/cha0yang1/UTT810/blob/main/1.md#poc |
| VestaCP--VestaCP | VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload. | 2026-01-21 | 7.2 | CVE-2021-47873 | ExploitDB-49662 VestaCP Official Vendor Homepage VestaCP Alternative Download Site VulnCheck Advisory: VestaCP < 0.9.8-25 - Stored Cross-Site Scripting |
| Vfsforgit--VFS for Git | VFS for Git 1.0.21014.1 contains an unquoted service path vulnerability in the GVFS.Service Windows service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem privileges during service startup or system reboot. | 2026-01-21 | 7.8 | CVE-2021-47874 | ExploitDB-49661 Vendor Homepage VulnCheck Advisory: VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue. | 2026-01-21 | 8.8 | CVE-2026-22807 | https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr https://github.com/vllm-project/vllm/pull/32194 https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5 https://github.com/vllm-project/vllm/releases/tag/v0.14.0 |
| wpdevteam--NotificationX FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar | The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site. | 2026-01-20 | 7.2 | CVE-2025-15380 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve https://research.cleantalk.org/cve-2025-15380/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail= |
| wpmessiah--Frontis Blocks Block Library for the Block Editor | The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'template_proxy' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the '/template-proxy/' and '/proxy-image/' endpoint. | 2026-01-24 | 7.2 | CVE-2026-0807 | https://www.wordfence.com/threat-intel/vulnerabilities/id/322e0a27-9119-4b46-a043-d3a68c4fcdc4?source=cve https://plugins.trac.wordpress.org/browser/frontis-blocks/trunk/includes/Admin/Admin.php#L910 https://plugins.trac.wordpress.org/browser/frontis-blocks/tags/1.1.4/includes/Admin/Admin.php#L910 https://plugins.trac.wordpress.org/changeset/3444616/ |
| wpmudev--Hustle Email Marketing, Lead Generation, Optins, Popups | The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce. | 2026-01-24 | 7.5 | CVE-2026-0911 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22be5fb5-143e-4934-9f93-e17def18e883?source=cve https://plugins.trac.wordpress.org/changeset/3440956/wordpress-popup |
| Yodinfo--Mini Mouse | Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary commands through an unauthenticated HTTP endpoint. Attackers can leverage the /op=command endpoint to download and execute payloads by sending crafted JSON requests with malicious script commands. | 2026-01-21 | 9.8 | CVE-2021-47851 | ExploitDB-49743 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.2.0 - Remote Code Execution |
| Yodinfo--Mini Mouse | Mini Mouse 9.2.0 contains a path traversal vulnerability that allows remote attackers to access arbitrary system files and directories through crafted HTTP requests. Attackers can retrieve sensitive files like win.ini and list contents of system directories such as C:\Users\Public by manipulating file and path parameters. | 2026-01-21 | 7.5 | CVE-2021-47850 | ExploitDB-49744 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.2.0 - Path Traversal |
| Yonyou--KSOA | A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1129 | VDB-341719 | Yonyou KSOA HTTP GET Parameter worksadd.jsp sql injection VDB-341719 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734557 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/11 |
| Yonyou--KSOA | A flaw has been found in Yonyou KSOA 9.0. This issue affects some unknown processing of the file /worksheet/worksadd_plan.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1130 | VDB-341720 | Yonyou KSOA HTTP GET Parameter worksadd_plan.jsp sql injection VDB-341720 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734565 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/12 |
| Yonyou--KSOA | A vulnerability has been found in Yonyou KSOA 9.0. Impacted is an unknown function of the file /kmc/save_catalog.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument catalogid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1131 | VDB-341721 | Yonyou KSOA HTTP GET Parameter save_catalog.jsp sql injection VDB-341721 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734566 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/13 |
| Yonyou--KSOA | A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /kmf/edit_folder.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument folderid results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1132 | VDB-341722 | Yonyou KSOA HTTP GET Parameter edit_folder.jsp sql injection VDB-341722 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734568 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/15 |
| Yonyou--KSOA | A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /kmf/folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1133 | VDB-341723 | Yonyou KSOA HTTP GET Parameter folder.jsp sql injection VDB-341723 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734576 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/16 |
| Yonyou--KSOA | A weakness has been identified in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /kmf/save_folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1177 | VDB-341771 | Yonyou KSOA HTTP GET Parameter save_folder.jsp sql injection VDB-341771 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734577 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/17 |
| Yonyou--KSOA | A security vulnerability has been detected in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /kmf/select.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1178 | VDB-341772 | Yonyou KSOA HTTP GET Parameter select.jsp sql injection VDB-341772 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734593 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/18 |
| Yonyou--KSOA | A vulnerability was detected in Yonyou KSOA 9.0. This affects an unknown part of the file /kmf/user_popedom.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1179 | VDB-341773 | Yonyou KSOA HTTP GET Parameter user_popedom.jsp sql injection VDB-341773 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734594 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/19 |
| Zoom Communications Inc.--Zoom Node | A Command Injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access. | 2026-01-20 | 9.9 | CVE-2026-22844 | https://www.zoom.com/en/trust/security-bulletin/zsb-26001 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10web--Photo Gallery by 10Web Mobile-Friendly Image Gallery | The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin. | 2026-01-21 | 5.3 | CVE-2026-1036 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4eb2ae42-584d-4da8-9184-461b5a37b7b6?source=cve https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.35/frontend/controllers/BWGControllerGalleryBox.php#L173 |
| adzbierajewski--Alex User Counter | The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1070 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a5ef5b3-2900-44f0-9e13-66fbdc937b38?source=cve https://plugins.trac.wordpress.org/browser/user-counter/trunk/user-counter.php#L41 https://plugins.trac.wordpress.org/browser/user-counter/tags/6.0/user-counter.php#L41 |
| Aida Computer Information Technology Inc.--Hotel Guest Hotspot | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS. This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 5.5 | CVE-2025-4763 | https://www.usom.gov.tr/bildirim/tr-26-0001 |
| aiktp--AIKTP | The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator. | 2026-01-24 | 5.4 | CVE-2026-1103 | https://www.wordfence.com/threat-intel/vulnerabilities/id/84846d95-792d-4569-b0eb-876d82d0beee?source=cve https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L123 https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L143 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445248%40aiktp&new=3445248%40aiktp |
| AlchemyCMS--alchemy_cms | Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`. | 2026-01-19 | 6.4 | CVE-2026-23885 | https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979 https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26 https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7 https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12 https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3 |
| Altium--AES | A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content. | 2026-01-22 | 6.8 | CVE-2025-27379 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Designer | Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipulate network traffic, potentially exposing authentication credentials or sensitive design data. | 2026-01-22 | 5.3 | CVE-2025-27377 | https://www.altium.com/platform/security-compliance/security-advisories |
| aminhashemy--GZSEO | The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_code parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary content into any post on the site that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-14941 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a4d4d-5bfa-42fd-80b4-7a75ee79db19?source=cve https://plugins.trac.wordpress.org/browser/gzseo/tags/2.0.11/includes/class-gzseo-video-update.php?marks=112,365,369,370,563#L112 |
| andddd--WP-ClanWars | The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-24 | 4.9 | CVE-2026-0806 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65aa20e2-efc1-481a-8ed4-423d2420c3db?source=cve https://plugins.trac.wordpress.org/browser/wp-clanwars/trunk/classes/teams.class.php#L92 https://plugins.trac.wordpress.org/browser/wp-clanwars/tags/2.0.1/classes/teams.class.php#L92 https://cwe.mitre.org/data/definitions/89.html |
| AutomationDirect--CLICK Programmable Logic Controller | An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks. | 2026-01-22 | 6.1 | CVE-2025-25051 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json |
| AutomationDirect--CLICK Programmable Logic Controller | An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, leaving sensitive information more vulnerable. | 2026-01-22 | 6.1 | CVE-2025-67652 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. | 2026-01-24 | 6.5 | CVE-2026-24401 | https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3 https://github.com/avahi/avahi/issues/501 https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524 |
| AWS--Firecracker | A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above. | 2026-01-23 | 6 | CVE-2026-1386 | https://aws.amazon.com/security/security-bulletins/2026-003-AWS/ https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.1 https://github.com/firecracker-microvm/firecracker/releases/tag/v1.13.2 https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-36j2-f825-qvgc |
| axllent--mailpit | Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue. | 2026-01-19 | 5.8 | CVE-2026-23845 | https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe https://github.com/axllent/mailpit/releases/tag/v1.28.3 |
| B&R Industrial Automation GmbH--Automation Runtime | An Allocation of Resources Without Limits or Throttling vulnerability in the ANSL-Server component of B&R Automation Runtime versions prior to 6.5 and prior to R4.93 could be exploited by an unauthenti-cated attacker on the network to win a race condition, resulting in permanent denial-of-service (DoS) conditions on affected devices. | 2026-01-19 | 6.8 | CVE-2025-11044 | https://www.br-automation.com/fileadmin/SA25P005-26597bd0.pdf |
| backstage--backstage | Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users. | 2026-01-21 | 6.3 | CVE-2026-24047 | https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9 https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692 |
| Beckhoff Automation--TwinCAT.HMI.Server | On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page. | 2026-01-20 | 5.5 | CVE-2025-41768 | https://certvde.com/de/advisories/VDE-2025-106 |
| birkir--prime | A vulnerability was detected in birkir prime up to 0.4.0.beta.0. This issue affects some unknown processing of the file /graphql of the component GraphQL API. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1170 | VDB-341764 | birkir prime GraphQL API graphql information disclosure VDB-341764 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731100 | birkir prime <=0.4.0 Sensitive Information Disclosure https://github.com/birkir/prime/issues/541 |
| birkir--prime | A flaw has been found in birkir prime up to 0.4.0.beta.0. Impacted is an unknown function of the file /graphql of the component GraphQL Field Handler. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1171 | VDB-341765 | birkir prime GraphQL Field graphql denial of service VDB-341765 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731101 | birkir prime <=0.4.0 GraphQL Field Duplication Vulnerability https://github.com/birkir/prime/issues/542 |
| birkir--prime | A vulnerability has been found in birkir prime up to 0.4.0.beta.0. The affected element is an unknown function of the file /graphql of the component GraphQL Directive Handler. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1172 | VDB-341766 | birkir prime GraphQL Directive graphql denial of service VDB-341766 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731103 | birkir prime <=0.4.0 Graphql Directive Overloading Vulnerability https://github.com/birkir/prime/issues/543 |
| birkir--prime | A vulnerability was found in birkir prime up to 0.4.0.beta.0. The impacted element is an unknown function of the file /graphql of the component GraphQL Array Based Query Batch Handler. The manipulation results in denial of service. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1173 | VDB-341767 | birkir prime GraphQL Array Based Query Batch graphql denial of service VDB-341767 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731104 | birkir prime <=0.4.0 Graphql Array Based Query Batching Vulnerability https://github.com/birkir/prime/issues/544 |
| birkir--prime | A vulnerability was determined in birkir prime up to 0.4.0.beta.0. This affects an unknown function of the file /graphql of the component GraphQL Alias Handler. This manipulation causes resource consumption. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1174 | VDB-341768 | birkir prime GraphQL Alias graphql resource consumption VDB-341768 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731105 | birkir prime <=0.4.0 GraphQL Aliases Overloading Vulnerability https://github.com/birkir/prime/issues/545 |
| birkir--prime | A vulnerability was identified in birkir prime up to 0.4.0.beta.0. This impacts an unknown function of the file /graphql of the component GraphQL Directive Handler. Such manipulation leads to information exposure through error message. The attack may be performed from remote. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1175 | VDB-341769 | birkir prime GraphQL Directive graphql information exposure VDB-341769 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731106 | birkir prime <=0.4.0 GraphQL Directive Information Disclosure https://github.com/birkir/prime/issues/546 |
| birkir--prime | A security vulnerability has been detected in birkir prime up to 0.4.0.beta.0. This vulnerability affects unknown code. Such manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 4.3 | CVE-2026-1169 | VDB-341763 | birkir prime cross-site request forgery VDB-341763 | CTI Indicators (IOB, IOC) Submit #731287 | birkir prime <=0.4.0 CSRF https://github.com/birkir/prime/issues/547 |
| Bjskzy--Zhiyou ERP | A vulnerability was detected in Bjskzy Zhiyou ERP up to 11.0. Impacted is the function initRCForm of the file RichClientService.class of the component com.artery.richclient.RichClientService. Performing a manipulation results in xml external entity reference. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 6.3 | CVE-2026-1218 | VDB-341908 | Bjskzy Zhiyou ERP com.artery.richclient.RichClientService RichClientService.class initRCForm xml external entity reference VDB-341908 | CTI Indicators (IOB, IOC, IOA) Submit #735201 | Bjskzy Enterprise Resource Planning Software 11.0 XML External Entity Reference https://github.com/dingpotian/cve-vul/blob/main/Shikong-Zhiyou-ERP/Shikong-Zhiyou-ERP-XXE-RichClientService-initRCForm.md |
| BloofoxCMS--BloofoxCMS | BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users' cookies. | 2026-01-23 | 6.4 | CVE-2021-47906 | ExploitDB-49492 Official Vendor Homepage BloofoxCMS Software Releases VulnCheck Advisory: BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting |
| Bosch--Infotainment system ECU | The Infotainment ECU manufactured by Bosch which is installed in Nissan Leaf ZE1 - 2020 uses a Redbend service for over-the-air provisioning and updates. HTTPS is used for communication with the back-end server. Due to usage of the default configuration for the underlying SSL engine, the server root certificate is not verified. As a result, an attacker may be able to impersonate a Redbend backend server using a self-signed certificate. First identified on Nissan Leaf ZE1 manufactured in 2020. | 2026-01-22 | 6.5 | CVE-2025-32057 | https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch |
| Bosch--Infotainment system ECU | The anti-theft protection mechanism can be bypassed by attackers due to weak response generation algorithms for the head unit. It is possible to reveal all 32 corresponding responses by sniffing CAN traffic or by pre-calculating the values, which allow to bypass the protection. First identified on Nissan Leaf ZE1 manufactured in 2020. | 2026-01-22 | 4 | CVE-2025-32056 | https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch |
| brainstormforce--Custom Fonts Host Your Fonts Locally | The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file. | 2026-01-20 | 5.3 | CVE-2025-14351 | https://www.wordfence.com/threat-intel/vulnerabilities/id/60e3a506-8811-4e7d-a16c-02f91c757705?source=cve https://plugins.trac.wordpress.org/browser/custom-fonts/trunk/includes/class-bcf-google-fonts-compatibility.php#L88 https://plugins.trac.wordpress.org/changeset/3442237/custom-fonts |
| bramdnl--Star Review Manager | The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1076 | https://www.wordfence.com/threat-intel/vulnerabilities/id/54b6a141-eb4c-4cf0-a078-5b3aeda25466?source=cve https://plugins.trac.wordpress.org/browser/star-review-manager/trunk/admin/settings.php#L3 https://plugins.trac.wordpress.org/browser/star-review-manager/tags/1.2.2/admin/settings.php#L3 |
| BROWAN COMMUNICATIONS--PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to allowing authenticated remote attackers to obtain SMTP plaintext passwords through the web frontend. | 2026-01-20 | 4.9 | CVE-2026-1223 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| cantothemes--Canto Testimonials | The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1095 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6f2ef250-f951-4408-ac42-3272ddf46530?source=cve https://plugins.trac.wordpress.org/browser/canto-testimonials/trunk/canto-testimonials.php#L132 https://plugins.trac.wordpress.org/browser/canto-testimonials/tags/1.0/canto-testimonials.php#L132 |
| Cisco--Cisco Intersight Virtual Appliance | A vulnerability in the read-only maintenance shell of Cisco Intersight Virtual Appliance could allow an authenticated, local attacker with administrative privileges to elevate privileges to root on the virtual appliance. This vulnerability is due to improper file permissions on configuration files for system accounts within the maintenance shell of the virtual appliance. An attacker could exploit this vulnerability by accessing the maintenance shell as a read-only administrator and manipulating system files to grant root privileges. A successful exploit could allow the attacker to elevate their privileges to root on the virtual appliance and gain full control of the appliance, giving them the ability to access sensitive information, modify workloads and configurations on the host system, and cause a denial of service (DoS). | 2026-01-21 | 6 | CVE-2026-20092 | cisco-sa-intersight-privesc-p6tBm6jk |
| Cisco--Cisco Packaged Contact Center Enterprise | Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. | 2026-01-21 | 4.8 | CVE-2026-20055 | cisco-sa-ucce-pcce-xss-2JVyg3uD |
| Cisco--Cisco Packaged Contact Center Enterprise | Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. | 2026-01-21 | 4.8 | CVE-2026-20109 | cisco-sa-ucce-pcce-xss-2JVyg3uD |
| Cisco--Cisco Ultra-Reliable Wireless Backhaul | A vulnerability in the SSH service of Cisco IEC6400 Wireless Backhaul Edge Compute Software could allow an unauthenticated, remote attacker to cause the SSH service to stop responding. This vulnerability exists because the SSH service lacks effective flood protection. An attacker could exploit this vulnerability by initiating a denial of service (DoS) attack against the SSH port. A successful exploit could allow the attacker to cause the SSH service to be unresponsive during the period of the DoS attack. All other operations remain stable during the attack. | 2026-01-21 | 5.3 | CVE-2026-20080 | cisco-sa-iec6400-Pem5uQ7v |
| Click2Magic--Click2Magic | Click2Magic 1.1.5 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts in the chat name input. Attackers can craft a malicious payload in the chat name to capture administrator cookies when the admin processes user requests. | 2026-01-25 | 6.4 | CVE-2020-36931 | ExploitDB-49347 Vendor Homepage Official Product Website VulnCheck Advisory: Click2Magic 1.1.5 - Stored Cross-Site Scripting |
| codemacher--CM CSS Columns | The CM CSS Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' shortcode attribute in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1098 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dabcc606-04ab-4fb0-bf3c-d3ad915b8904?source=cve https://plugins.trac.wordpress.org/browser/cm-css-columns/trunk/includes/Shortcoder.php#L109 https://plugins.trac.wordpress.org/browser/cm-css-columns/tags/1.2.1/includes/Shortcoder.php#L109 |
| controlplaneio-fluxcd--flux-operator | The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. In order to be vulnerable, cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions. This can result in privilege escalation, data exposure, and/or information disclosure. Version 0.40.0 patches the issue. | 2026-01-21 | 5.3 | CVE-2026-23990 | https://github.com/controlplaneio-fluxcd/flux-operator/security/advisories/GHSA-4xh5-jcj2-ch8q https://github.com/controlplaneio-fluxcd/flux-operator/pull/610 https://github.com/controlplaneio-fluxcd/flux-operator/commit/084540424f6de8ba5d88fb1fd1e8472ba29afd7e https://github.com/controlplaneio-fluxcd/flux-operator/releases/tag/v0.40.0 |
| CRMEB--CRMEB | A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 5.6 | CVE-2026-1203 | VDB-341789 | CRMEB JSON Token LoginServices.php remoteRegister improper authentication VDB-341789 | CTI Indicators (IOB, IOC, IOA) Submit #735349 | Zhongbang CRMEB v5.6.3 Authentication Bypass by https://github.com/foeCat/CVE/blob/main/CRMEB/jwt_auth_bypass/remote_register_jwt_bypass.md |
| cubewp1211--CubeWP Framework | The CubeWP - All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | 2026-01-25 | 4.3 | CVE-2025-6461 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0edb6b7c-8a78-44b9-a5d6-b4a563c92484?source=cve https://plugins.trac.wordpress.org/changeset/3422640/cubewp-framework/trunk/cube/modules/search/class-cubewp-search-ajax-hooks.php |
| Dell--Data Protection Advisor | Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 2026-01-23 | 4.3 | CVE-2025-46699 | https://www.dell.com/support/kbdoc/en-us/000281732/dsa-2025-075-security-update-for-dell-data-protection-advisor-for-multiple-component-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. | 2026-01-23 | 6.5 | CVE-2026-22274 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 2026-01-23 | 5.5 | CVE-2026-22276 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 2026-01-23 | 4.4 | CVE-2026-22275 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains an incorrect permission assignment for critical resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. | 2026-01-22 | 5 | CVE-2026-22280 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions prior 9.13.0.0, contains an insufficient logging vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information tampering. | 2026-01-22 | 4.3 | CVE-2026-22279 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| devsoftbaltic--SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13139 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c06880e-06cc-4204-a031-355de4de3af2?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/add_survey.php#L12 |
| devsoftbaltic--SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13194 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab88f0cf-971f-43e1-b6b7-4eb55188ecc8?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/rename_survey.php#L12 |
| devsoftbaltic--SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13205 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e1179303-fe7c-47f1-958c-2e4d2c574e4a?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/clone_survey.php#L8 |
| Discord--WebSocket API service | Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline." | 2026-01-22 | 4.3 | CVE-2026-24332 | https://xmrcat.org/discord-invisibility-bypass |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, leading to its caller and itself to silently terminates. Thus, this leads to a denial of service as it is responsible of SDP and ISO15118-20 servers. Version 2025.10.0 fixes the issue. | 2026-01-21 | 6.5 | CVE-2025-68135 | https://github.com/EVerest/everest-core/security/advisories/GHSA-g7mm-r6qp-96vh |
| EVerest--everest-core | EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are never freed. At each connection attempt, the newly allocated memory area will be leaked, potentially causing memory exhaustion and denial of service. Version 0.30.1 fixes the issue. | 2026-01-21 | 4.7 | CVE-2025-68138 | https://github.com/EVerest/everest-core/security/advisories/GHSA-f8c2-44c3-7v55 https://github.com/EVerest/libocpp/blob/89c7b62ec899db637f43b54f19af2c4af30cfa66/lib/ocpp/common/websocket/websocket_libwebsockets.cpp |
| EVerest--everest-core | EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. This could be abused by a malicious user in order to exploit other weaknesses or vulnerabilities. While the default will stay at the setting that is described as potentially problematic in this reported issue, a mitigation is available by changing the `terminate_connection_on_failed_response` setting to `true`. However this cannot be set to this value by default since it can trigger errors in vehicle ECUs requiring ECU resets and lengthy unavailability in charging for vehicles. The maintainers judge this to be a much more important workaround then short-term unavailability of an EVSE, therefore this setting will stay at the current value. | 2026-01-21 | 4.3 | CVE-2025-68139 | https://github.com/EVerest/everest-core/security/advisories/GHSA-wqh4-pj54-6xv9 |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has been registered, the default value is 0. Therefore, a message submitted with a session ID of 0 is accepted, as it matches the registered value. This could allow unauthorized and anonymous indirect emission of MQTT messages and communication with V2G messages handlers, updating a session context. Version 2025.9.0 fixes the issue. | 2026-01-21 | 4.3 | CVE-2025-68140 | https://github.com/EVerest/everest-core/security/advisories/GHSA-w385-3jwp-x47x |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointers arithmetic instead of printing the integer value as expected, like most of interpreted languages. This can be used by malicious operator to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue. | 2026-01-21 | 4.2 | CVE-2026-23955 | https://github.com/EVerest/everest-core/security/advisories/GHSA-px57-jx97-hrff |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue. | 2026-01-19 | 5.3 | CVE-2026-23849 | https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889 |
| flatboy--FlatPM Ad Manager, AdSense and Custom Code | The FlatPM - Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rank_math_description' custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 6.4 | CVE-2026-0690 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14b89618-8a30-4b8c-9490-f05e8fa8ca8a?source=cve https://plugins.trac.wordpress.org/changeset/3434760/flatpm-wp |
| Foxit Software Inc.--na1.foxitesign.foxit.com | URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. This issue affects na1.foxitesign.foxit.com: before 2026‑01‑16. | 2026-01-20 | 6.1 | CVE-2025-66523 | https://www.foxit.com/support/security-bulletins.html |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue. | 2026-01-19 | 6.5 | CVE-2026-23848 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b |
| freemp--JavaScript Notifier | The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 4.4 | CVE-2026-1191 | https://www.wordfence.com/threat-intel/vulnerabilities/id/97696702-4d40-41dd-a25f-f2ee7681a2c9?source=cve https://plugins.trac.wordpress.org/browser/javascript-notifier/trunk/javascript-notifier.php#L75 https://plugins.trac.wordpress.org/browser/javascript-notifier/tags/1.2.8/javascript-notifier.php#L75 |
| GetSimple CMS--Custom JS Plugin | GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page. | 2026-01-21 | 5.3 | CVE-2021-47860 | ExploitDB-49816 Vendor Homepage GetSimple CMS GitHub Repository Researcher Disclosure ExploitDB-49712 VulnCheck Advisory: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection. | 2026-01-22 | 6.5 | CVE-2025-13335 | GitLab Issue #581060 HackerOne Bug Bounty Report #3418023 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests. | 2026-01-22 | 5.3 | CVE-2026-1102 | GitLab Issue #579746 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| hallsofmontezuma--Moderate Selected Posts | The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14907 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc23291-1b73-4e92-83ba-0c7f455ac126?source=cve https://plugins.trac.wordpress.org/browser/moderate-selected-posts/tags/1.4/inc/admin.php#L71 |
| HAMASTAR Technology--MeetingHub | MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific API functions and obtain meeting-related information. | 2026-01-22 | 5.3 | CVE-2026-1332 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue. | 2026-01-22 | 5.4 | CVE-2026-24034 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0. | 2026-01-22 | 5.3 | CVE-2026-24036 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-q4xr-w96p-3vg7 https://github.com/horilla-opensource/horilla/commit/9a585a1588431499092a49d7e82cb77daa4d99ee https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper authorization. This occurs due to insufficient server-side validation of the employee_id parameter during file upload operations, allowing any authenticated employee to upload document in behalf of any employee. Version 1.5.0 fixes the issue. | 2026-01-22 | 4.3 | CVE-2026-24035 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-fm3f-xpgx-8xr3 https://drive.google.com/file/d/1i00-NnipvxH8bGY-SyqEjnDQfxIbVGRR/view?usp=sharing https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to redirect users to malicious domains, run external JavaScript, and steal CSRF tokens that can be used to craft CSRF attacks against admins. This issue has been fixed in version 1.5.0. | 2026-01-22 | 4.8 | CVE-2026-24037 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-rqw5-fjm4-rgvm https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. A successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials), and may enable submission of unvetted documents. This issue is fixed in version 1.5.0. | 2026-01-22 | 4.3 | CVE-2026-24039 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-99mq-mhwv-w9qx https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| IBM--Application Gateway | IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36396 | https://www.ibm.com/support/pages/node/7256857 |
| IBM--Application Gateway | IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | 2026-01-20 | 5.4 | CVE-2025-36397 | https://www.ibm.com/support/pages/node/7256857 |
| IBM--ApplinX | IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 6.4 | CVE-2025-36408 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--ApplinX | IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36409 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--ApplinX | IBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system. | 2026-01-20 | 5.3 | CVE-2025-36419 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--Aspera Console | IBM Aspera Console 3.4.7 stores potentially sensitive information in log files that could be read by a local privileged user. | 2026-01-20 | 4.9 | CVE-2025-13925 | https://www.ibm.com/support/pages/node/7256544 |
| IBM--Business Automation Workflow containers | IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map. | 2026-01-20 | 5.5 | CVE-2025-36058 | https://www.ibm.com/support/pages/node/7256777 |
| IBM--Business Automation Workflow containers | IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls. | 2026-01-20 | 4.7 | CVE-2025-36059 | https://www.ibm.com/support/pages/node/7256777 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | 2026-01-20 | 5.9 | CVE-2025-1719 | https://www.ibm.com/support/pages/node/7257006 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | 2026-01-20 | 5.9 | CVE-2025-1722 | https://www.ibm.com/support/pages/node/7257006 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36063 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36065 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 6.1 | CVE-2025-36066 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36115 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36113 | https://www.ibm.com/support/pages/node/7257244 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. The BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails. Version 7.1.2-13 contains a patch for the issue. | 2026-01-20 | 6.5 | CVE-2026-22770 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-39h3-g67r-7g3c https://github.com/ImageMagick/ImageMagick/commit/3e0330721020e0c5bb52e4b77c347527dd71658e |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2. | 2026-01-22 | 6.5 | CVE-2026-23952 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8 https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format. Version 7.1.2-13 fixes the issue. | 2026-01-20 | 5.5 | CVE-2026-23874 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844 |
| iqonicdesign--KiviCare Clinic & Patient Management System (EHR) | The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files. | 2026-01-23 | 5.3 | CVE-2026-0927 | https://www.wordfence.com/threat-intel/vulnerabilities/id/489931ef-bac3-4de8-84ec-6f226d96f778?source=cve https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php#L1328 https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/3.6.15/app/controllers/KCAppointmentController.php#L1328 https://plugins.trac.wordpress.org/changeset/3443088/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php |
| itsourcecode--Society Management System | A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown function of the file /admin/expenses.php. The manipulation of the argument detail leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-01-19 | 4.3 | CVE-2026-1134 | VDB-341724 | itsourcecode Society Management System expenses.php cross site scripting VDB-341724 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735156 | itsourcecode Society Management System V1.0 cross site scripting https://github.com/TEhS411/cve/issues/7 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A security flaw has been discovered in itsourcecode Society Management System 1.0. This impacts an unknown function of the file /admin/activity.php. The manipulation of the argument Title results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 4.3 | CVE-2026-1135 | VDB-341725 | itsourcecode Society Management System activity.php cross site scripting VDB-341725 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735157 | itsourcecode Society Management System V1.0 cross site scripting https://github.com/TEhS411/cve/issues/8 https://itsourcecode.com/ |
| jamiesage123--MyBB Thread Redirect Plugin | MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution. | 2026-01-23 | 6.1 | CVE-2018-25116 | ExploitDB-49505 Thread Redirect Plugin GitHub Repository VulnCheck Advisory: MyBB Thread Redirect Plugin 0.2.1 - Cross-Site Scripting |
| kohler--hotcrp | HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0. | 2026-01-19 | 6.5 | CVE-2026-23878 | https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508 https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0 |
| kometschuh--Same Category Posts | The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entities that WordPress intentionally encodes for safety. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 5.4 | CVE-2025-14797 | https://www.wordfence.com/threat-intel/vulnerabilities/id/70434876-4876-4da8-9af1-6f6ef5632f26?source=cve https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L665 https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L639 https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L707 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444428%40same-category-posts&new=3444428%40same-category-posts&sfp_email=&sfph_mail= |
| leadbi--LeadBI Plugin for WordPress | The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1189 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3a196eaa-64c7-447b-9384-b58fcba57ec0?source=cve https://wordpress.org/plugins/leadbi/ https://plugins.trac.wordpress.org/browser/leadbi/trunk/includes/Plugin.php#L72 https://plugins.trac.wordpress.org/browser/leadbi/tags/1.7/includes/Plugin.php#L72 |
| legalweb--WP DSGVO Tools (GDPR) | The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lw_content_block' shortcode in all versions up to, and including, 3.1.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2026-0914 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4474c79b-f93a-4725-8345-ad5c5260913c?source=cve https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.35/public/shortcodes/content-block-shortcode.php#L17 https://plugins.trac.wordpress.org/changeset/3440083/ |
| lovor--Cookie consent for developers | The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1084 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c16918a9-7b73-418d-adbd-aa17cb1d8cf8?source=cve https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/trunk/admin/class-ntg-cookie-consent-admin.php#L112 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/trunk/admin/partials/ntg-cookie-consent-admin-display.php#L108 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/tags/1.7.1/admin/class-ntg-cookie-consent-admin.php#L112 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/tags/1.7.1/admin/partials/ntg-cookie-consent-admin-display.php#L108 |
| magazine3--Schema & Structured Data for WP & AMP | The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2025-14069 | https://www.wordfence.com/threat-intel/vulnerabilities/id/651a7036-d421-41b7-91db-102e60d8274e?source=cve https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/admin_section/common-function.php#L1874 https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/admin_section/structure-admin.php#L2605 https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/output/function.php#L171 https://plugins.trac.wordpress.org/changeset/3441582/schema-and-structured-data-for-wp/trunk?contextall=1&old=3429983&old_path=%2Fschema-and-structured-data-for-wp%2Ftrunk#file0 |
| mainichiweb--Friendly Functions for Welcart | The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1208 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6cc709e0-870b-4d12-9ac8-55da498768a1?source=cve https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L53 https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L58 https://plugins.trac.wordpress.org/changeset/3445305/ |
| marcinlawrowski--Wise Analytics | The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitive analytics data including administrator usernames, login timestamps, visitor tracking information, and business intelligence data via the 'name' parameter granted they can send unauthenticated requests. | 2026-01-24 | 5.3 | CVE-2025-14609 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d92c80cb-080b-4774-8c66-1d5cf68e771f?source=cve https://plugins.trac.wordpress.org/browser/wise-analytics/trunk/src/Endpoints/ReportsEndpoint.php#L43 https://plugins.trac.wordpress.org/browser/wise-analytics/tags/1.1.9/src/Endpoints/ReportsEndpoint.php#L43 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 6.5 | CVE-2026-23964 | https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4 https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 5.3 | CVE-2026-23961 | https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 4.3 | CVE-2026-23963 | https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3 https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-36556 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2272 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the sendOruReport functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-44000 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2270 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the fetchPriorStudies functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-46270 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2258 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the downloadZip functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53516 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2254 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyTranscript functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53707 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2267 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7Route functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53854 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2265 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54157 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2256 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the emailfailedjob functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54495 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2255 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the existingUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54778 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2257 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyAutopurgeFilter functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54814 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2261 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the autoPurge functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. An attacker can provide a URL to a malicious website to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54817 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2253 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyAeTitle functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54852 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2260 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54853 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2268 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyCoercion functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54861 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2262 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyAnonymize functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-55071 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2259 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the notifynewstudy functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57786 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2269 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyRoute functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57787 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2266 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyEmail functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57881 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2263 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7App functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-58080 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2264 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the status parameter. | 2026-01-20 | 6.1 | CVE-2025-58087 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the archivedir parameter. | 2026-01-20 | 6.1 | CVE-2025-58088 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the longtermdir parameter. | 2026-01-20 | 6.1 | CVE-2025-58089 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the uploaddir parameter. | 2026-01-20 | 6.1 | CVE-2025-58090 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the thumbnaildir parameter. | 2026-01-20 | 6.1 | CVE-2025-58091 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the phpexe parameter. | 2026-01-20 | 6.1 | CVE-2025-58092 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the phpdir parameter. | 2026-01-20 | 6.1 | CVE-2025-58093 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the worklistsrc parameter. | 2026-01-20 | 6.1 | CVE-2025-58094 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the imagedir parameter. | 2026-01-20 | 6.1 | CVE-2025-58095 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| mehtevas--Responsive Header Plugin | The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1300 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30821418-48c0-4bc6-8bf1-f558671bff24?source=cve https://downloads.wordpress.org/plugin/responsive-header.1.0.zip https://wordpress.org/plugins/responsive-header/ https://plugins.trac.wordpress.org/browser/responsive-header/trunk/rhp-settings.php#L103 https://plugins.trac.wordpress.org/browser/responsive-header/tags/1.0/rhp-settings.php#L103 |
| Mfscripts--YetiShare File Hosting Script | YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by using file:/// protocol. | 2026-01-23 | 4 | CVE-2021-47899 | ExploitDB-49534 Vendor Homepage Software Product Page VulnCheck Advisory: YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability |
| MineAdmin--MineAdmin | A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 6.3 | CVE-2026-1193 | VDB-341778 | MineAdmin View view improper authorization VDB-341778 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734270 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Logical flaw and vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/6 |
| MineAdmin--MineAdmin | A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 5.3 | CVE-2026-1194 | VDB-341779 | MineAdmin Swagger information disclosure VDB-341779 | CTI Indicators (IOB, IOC, TTP) Submit #734271 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Swagger Information Leakage Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/5 |
| MineAdmin--MineAdmin | A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 5 | CVE-2026-1195 | VDB-341780 | MineAdmin JWT Token refresh data authenticity VDB-341780 | CTI Indicators (IOB, IOC, IOA) Submit #734272 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Flaw Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/4 |
| neop--Postalicious | The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1266 | https://www.wordfence.com/threat-intel/vulnerabilities/id/512c9a2f-b023-4e28-8dd8-35795e68a8b3?source=cve https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L316 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L316 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L533 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L533 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L541 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L541 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L548 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L548 |
| nhomcaodem--Viet contact | The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-20 | 4.4 | CVE-2026-1045 | https://www.wordfence.com/threat-intel/vulnerabilities/id/131a6a35-e0d2-4613-8614-24bf11011098?source=cve https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-admin.php#L34 https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-content.php#L11 |
| norcross--WP Hello Bar | The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 4.4 | CVE-2026-1042 | https://www.wordfence.com/threat-intel/vulnerabilities/id/73b55486-adb8-40c6-9113-c98618d9cb00?source=cve https://downloads.wordpress.org/plugin/wp-hello-bar.1.02.zip https://wordpress.org/plugins/wp-hello-bar/ https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L214 https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L222 https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L152 |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Systems for Windows contains a vulnerability in the application's DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service and information disclosure. | 2026-01-20 | 6.7 | CVE-2025-33231 | https://nvd.nist.gov/vuln/detail/CVE-2025-33231 https://www.cve.org/CVERecord?id=CVE-2025-33231 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| opencryptoki--opencryptoki | openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication. | 2026-01-22 | 6.8 | CVE-2026-23893 | https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-j6c7-mvpx-jx5q https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45 |
| OpenEMR Foundation, Inc.--OpenEMR | OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance. | 2026-01-21 | 5.4 | CVE-2021-47817 | ExploitDB-49784 OpenEMR Official Website OpenEMR 5.0.2.1 Download SonarSource Vulnerability Analysis Vulnerability Demonstration Video VulnCheck Advisory: OpenEMR 5.0.2.1 - Remote Code Execution |
| opf--openproject | OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the ID that is used to identify these session objects use incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc) of other users that are stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available as this does not require any permissions or other that can temporarily be disabled. | 2026-01-19 | 6.5 | CVE-2026-23646 | https://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vp https://github.com/opf/openproject/releases/tag/v16.6.5 https://github.com/opf/openproject/releases/tag/v17.0.1 |
| opf--openproject | OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available. | 2026-01-19 | 4.3 | CVE-2026-23721 | https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h |
| Oracle Corporation--JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.26.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21946 | Oracle Advisory |
| Oracle Corporation--MySQL Cluster | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21936 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21949 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21950 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21968 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 5.3 | CVE-2026-21929 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21937 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21941 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21948 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21952 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21964 | Oracle Advisory |
| Oracle Corporation--Oracle Agile Product Lifecycle Management for Process | Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile Product Lifecycle Management for Process accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21944 | Oracle Advisory |
| Oracle Corporation--Oracle APEX Sample Applications | Vulnerability in the Oracle APEX Sample Applications product of Oracle APEX (component: Brookstrut Sample App). Supported versions that are affected are 23.2.0, 23.2.1, 24.1.0, 24.2.0 and 24.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle APEX Sample Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle APEX Sample Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle APEX Sample Applications accessible data as well as unauthorized read access to a subset of Oracle APEX Sample Applications accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21931 | Oracle Advisory |
| Oracle Corporation--Oracle Applications DBA | Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 6.5 | CVE-2026-21960 | Oracle Advisory |
| Oracle Corporation--Oracle Configurator | Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21972 | Oracle Advisory |
| Oracle Corporation--Oracle Database Server | Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. Easily exploitable vulnerability allows high privileged attacker having Authenticated User privilege with network access via Oracle Net to compromise Java VM. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java VM. CVSS 3.1 Base Score 4.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.5 | CVE-2026-21975 | Oracle Advisory |
| Oracle Corporation--Oracle FLEXCUBE Universal Banking | Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Relationship Pricing). Supported versions that are affected are 14.0.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21978 | Oracle Advisory |
| Oracle Corporation--Oracle Hospitality OPERA 5 Property Services | Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21966 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21933 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 4.8 | CVE-2026-21925 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Coding | Vulnerability in the Oracle Life Sciences Central Coding product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Coding. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Central Coding accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Central Coding accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 6.5 | CVE-2026-21980 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Central Designer accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 6.5 | CVE-2026-21923 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21970 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21974 | Oracle Advisory |
| Oracle Corporation--Oracle Planning and Budgeting Cloud Service | Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to <a href="https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html">Downloading the EPM Agent for more information. CVSS 3.1 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N). | 2026-01-20 | 4.2 | CVE-2026-21922 | Oracle Advisory |
| Oracle Corporation--Oracle Planning and Budgeting Cloud Service | Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to <a href="https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html">Downloading the EPM Agent for more information. CVSS 3.1 Base Score 4.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N). | 2026-01-20 | 4.2 | CVE-2026-21979 | Oracle Advisory |
| Oracle Corporation--Oracle Scripting | Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: Scripting Admin). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Scripting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Scripting accessible data as well as unauthorized read access to a subset of Oracle Scripting accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21943 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). | 2026-01-20 | 5.8 | CVE-2026-21927 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21928 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). | 2026-01-20 | 5.8 | CVE-2026-21935 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystems). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H). | 2026-01-20 | 5 | CVE-2026-21942 | Oracle Advisory |
| Oracle Corporation--Oracle Utilities Application Framework | Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: General). Supported versions that are affected are 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4 and 25.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Utilities Application Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Utilities Application Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Utilities Application Framework accessible data as well as unauthorized read access to a subset of Oracle Utilities Application Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21924 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2026-01-20 | 6 | CVE-2026-21963 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2026-01-20 | 6 | CVE-2026-21985 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.6 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L). | 2026-01-20 | 4.6 | CVE-2026-21981 | Oracle Advisory |
| Oracle Corporation--Oracle Workflow | Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Workflow accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 4.9 | CVE-2026-21959 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise HCM Human Resources | Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Company Dir / Org Chart Viewer, Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21961 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21938 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Integration Broker). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21951 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Push Notifications). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21934 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise SCM Purchasing | Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM Purchasing accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21971 | Oracle Advisory |
| ostin654--JustClick registration plugin | The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-24 | 6.1 | CVE-2025-13676 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f1420ec8-55e4-448d-8230-228d1e566b97?source=cve https://plugins.trac.wordpress.org/browser/justclick-subscriber/trunk/justclick.php#L154 https://plugins.trac.wordpress.org/browser/justclick-subscriber/tags/0.1/justclick.php#L154 |
| Palantir--com.palantir.aries:aries | A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible client to view system logs and perform operations without valid credentials. No evidence of exploitation was identified during the vulnerability window. | 2026-01-22 | 6.6 | CVE-2025-68609 | https://palantir.safebase.us/?tcuUid=955a313a-1735-48a6-9fb4-e10404f14eb5 |
| pdfcrowd--Save as PDF Plugin by PDFCrowd | The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'options' parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: Successful exploitation of this vulnerability requires that the PDFCrowd API key is blank (also known as "demo mode", which is the default configuration when the plugin is installed) or known. | 2026-01-24 | 6.1 | CVE-2026-0862 | https://www.wordfence.com/threat-intel/vulnerabilities/id/74172fcb-7428-464a-89f1-f1f3af50e361?source=cve https://plugins.trac.wordpress.org/changeset/3438577/save-as-pdf-by-pdfcrowd |
| peachpay--PeachPay Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) | The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders. | 2026-01-20 | 5.3 | CVE-2025-14978 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5480a151-3e3a-46ba-9712-6c61fba06812?source=cve https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.119.5/core/payments/convesiopay/routes/class-peachpay-convesiopay-webhook.php#L33 |
| PHPGurukul--News Portal | A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-01-19 | 6.3 | CVE-2026-1141 | VDB-341733 | PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization VDB-341733 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735483 | PHPGurukul News Portal Project in PHP and MySql 1.0 Improper Access Controls https://github.com/Asim-QAZi/BrokenAccessControl-News-Portal-Project-in-PHP-and-MySQL-in-PHPGurukul https://phpgurukul.com/ |
| PHPGurukul--News Portal | A security flaw has been discovered in PHPGurukul News Portal 1.0. The impacted element is an unknown function. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 4.3 | CVE-2026-1142 | VDB-341734 | PHPGurukul News Portal cross-site request forgery VDB-341734 | CTI Indicators (IOB, IOC) Submit #735498 | PHPGurukul News Portal Project in PHP and MySql 1.0 Cross-Site Request Forgery https://github.com/Asim-QAZi/CSRF-Add-Subadmin-in-News-Portal-Project-in-PHP-and-MySql-in-PHPGurukul https://phpgurukul.com/ |
| plugins360--All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates. | 2026-01-23 | 6.5 | CVE-2025-14947 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bedfb712-faf6-4131-b254-e6d7c367f49f?source=cve https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/includes/init.php#L373 https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L131 https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L285 https://plugins.trac.wordpress.org/changeset/3441541/ |
| plugins360--All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account. | 2026-01-24 | 4.3 | CVE-2025-15516 | https://www.wordfence.com/threat-intel/vulnerabilities/id/218e4ed5-661b-49e1-8b23-457a93fd53fa?source=cve https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.6.4/admin/admin.php#L1062 |
| pytest--pytest | pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges. | 2026-01-22 | 6.8 | CVE-2025-71176 | https://github.com/pytest-dev/pytest/issues/13669 https://www.openwall.com/lists/oss-security/2026/01/21/5 |
| quickjs-ng--quickjs | A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue. | 2026-01-19 | 6.3 | CVE-2026-1144 | VDB-341737 | quickjs-ng quickjs Atomics Ops quickjs.c use after free VDB-341737 | CTI Indicators (IOB, IOC, IOA) Submit #735537 | quickjs-ng quickjs v0.11.0 Use After Free Submit #735538 | quickjs-ng quickjs v0.11.0 Use After Free (Duplicate) https://github.com/quickjs-ng/quickjs/issues/1301 https://github.com/quickjs-ng/quickjs/pull/1303 https://github.com/quickjs-ng/quickjs/issues/1302 https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141 |
| quickjs-ng--quickjs | A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue. | 2026-01-19 | 6.3 | CVE-2026-1145 | VDB-341738 | quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow VDB-341738 | CTI Indicators (IOB, IOC, IOA) Submit #735539 | quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow https://github.com/quickjs-ng/quickjs/issues/1305 https://github.com/quickjs-ng/quickjs/pull/1306 https://github.com/quickjs-ng/quickjs/issues/1305#issue-3785444372 https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4 |
| rebelcode--RSS Aggregator RSS Import, News Feeds, Feed to Post, and Autoblogging | The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2025-14745 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dd201949-d3a1-4fdb-bf98-252fbfd59380?source=cve https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/src/Renderer.php#L209 https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator/trunk/core/src/Renderer.php |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow. | 2026-01-21 | 6.5 | CVE-2025-14559 | https://access.redhat.com/security/cve/CVE-2025-14559 RHBZ#2421711 |
| Red Hat--Red Hat Build of Keycloak | A flaw was identified in Keycloak's OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk. | 2026-01-20 | 5.8 | CVE-2026-1180 | https://access.redhat.com/security/cve/CVE-2026-1180 RHBZ#2430781 |
| robiulawal40--Alpha Blocks | The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alpha_block_css' parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-14985 | https://www.wordfence.com/threat-intel/vulnerabilities/id/745dcc4c-1c52-4ac7-9ac6-033770282a3b?source=cve https://plugins.trac.wordpress.org/browser/alpha-blocks/tags/1.5.0/class/block_inline_style.php#L175 |
| rtowebsites--AdminQuickbar | The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. This makes it possible for unauthenticated attackers to modify plugin settings and update post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14630 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb70ad52-b964-4c56-98a2-06be375a79af?source=cve https://plugins.trac.wordpress.org/browser/adminquickbar/tags/1.9.3/Lib/AdminQuickbar.php#L88 https://plugins.trac.wordpress.org/browser/adminquickbar/tags/1.9.3/Lib/Sidebar.php#L386 https://plugins.trac.wordpress.org/browser/adminquickbar/trunk/Lib/AdminQuickbar.php#L88 https://plugins.trac.wordpress.org/browser/adminquickbar/trunk/Lib/Sidebar.php#L386 |
| Sangfor--Operation and Maintenance Security Management System | A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 5.3 | CVE-2026-1325 | VDB-342301 | Sangfor Operation and Maintenance Security Management System edit_pwd_mall password recovery VDB-342301 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736208 | Sangfor Operation and Maintenance Security Management System (OSM / è¿ç»´å®‰å…¨ç®¡ç†ç³»ç»Ÿ) 3.0.12 Unauthenticated Arbitrary Password Reset https://github.com/LX-LX88/cve/issues/21 |
| satollo--Newsletter Send awesome emails from WordPress | The Newsletter - Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link. | 2026-01-20 | 4.3 | CVE-2026-1051 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8de2156f-5087-4c16-8e5d-93b5c72ec536?source=cve https://plugins.trac.wordpress.org/browser/newsletter/tags/9.1.0/unsubscription/unsubscription.php#L141 |
| sauravrox--Set Bulk Post Categories | The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1081 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9503f908-ead2-4c34-89b9-1e2348b90f3c?source=cve https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/trunk/set-bulk-categories.php#L36 https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/tags/1.1/set-bulk-categories.php#L36 |
| Seacms--Seacms | SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users' browsers when the page is loaded. | 2026-01-25 | 6.4 | CVE-2020-36932 | ExploitDB-49251 Official Seacms Product Homepage VulnCheck Advisory: Seacms 11.1 - 'checkuser' Stored XSS |
| shahinurislam--Meta-box GalleryMeta | The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries. | 2026-01-24 | 4.3 | CVE-2026-0687 | https://www.wordfence.com/threat-intel/vulnerabilities/id/872c61aa-c95c-4b86-8e39-8112bb117a0b?source=cve https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/include/posttype.php#L29 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L375 |
| shahinurislam--Meta-box GalleryMeta | The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1302 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb9ae252-7e5f-4dc0-a162-100493b81980?source=cve https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/templates/single-mb_gallery.php#L31 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/templates/single-mb_gallery.php#L33 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L119 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L314 |
| shazdeh--Administrative Shortcodes | The Administrative Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'login' and 'logout' shortcode attributes in all versions up to, and including, 0.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1099 | https://www.wordfence.com/threat-intel/vulnerabilities/id/de931a65-c898-4b1d-99ce-20dd646bcbb0?source=cve https://plugins.trac.wordpress.org/browser/administrative-shortcodes/trunk/administrative-shortcodes.php#L196 https://plugins.trac.wordpress.org/browser/administrative-shortcodes/tags/0.3.4/administrative-shortcodes.php#L196 |
| sigstore--rekor | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0. | 2026-01-22 | 5.3 | CVE-2026-23831 | https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833 https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd https://github.com/sigstore/rekor/releases/tag/v1.5.0 |
| sigstore--rekor | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false. | 2026-01-22 | 5.3 | CVE-2026-24117 | https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f https://github.com/sigstore/rekor/releases/tag/v1.5.0 |
| sigstore--sigstore | sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release. | 2026-01-23 | 5.8 | CVE-2026-24137 | https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e https://github.com/sigstore/sigstore/releases/tag/v1.10.4 |
| SourceCodester--E-Learning System | A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basic cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. | 2026-01-19 | 4.3 | CVE-2026-1154 | VDB-341747 | SourceCodester E-Learning System Lesson index.php cross site scripting VDB-341747 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735855 | SourceCodester E-Learning System (CAIWL) 1.0 Stored HTML Injection Vulnerability https://gist.github.com/0xCaptainFahim/dada955760b424a851de12bccadee997 https://www.sourcecodester.com/ |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability was determined in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This vulnerability affects unknown code. Executing a manipulation can lead to cross-site request forgery. It is possible to launch the attack remotely. | 2026-01-19 | 4.3 | CVE-2026-1148 | VDB-341741 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System cross-site request forgery VDB-341741 | CTI Indicators (IOB, IOC) Submit #735545 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross-Site Request Forgery |
| specialk--Head Meta Data | The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 6.4 | CVE-2026-0608 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9592bb6d-8e1d-4c89-addd-11c07272a628?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/head-meta-data/tags/20251118&new_path=/head-meta-data/tags/20260105 |
| Spring--Spring Security | The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. | 2026-01-22 | 5.3 | CVE-2025-22234 | Spring Security Advisory: CVE-2025-22234 |
| stefanristic--Simple Crypto Shortcodes | The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14903 | https://www.wordfence.com/threat-intel/vulnerabilities/id/18bcd2ad-1989-4e2b-b82e-fddc4201c5a6?source=cve https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L46 https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L54 |
| stellarwp--The Events Calendar | The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action. | 2026-01-20 | 5.4 | CVE-2025-15043 | https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/the-events-calendar/tags/6.15.13&new_path=/the-events-calendar/tags/6.15.13.1 |
| sumatrapdfreader--sumatrapdf | SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication. | 2026-01-22 | 5.5 | CVE-2026-23951 | https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp |
| swift-otel--swift-w3c-trace-context | Swift W3C TraceContext is a Swift implementation of the W3C Trace Context standard, and Swift OTel is an OpenTelemetry Protocol (OTLP) backend for Swift Log, Swift Metrics, and Swift Distributed Tracing. Prior to Swift W3C TraceContext version 1.0.0-beta.5 and Swift OTel version 1.0.4, a denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header. This allows crashing the process with data coming from the network when used with, for example, an HTTP server. Most common way of using Swift W3C Trace Context is through Swift OTel. Version 1.0.0-beta.5 of Swift W3C TraceContext and version 1.0.4 of Swift OTel contain a patch for this issue. As a workaround, disable either Swift OTel or the code that extracts the trace information from an incoming header (such as a `TracingMiddleware`). | 2026-01-19 | 5.3 | CVE-2026-23886 | https://github.com/swift-otel/swift-w3c-trace-context/security/advisories/GHSA-mvpq-2v8x-ww6g https://github.com/swift-otel/swift-w3c-trace-context/commit/5da9b143ba6046734de3fa51dafea28290174e4e https://github.com/swift-otel/swift-otel/releases/tag/1.0.4 https://github.com/swift-otel/swift-w3c-trace-context/releases/tag/1.0.0-beta.5 |
| tandubhai--Alchemist Ajax Upload | The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments. | 2026-01-24 | 5.3 | CVE-2025-14629 | https://www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f?source=cve https://wordpress.org/plugins/alchemist-ajax-upload/ https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php#L231 https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php#L231 |
| Tapandsign Technologies Software Inc.--Tap&Sign | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS). This issue affects Tap&Sign: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 4.7 | CVE-2025-2204 | https://www.usom.gov.tr/bildirim/tr-26-0004 |
| teamzt--ZT Captcha | The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1075 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9d6da5-1598-4df4-8efc-306370446443?source=cve https://plugins.trac.wordpress.org/browser/zt-captcha/trunk/request/CaptchaRequest.php#L37 https://plugins.trac.wordpress.org/browser/zt-captcha/tags/1.0.4/request/CaptchaRequest.php#L37 |
| technical-laohu--mpay | A security vulnerability has been detected in technical-laohu mpay up to 1.2.4. The impacted element is an unknown function of the component QR Code Image Handler. Such manipulation of the argument codeimg leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-19 | 4.7 | CVE-2026-1152 | VDB-341745 | technical-laohu mpay QR Code Image unrestricted upload VDB-341745 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735775 | https://gitee.com/technical-laohu/mpay mpay v1.2.4 Arbitrary file upload vulnerability https://github.com/bdkuzma/vuln/issues/17 |
| technical-laohu--mpay | A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-01-19 | 4.3 | CVE-2026-1153 | VDB-341746 | technical-laohu mpay cross-site request forgery VDB-341746 | CTI Indicators (IOB, IOC) Submit #735789 | https://gitee.com/technical-laohu/mpay mpay v1.2.4 Cross-Site Request Forgery https://github.com/bdkuzma/vuln/issues/18 |
| tendenci--tendenci | Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12. | 2026-01-22 | 6.8 | CVE-2026-23946 | https://github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3 https://github.com/tendenci/tendenci/issues/867 https://github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1 https://github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636 https://github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0e https://docs.python.org/3/library/pickle.html#restricting-globals https://github.com/advisories/GHSA-jqmc-fxxp-r589 https://github.com/tendenci/tendenci/releases/tag/v15.3.12 |
| themeruby--ThemeRuby Multi Authors Assign Multiple Writers to Posts | The ThemeRuby Multi Authors - Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1097 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ca74bb1d-1954-4869-aaa9-bf66600cdf2a?source=cve https://plugins.trac.wordpress.org/browser/themeruby-multi-authors/trunk/includes/class-tma-shortcodes.php#L76 https://plugins.trac.wordpress.org/browser/themeruby-multi-authors/tags/1.0.0/includes/class-tma-shortcodes.php#L76 |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site. | 2026-01-20 | 5.4 | CVE-2026-0548 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php&new_path=/tutor/tags/3.9.5/classes/User.php |
| theupdateframework--go-tuf | go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available. | 2026-01-22 | 5.9 | CVE-2026-23991 | https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324 https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6 https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1 |
| theupdateframework--go-tuf | go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1. | 2026-01-22 | 5.9 | CVE-2026-23992 | https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525 https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0 |
| thimpress--LearnPress WordPress LMS Plugin for Create and Sell Online Courses | The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included. | 2026-01-20 | 5.3 | CVE-2025-14798 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6fb00ce4-aa82-4479-b7f6-79e7bde098c1?source=cve https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L134 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L35 |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version | 2026-01-24 | 6.5 | CVE-2026-24420 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17. | 2026-01-24 | 6.5 | CVE-2026-24421 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-wm8h-26fv-mg7g |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17. | 2026-01-24 | 5.3 | CVE-2026-24422 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc |
| Totolink--LR350 | A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2026-01-19 | 6.3 | CVE-2026-1149 | VDB-341742 | Totolink LR350 POST Request cstecgi.cgi setDiagnosisCfg command injection VDB-341742 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735695 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setDiagnosisCfg-2e453a41781f800d9ba9c6da80b55276?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 6.3 | CVE-2026-1150 | VDB-341743 | Totolink LR350 POST Request cstecgi.cgi setTracerouteCfg command injection VDB-341743 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735696 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setTracerouteCfg-2e453a41781f803494e3e4161a393487?source=copy_link https://www.totolink.net/ |
| Totolink--NR1800X | A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-22 | 6.3 | CVE-2026-1326 | VDB-342302 | Totolink NR1800X POST Request cstecgi.cgi setWanCfg command injection VDB-342302 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735787 | TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWanCfg-2e453a41781f80b390f3e1ce0d9dd5b9?source=copy_link https://www.totolink.net/ |
| Totolink--NR1800X | A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-22 | 6.3 | CVE-2026-1327 | VDB-342303 | Totolink NR1800X POST Request cstecgi.cgi setTracerouteCfg command injection VDB-342303 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735790 | TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setTracerouteCfg-2e453a41781f80df8ef9d32983758502?source=copy_link https://www.totolink.net/ |
| typemill--typemill | Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2. | 2026-01-23 | 5.4 | CVE-2026-24127 | https://github.com/typemill/typemill/security/advisories/GHSA-65x4-pjhj-r8wr https://github.com/typemill/typemill/commit/b506acd11e80fb9c8db5fa6c2c8ad73580b4e88c https://github.com/typemill/typemill/releases/tag/v2.19.2 |
| uncannyowl--Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin | The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page. | 2026-01-23 | 6.4 | CVE-2025-15522 | https://www.wordfence.com/threat-intel/vulnerabilities/id/41c54e1b-69b9-4594-8f1e-7ef17f120791?source=cve https://wordpress.org/plugins/uncanny-automator https://plugins.trac.wordpress.org/browser/uncanny-automator/tags/6.10.0.2/src/integrations/discord/shortcodes/discord-user-mapping-shortcode.php#L128 https://plugins.trac.wordpress.org/changeset/3440408/uncanny-automator/trunk/src/integrations/discord/shortcodes/discord-user-mapping-shortcode.php |
| vektor-inc--VK Google Job Posting Manager | The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.20 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-12836 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4e0fd492-19ee-430e-a495-99ad28043bf9?source=cve https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L419 https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L468 |
| vintagedaddyo--MyBB Delete Account Plugin | MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons. | 2026-01-23 | 6.1 | CVE-2021-47905 | ExploitDB-49500 MyBB Delete Account Plugin Repository VulnCheck Advisory: MyBB Delete Account Plugin 1.4 - Cross-Site Scripting |
| waqasvickey0071--WP Youtube Video Gallery | The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14906 | https://www.wordfence.com/threat-intel/vulnerabilities/id/53709d2c-6522-40f0-9dc4-82517d3ee7b2?source=cve https://plugins.trac.wordpress.org/browser/wp-youtube-video-gallery/tags/1.0/admin/admin.php#L444 |
| wedevs--weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot | The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit any documentation post. The vulnerability was partially patched in version 2.1.16. | 2026-01-23 | 4.3 | CVE-2025-13921 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c56234f3-7dd6-4dff-887d-5ddbf0cb7d3c?source=cve https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/functions.php#L506 https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/Installer.php#L21 https://plugins.trac.wordpress.org/changeset/3426704/ https://plugins.trac.wordpress.org/changeset/3440068/ |
| wedevs--weMail Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation | The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files. | 2026-01-20 | 5.3 | CVE-2025-14348 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59c0caa2-d0c2-472e-83c3-d11ad313720d?source=cve https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L79 https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L85 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1 |
| wizit--Wizit Gateway for WooCommerce | The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID. | 2026-01-24 | 5.3 | CVE-2025-14843 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b6926c2c-79d4-477c-a2eb-ba62545f2e2b?source=cve https://plugins.trac.wordpress.org/browser/wizit-gateway-for-woocommerce/tags/1.2.9/class-wizit-gateway.php?marks=1249,1341-1349#L1249 |
| wpchill--Image Photo Gallery Final Tiles Grid | The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators. | 2026-01-19 | 5.4 | CVE-2025-15466 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0afcfe15-2d7d-4c96-a408-28f35577a927?source=cve https://plugins.trac.wordpress.org/changeset/3435746/ |
| wpdevteam--NotificationX FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar | The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership. | 2026-01-20 | 4.3 | CVE-2026-0554 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3cd843b-ab38-45c4-a661-78d4e6db5201?source=cve https://research.cleantalk.org/cve-2026-0554 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail= |
| wpdirectorykit--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles. | 2026-01-24 | 5.3 | CVE-2025-13920 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8905dcc7-d3c8-4ae8-818c-df3e6ed2ad9c?source=cve https://plugins.trac.wordpress.org/changeset/3435482/wpdirectorykit |
| wpdiscover--Timeline Event History | The Timeline Event History plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `id` parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-24 | 6.1 | CVE-2026-1127 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ba779595-2674-4d84-bc41-889ae60bd6a4?source=cve https://plugins.trac.wordpress.org/browser/timeline-event-history/tags/3.2/includes/admin/class-timeline-wp-field-builder.php#L540 |
| wpgmaps--WP Go Maps (formerly WP Google Maps) | The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings. | 2026-01-24 | 5.3 | CVE-2026-0593 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f0741c1-a5d7-41a4-a739-2cb7cb836509?source=cve https://plugins.trac.wordpress.org/changeset/3439283/wp-google-maps/trunk/includes/class.admin-notices.php |
| Yodinfo--Mini Mouse | Mini Mouse 9.3.0 contains a path traversal vulnerability that allows attackers to access sensitive system directories through the device information endpoint. Attackers can retrieve file lists from system directories like /usr, /etc, and /var by manipulating file path parameters in API requests. | 2026-01-21 | 6.2 | CVE-2021-47849 | ExploitDB-49747 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal |
| zainali99--MyBB Trending Widget Plugin | MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget. | 2026-01-23 | 6.1 | CVE-2018-25132 | ExploitDB-49504 Trending Widget GitHub Repository VulnCheck Advisory: MyBB Trending Widget Plugin 1.2 - Cross-Site Scripting |
| zero1zerouk--Login Page Editor | The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login page settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1088 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f428b90d-8830-445d-b1f1-d8f860dae5cf?source=cve https://plugins.trac.wordpress.org/browser/login-page-editor/trunk/class/devotion.core.class.php#L50 https://plugins.trac.wordpress.org/browser/login-page-editor/tags/1.2/class/devotion.core.class.php#L50 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Athroniaeth--fastapi-api-key | FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks. | 2026-01-21 | 3.7 | CVE-2026-23996 | https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8 https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0 |
| backstage--backstage | Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints. | 2026-01-21 | 3.5 | CVE-2026-24048 | https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9 https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb |
| Beetel--777VR1 | A security flaw has been discovered in Beetel 777VR1 up to 01.00.09/01.00.09_55. This affects an unknown part of the component UART Interface. Performing a manipulation results in information disclosure. The attack may be carried out on the physical device. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1407 | VDB-342796 | Beetel 777VR1 UART information disclosure VDB-342796 | CTI Indicators (IOB, IOC, TTP) Submit #736322 | Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 Cleartext Exposure of Sensitive Credentials in Boot Logs - UART https://gist.github.com/raghav20232023/253c041842f622d9c2cb6ee4111c2227 |
| Beetel--777VR1 | A weakness has been identified in Beetel 777VR1 up to 01.00.09/01.00.09_55. This vulnerability affects unknown code of the component UART Interface. Executing a manipulation can lead to weak password requirements. The physical device can be targeted for the attack. The attack requires a high level of complexity. It is stated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1408 | VDB-342797 | Beetel 777VR1 UART weak password VDB-342797 | CTI Indicators (IOB, IOC, TTP) Submit #739384 | Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 CWE-521 — Weak Password Requirements https://gist.github.com/raghav20232023/9c51cbd91f3798b1c10f3f30fb631633 |
| Beetel--777VR1 | A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack on the physical device. The attack's complexity is rated as high. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1409 | VDB-342798 | Beetel 777VR1 UART excessive authentication VDB-342798 | CTI Indicators (IOB, IOC, TTP) Submit #739399 | Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 CWE-307 Improper Restriction - Excessive Authentication Attempts https://gist.github.com/raghav20232023/19900b427445adf37f64ae953611bfce |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to denial of service. | 2026-01-22 | 3.5 | CVE-2026-22281 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78. | 2026-01-23 | 2.7 | CVE-2026-24140 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-c938-x24g-fxcx https://github.com/franklioxygen/MyTube/commit/9d737cb373f7af3e5c92d458e2832caf817b6de6 |
| HCL Software--AION | HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application's overall security posture and increase its susceptibility to common web-based attacks. | 2026-01-19 | 3.5 | CVE-2025-55249 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | 2026-01-19 | 3.1 | CVE-2025-55251 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a Weak Password Policy vulnerability. This can allow the use of easily guessable passwords, potentially resulting in unauthorized access | 2026-01-19 | 3.1 | CVE-2025-55252 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure. | 2026-01-19 | 2.8 | CVE-2025-52659 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | 2026-01-19 | 2.7 | CVE-2025-52660 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised. | 2026-01-19 | 2.4 | CVE-2025-52661 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks. | 2026-01-19 | 1.8 | CVE-2025-55250 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| IBM--ApplinX | IBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions on the server due to server-side enforcement of client-side security. | 2026-01-20 | 3.1 | CVE-2025-36410 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--ApplinX | IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 2026-01-20 | 3.5 | CVE-2025-36411 | https://www.ibm.com/support/pages/node/7257446 |
| lcg0124--BootDo | A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. This manipulation of the argument content/author/title causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | 2026-01-19 | 3.5 | CVE-2026-1136 | VDB-341726 | lcg0124 BootDo ContentController save cross site scripting VDB-341726 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735164 | BootDo V1.0 Cross Site Scripting https://github.com/webzzaa/CVE-/issues/4 |
| lcg0124--BootDo | A vulnerability was determined in lcg0124 BootDo up to 5ccd963c74058036b466e038cff37de4056c1600. Affected by this vulnerability is the function redirectToLogin of the file AccessControlFilter.java of the component Host Header Handler. This manipulation of the argument Hostname causes open redirect. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | 2026-01-25 | 3.5 | CVE-2026-1406 | VDB-342794 | lcg0124 BootDo Host Header AccessControlFilter.java redirectToLogin VDB-342794 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736271 | BootDo web V1.0 Host header injection https://github.com/webzzaa/CVE-/issues/5 |
| libexpat project--libexpat | In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. | 2026-01-23 | 2.9 | CVE-2026-24515 | https://github.com/libexpat/libexpat/pull/1131 |
| lobehub--lobe-chat | LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `userId` filter in the database query is commented out, so it's enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing target's KB ID and target's file ID. These IDs are random and not easily enumerable. However, IDs may leak through shared links, logs, referrer headers and so on. Missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch. | 2026-01-19 | 3.7 | CVE-2026-23522 | https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6 |
| MineAdmin--MineAdmin | A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Such manipulation of the argument ID leads to information disclosure. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 3.1 | CVE-2026-1196 | VDB-341781 | MineAdmin getFileInfoById information disclosure VDB-341781 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734273 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x getFileInfoById Arbitrary File Read Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/3 |
| MineAdmin--MineAdmin | A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in information disclosure. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 3.1 | CVE-2026-1197 | VDB-341782 | MineAdmin downloadById information disclosure VDB-341782 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734274 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x downloadById Arbitrary File Download Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/2 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). | 2026-01-20 | 2.7 | CVE-2026-21965 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). | 2026-01-20 | 3.1 | CVE-2026-21947 | Oracle Advisory |
| Oracle Corporation--Oracle Zero Data Loss Recovery Appliance Software | Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). | 2026-01-20 | 3.1 | CVE-2026-21977 | Oracle Advisory |
| Oracle Corporation--Oracle ZFS Storage Appliance Kit | Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Filesystems). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle ZFS Storage Appliance Kit accessible data. CVSS 3.1 Base Score 2.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). | 2026-01-20 | 2.3 | CVE-2026-21930 | Oracle Advisory |
| pbrong--hrms | A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. | 2026-01-19 | 3.5 | CVE-2026-1161 | VDB-341755 | pbrong hrms recruitment.go UpdateRecruitmentById cross site scripting VDB-341755 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736510 | Pbrong hrms 1.0.1 Stored Cross Site Scripting Vulnerability https://github.com/TheLiao233/cve/issues/1 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak's refresh token rotation hardening can be undermined. | 2026-01-21 | 3.1 | CVE-2026-1035 | https://access.redhat.com/security/cve/CVE-2026-1035 RHBZ#2430314 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. | 2026-01-21 | 2.7 | CVE-2025-14083 | https://access.redhat.com/security/cve/CVE-2025-14083 RHBZ#2419086 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS). | 2026-01-21 | 3.7 | CVE-2026-0988 | https://access.redhat.com/security/cve/CVE-2026-0988 RHBZ#2429886 |
| roxnor--MetForm Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | The MetForm - Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes). | 2026-01-24 | 3.7 | CVE-2026-0633 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d72cc420-1ff5-403b-b4ea-7c820fdebcf3?source=cve https://plugins.trac.wordpress.org/changeset/3438419/metform |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api_register_patient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2026-01-19 | 3.5 | CVE-2026-1146 | VDB-341739 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_register_patient.php cross site scripting VDB-341739 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735543 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross Site Scripting |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability was found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This affects an unknown part of the file /php/api_patient_schedule.php. Performing a manipulation of the argument Reason results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-01-19 | 3.5 | CVE-2026-1147 | VDB-341740 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_patient_schedule.php cross site scripting VDB-341740 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735544 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross Site Scripting |
| technical-laohu--mpay | A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. This manipulation of the argument Nickname causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-19 | 2.4 | CVE-2026-1151 | VDB-341744 | technical-laohu mpay User Center cross site scripting VDB-341744 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735773 | https://gitee.com/technical-laohu/mpay mpay v1.2.4 Stored Cross-Site Scripting https://github.com/bdkuzma/vuln/issues/16 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 7-Zip--7-Zip | 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26743. | 2026-01-23 | not yet calculated | CVE-2025-11002 | ZDI-25-950 |
| AA-Team--SearchAzon | Cross-Site Request Forgery (CSRF) vulnerability in AA-Team SearchAzon searchazon allows Cross Site Request Forgery. This issue affects SearchAzon: from n/a through <= 1.4. | 2026-01-22 | not yet calculated | CVE-2026-22360 | https://patchstack.com/database/Wordpress/Plugin/searchazon/vulnerability/wordpress-searchazon-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| AA-Team--Wordpress Movies Bulk Importer | Cross-Site Request Forgery (CSRF) vulnerability in AA-Team Wordpress Movies Bulk Importer movies importer allows Cross Site Request Forgery. This issue affects Wordpress Movies Bulk Importer: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2026-22359 | https://patchstack.com/database/Wordpress/Plugin/movies%20importer/vulnerability/wordpress-wordpress-movies-bulk-importer-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Abacre--Abacre | Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. | 2026-01-20 | not yet calculated | CVE-2025-67261 | https://www.abacre.com/retailpointofsale/ https://packetstorm.news/files/id/214046/ |
| Abacre--Abacre | Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fields, which, persisted in the database. | 2026-01-20 | not yet calculated | CVE-2025-67263 | https://www.abacre.com/retailpointofsale/ https://packetstorm.news/files/id/214045/ |
| ABCdatos--Proteccin de datos – RGPD | Missing Authorization vulnerability in ABCdatos Protección de datos – RGPD proteccion-datos-rgpd allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Protección de datos – RGPD: from n/a through <= 0.68. | 2026-01-23 | not yet calculated | CVE-2026-24539 | https://patchstack.com/database/Wordpress/Plugin/proteccion-datos-rgpd/vulnerability/wordpress-proteccion-de-datos-rgpd-plugin-0-68-broken-access-control-vulnerability?_s_id=cve |
| Ability, Inc--Web Accessibility with Max Access | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ability, Inc Web Accessibility with Max Access accessibility-toolbar allows Stored XSS. This issue affects Web Accessibility with Max Access: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24629 | https://patchstack.com/database/Wordpress/Plugin/accessibility-toolbar/vulnerability/wordpress-web-accessibility-with-max-access-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AbsolutePlugins--Absolute Addons For Elementor | Missing Authorization vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Absolute Addons For Elementor: from n/a through <= 1.0.14. | 2026-01-22 | not yet calculated | CVE-2026-22468 | https://patchstack.com/database/Wordpress/Plugin/absolute-addons/vulnerability/wordpress-absolute-addons-for-elementor-plugin-1-0-14-broken-access-control-vulnerability?_s_id=cve |
| adamlabs--WordPress Photo Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamlabs WordPress Photo Gallery photo-gallery-portfolio allows Reflected XSS. This issue affects WordPress Photo Gallery: from n/a through <= 1.1.0. | 2026-01-22 | not yet calculated | CVE-2025-53240 | https://patchstack.com/database/Wordpress/Plugin/photo-gallery-portfolio/vulnerability/wordpress-wordpress-photo-gallery-plugin-1-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| agmorpheus--Syntax Highlighter Compress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in agmorpheus Syntax Highlighter Compress syntax-highlighter-compress allows Reflected XSS. This issue affects Syntax Highlighter Compress: from n/a through <= 3.0.83.3. | 2026-01-22 | not yet calculated | CVE-2025-68859 | https://patchstack.com/database/Wordpress/Plugin/syntax-highlighter-compress/vulnerability/wordpress-syntax-highlighter-compress-plugin-3-0-83-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AivahThemes--Anona | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68901 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-arbitrary-file-deletion-vulnerability?_s_id=cve |
| AivahThemes--Anona | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68902 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-arbitrary-file-download-vulnerability?_s_id=cve |
| AivahThemes--Anona | Deserialization of Untrusted Data vulnerability in AivahThemes Anona anona allows Object Injection. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68903 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-php-object-injection-vulnerability?_s_id=cve |
| AivahThemes--Hostme v2 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Hostme v2 hostmev2 allows Path Traversal. This issue affects Hostme v2: from n/a through <= 7.0. | 2026-01-22 | not yet calculated | CVE-2025-68907 | https://patchstack.com/database/Wordpress/Theme/hostmev2/vulnerability/wordpress-hostme-v2-theme-7-0-arbitrary-file-deletion-vulnerability?_s_id=cve |
| Alejandro--Quick Restaurant Reservations | Missing Authorization vulnerability in Alejandro Quick Restaurant Reservations quick-restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quick Restaurant Reservations: from n/a through <= 1.6.7. | 2026-01-23 | not yet calculated | CVE-2026-24529 | https://patchstack.com/database/Wordpress/Plugin/quick-restaurant-reservations/vulnerability/wordpress-quick-restaurant-reservations-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-25568. | 2026-01-23 | not yet calculated | CVE-2026-0779 | ZDI-26-001 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28289. | 2026-01-23 | not yet calculated | CVE-2026-0780 | ZDI-26-002 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28290. | 2026-01-23 | not yet calculated | CVE-2026-0781 | ZDI-26-003 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28291. | 2026-01-23 | not yet calculated | CVE-2026-0782 | ZDI-26-004 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28292. | 2026-01-23 | not yet calculated | CVE-2026-0783 | ZDI-26-005 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28293. | 2026-01-23 | not yet calculated | CVE-2026-0784 | ZDI-26-006 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter API Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the API interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28294. | 2026-01-23 | not yet calculated | CVE-2026-0785 | ZDI-26-007 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SCI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the SCI module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28295. | 2026-01-23 | not yet calculated | CVE-2026-0786 | ZDI-26-008 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SAC Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SAC module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28296. | 2026-01-23 | not yet calculated | CVE-2026-0787 | ZDI-26-009 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user's privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the functionality for viewing the syslog. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to interact with the application in the context of the target user. Was ZDI-CAN-28298. | 2026-01-23 | not yet calculated | CVE-2026-0788 | ZDI-26-010 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Inclusion of Authentication Cookie in Response Body Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper management of sensitive information. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28297. | 2026-01-23 | not yet calculated | CVE-2026-0789 | ZDI-26-011 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. By navigating directly to a URL, a user can gain unauthorized access to data. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28299. | 2026-01-23 | not yet calculated | CVE-2026-0790 | ZDI-26-012 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP INVITE Replaces Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Replaces header of SIP INVITE requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28300. | 2026-01-23 | not yet calculated | CVE-2026-0791 | ZDI-26-013 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP INVITE Alert-Info Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Alert-Info header of SIP INVITE requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28301. | 2026-01-23 | not yet calculated | CVE-2026-0792 | ZDI-26-014 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter InformaCast Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the InformaCast functionality. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28302. | 2026-01-23 | not yet calculated | CVE-2026-0793 | ZDI-26-015 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SIP calls. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28303. | 2026-01-23 | not yet calculated | CVE-2026-0794 | ZDI-26-016 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28321. | 2026-01-23 | not yet calculated | CVE-2026-0795 | ZDI-26-017 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28322. | 2026-01-23 | not yet calculated | CVE-2026-0796 | ZDI-26-018 |
| AmentoTech--Workreap Core | Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Workreap Core workreap_core allows Authentication Abuse. This issue affects Workreap Core: from n/a through <= 3.4.0. | 2026-01-22 | not yet calculated | CVE-2025-69101 | https://patchstack.com/database/Wordpress/Plugin/workreap_core/vulnerability/wordpress-workreap-core-plugin-3-4-0-account-takeover-vulnerability?_s_id=cve |
| AncoraThemes--DiveIt | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion. This issue affects DiveIt: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-69059 | https://patchstack.com/database/Wordpress/Theme/diveit/vulnerability/wordpress-diveit-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Hobo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion. This issue affects Hobo: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-69077 | https://patchstack.com/database/Wordpress/Theme/hobo/vulnerability/wordpress-hobo-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Indoor Plants | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Indoor Plants indoor-plants allows PHP Local File Inclusion. This issue affects Indoor Plants: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-69066 | https://patchstack.com/database/Wordpress/Theme/indoor-plants/vulnerability/wordpress-indoor-plants-theme-1-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Malta | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion. This issue affects Malta: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69078 | https://patchstack.com/database/Wordpress/Theme/malta/vulnerability/wordpress-malta-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Modern Housewife | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion. This issue affects Modern Housewife: from n/a through <= 1.0.12. | 2026-01-22 | not yet calculated | CVE-2025-69076 | https://patchstack.com/database/Wordpress/Theme/modernhousewife/vulnerability/wordpress-modern-housewife-theme-1-0-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--MoveMe | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion. This issue affects MoveMe: from n/a through <= 1.2.15. | 2026-01-22 | not yet calculated | CVE-2025-69061 | https://patchstack.com/database/Wordpress/Theme/moveme/vulnerability/wordpress-moveme-theme-1-2-15-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Muji | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion. This issue affects Muji: from n/a through <= 1.2.0. | 2026-01-22 | not yet calculated | CVE-2025-69068 | https://patchstack.com/database/Wordpress/Theme/muji/vulnerability/wordpress-muji-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--PartyMaker | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion. This issue affects PartyMaker: from n/a through <= 1.1.15. | 2026-01-22 | not yet calculated | CVE-2025-69058 | https://patchstack.com/database/Wordpress/Theme/partymaker/vulnerability/wordpress-partymaker-theme-1-1-15-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Pearson Specter | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion. This issue affects Pearson Specter: from n/a through <= 1.11.3. | 2026-01-22 | not yet calculated | CVE-2025-69074 | https://patchstack.com/database/Wordpress/Theme/pearsonspecter/vulnerability/wordpress-pearson-specter-theme-1-11-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Pets Land | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pets Land petsland allows PHP Local File Inclusion. This issue affects Pets Land: from n/a through <= 1.2.8. | 2026-01-22 | not yet calculated | CVE-2025-69064 | https://patchstack.com/database/Wordpress/Theme/petsland/vulnerability/wordpress-pets-land-theme-1-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Piqes | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion. This issue affects Piqes: from n/a through <= 1.0.11. | 2026-01-22 | not yet calculated | CVE-2025-69073 | https://patchstack.com/database/Wordpress/Theme/piqes/vulnerability/wordpress-piqes-theme-1-0-11-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Prider | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion. This issue affects Prider: from n/a through <= 1.1.3.1. | 2026-01-22 | not yet calculated | CVE-2025-69072 | https://patchstack.com/database/Wordpress/Theme/prider/vulnerability/wordpress-prider-theme-1-1-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Snow Mountain | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Snow Mountain snowmountain allows PHP Local File Inclusion. This issue affects Snow Mountain: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-69065 | https://patchstack.com/database/Wordpress/Theme/snowmountain/vulnerability/wordpress-snow-mountain-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Tails | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion. This issue affects Tails: from n/a through <= 1.4.12. | 2026-01-22 | not yet calculated | CVE-2025-69067 | https://patchstack.com/database/Wordpress/Theme/tails/vulnerability/wordpress-tails-theme-1-4-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--TanTum | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion. This issue affects TanTum: from n/a through <= 1.1.13. | 2026-01-22 | not yet calculated | CVE-2025-69071 | https://patchstack.com/database/Wordpress/Theme/tantum/vulnerability/wordpress-tantum-theme-1-1-13-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Tornados | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion. This issue affects Tornados: from n/a through <= 2.1. | 2026-01-22 | not yet calculated | CVE-2025-69070 | https://patchstack.com/database/Wordpress/Theme/tornados/vulnerability/wordpress-tornados-theme-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--uReach | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion. This issue affects uReach: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69060 | https://patchstack.com/database/Wordpress/Theme/ureach/vulnerability/wordpress-ureach-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Weedles | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Weedles weedles allows PHP Local File Inclusion. This issue affects Weedles: from n/a through <= 1.1.12. | 2026-01-22 | not yet calculated | CVE-2025-69062 | https://patchstack.com/database/Wordpress/Theme/weedles/vulnerability/wordpress-weedles-theme-1-1-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Yolox | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion. This issue affects Yolox: from n/a through <= 1.0.15. | 2026-01-22 | not yet calculated | CVE-2025-69075 | https://patchstack.com/database/Wordpress/Theme/yolox/vulnerability/wordpress-yolox-theme-1-0-15-local-file-inclusion-vulnerability?_s_id=cve |
| Angel Costa--WP SEO Search | Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery. This issue affects WP SEO Search: from n/a through <= 1.1. | 2026-01-22 | not yet calculated | CVE-2025-67626 | https://patchstack.com/database/Wordpress/Plugin/wp-seo-search/vulnerability/wordpress-wp-seo-search-plugin-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Anritsu--ShockLine | Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu ShockLine. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27833. | 2026-01-23 | not yet calculated | CVE-2025-15348 | ZDI-25-1199 |
| Anritsu--ShockLine | Anritsu ShockLine SCPI Race Condition Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Anritsu ShockLine. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SCPI component. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27315. | 2026-01-23 | not yet calculated | CVE-2025-15349 | ZDI-25-1200 |
| Anritsu--VectorStar | Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27039. | 2026-01-23 | not yet calculated | CVE-2025-15350 | ZDI-25-1201 |
| Anritsu--VectorStar | Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27040. | 2026-01-23 | not yet calculated | CVE-2025-15351 | ZDI-25-1202 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version. | 2026-01-21 | not yet calculated | CVE-2026-21852 | https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7 |
| Antideo--Antideo Email Validator | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Antideo Antideo Email Validator antideo-email-validator allows Blind SQL Injection. This issue affects Antideo Email Validator: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-68017 | https://patchstack.com/database/Wordpress/Plugin/antideo-email-validator/vulnerability/wordpress-antideo-email-validator-plugin-1-0-10-sql-injection-vulnerability?_s_id=cve |
| antoniobg--ABG Rich Pins | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antoniobg ABG Rich Pins abg-rich-pins allows Stored XSS. This issue affects ABG Rich Pins: from n/a through <= 1.1. | 2026-01-23 | not yet calculated | CVE-2026-24558 | https://patchstack.com/database/Wordpress/Plugin/abg-rich-pins/vulnerability/wordpress-abg-rich-pins-plugin-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Apache Software Foundation--Apache Linkis | A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters. Scope of Impact This issue affects Apache Linkis: from 1.3.0 through 1.7.0. Severity level moderate Solution Continuously check if the connection information contains the "%" character; if it does, perform URL decoding. Users are recommended to upgrade to version 1.8.0, which fixes the issue. More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve | 2026-01-19 | not yet calculated | CVE-2025-29847 | https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057 |
| Apache Software Foundation--Apache Linkis | A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage. Affected Scope Component: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64. Version: Apache Linkis 1.0.0 - 1.7.0 Trigger Conditions The value of the configuration item is an invalid Base64 string. Log files are readable by users other than hive-site.xml administrators. Severity: Low The probability of Base64 decoding failure is low. The leakage is only triggered when logs at the Error level are exposed. Remediation Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content. logger.error("URL decode failed: {}", e.getMessage()); // ä¸å†è¾“出 str Users are recommended to upgrade to version 1.8.0, which fixes the issue. | 2026-01-19 | not yet calculated | CVE-2025-59355 | https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h |
| Apache Software Foundation--Apache Solr | Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability: * Use of Solr's "RuleBasedAuthorizationPlugin" * A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles" * A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read". * A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission * A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway) Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role. Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1. | 2026-01-21 | not yet calculated | CVE-2026-22022 | https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn |
| Apache Software Foundation--Apache Solr | The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes. Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPath" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue. | 2026-01-21 | not yet calculated | CVE-2026-22444 | https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m |
| Apple--Container | The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0. | 2026-01-22 | not yet calculated | CVE-2026-20613 | https://github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3 |
| Apryse--Apryse | A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover. | 2026-01-22 | not yet calculated | CVE-2025-56589 | http://apryse.com https://www.stratascale.com/resource/apryse-server-module-ssrf-lfi/ |
| Apryse--Apryse | An issue was discovered in the InsertFromURL() function of the Apryse HTML2PDF SDK thru 11.10. This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server. | 2026-01-22 | not yet calculated | CVE-2025-56590 | http://apryse.com https://www.stratascale.com/resource/apryse-server-argument-injection-rce/ |
| Aptsys--Aptsys | An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a broken cryptographic function, the hashes can be easily reversed using public tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions. | 2026-01-23 | not yet calculated | CVE-2025-52026 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| ApusTheme--Drone | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS. This issue affects Drone: from n/a through <= 1.40. | 2026-01-22 | not yet calculated | CVE-2025-49249 | https://patchstack.com/database/Wordpress/Theme/drone/vulnerability/wordpress-drone-theme-1-40-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| arduino--ArduinoCore-avr | ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large `decimalPlaces` values to the affected String constructors or concat methods, the `dtostrf` function writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under specific conditions, this could enable arbitrary code execution on AVR-based Arduino boards. ### Patches - The Fix is included starting from the `1.8.7` release available from the following link [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr) - The Fixing Commit is available at the following link [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59) ### References - [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX) ### Credits - Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/) | 2026-01-21 | not yet calculated | CVE-2025-69209 | https://github.com/arduino/ArduinoCore-avr/security/advisories/GHSA-pvx3-fm7w-6hjm https://github.com/arduino/ArduinoCore-avr/pull/613 https://github.com/arduino/ArduinoCore-avr/commit/82a8ad2fb33911d8927c7af22e0472b94325d1a7 https://github.com/arduino/ArduinoCore-avr/releases/tag/1.8.7 https://support.arduino.cc/hc/en-us/articles/24985906702748-ASEC-26-001-ArduinoCore-AVR-v1-8-7-Resolves-Stack-Based-Buffer-Overflow-Vulnerability |
| Arevico--WP Simple Redirect | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS. This issue affects WP Simple Redirect: from n/a through <= 1.1. | 2026-01-22 | not yet calculated | CVE-2025-68884 | https://patchstack.com/database/Wordpress/Plugin/wp-simple-redirect/vulnerability/wordpress-wp-simple-redirect-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user's browser under the Argo Server origin, enabling API actions with the victim's privileges. Versions 3.6.17 and 3.7.8 fix the issue. | 2026-01-21 | not yet calculated | CVE-2026-23960 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82 https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17 https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244 https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17 https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8 |
| Arksine--moonraker | Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the "ldap" component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes. This issue has been fixed in version 0.10.0. | 2026-01-22 | not yet calculated | CVE-2026-24130 | https://github.com/Arksine/moonraker/security/advisories/GHSA-3jqf-v4mv-747g https://github.com/Arksine/moonraker/commit/74c5d8e44c4a4abbfbb06fb991e7ebb9ac947f42 |
| Arraytics--Eventin | Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection. This issue affects Eventin: from n/a through <= 4.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68047 | https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-52-php-object-injection-vulnerability?_s_id=cve |
| artbees--JupiterX Core | Deserialization of Untrusted Data vulnerability in artbees JupiterX Core jupiterx-core allows Object Injection. This issue affects JupiterX Core: from n/a through <= 4.10.1. | 2026-01-22 | not yet calculated | CVE-2025-50004 | https://patchstack.com/database/Wordpress/Plugin/jupiterx-core/vulnerability/wordpress-jupiterx-core-plugin-4-10-1-php-object-injection-vulnerability?_s_id=cve |
| artplacer--ArtPlacer Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS. This issue affects ArtPlacer Widget: from n/a through <= 2.23.1. | 2026-01-23 | not yet calculated | CVE-2026-24555 | https://patchstack.com/database/Wordpress/Plugin/artplacer-widget/vulnerability/wordpress-artplacer-widget-plugin-2-23-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Arul Prasad J--WP Quick Post Duplicator | Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Quick Post Duplicator: from n/a through <= 2.1. | 2026-01-22 | not yet calculated | CVE-2026-24387 | https://patchstack.com/database/Wordpress/Plugin/wp-quick-post-duplicator/vulnerability/wordpress-wp-quick-post-duplicator-plugin-2-1-broken-access-control-vulnerability?_s_id=cve |
| Ashan Perera--LifePress | Missing Authorization vulnerability in Ashan Perera LifePress lifepress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LifePress: from n/a through <= 2.1.3. | 2026-01-23 | not yet calculated | CVE-2026-24563 | https://patchstack.com/database/Wordpress/Plugin/lifepress/vulnerability/wordpress-lifepress-plugin-2-1-3-broken-access-control-vulnerability-2?_s_id=cve |
| Atomberg--Atomberg | An issue in Atomberg Atomberg Erica Smart Fan Firmware Version: V1.0.36 allows an attacker to obtain sensitive information and escalate privileges via a crafted deauth frame | 2026-01-22 | not yet calculated | CVE-2025-69822 | https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment/blob/main/Atomberg_Erica_SmatFan_Security_Assessment_Report.pdf https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment.git |
| Automated Logic--WebCTRL | Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web session management component allows an attacker to access stored passwords in a recoverable format which makes them subject to password reuse attacks by malicious users. This issue affects WebCTRL: from 6.0 through 9.0; i-Vu: from 6.0 through 9.0. | 2026-01-22 | not yet calculated | CVE-2025-14295 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| averta--Depicter Slider | Missing Authorization vulnerability in averta Depicter Slider depicter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Depicter Slider: from n/a through <= 4.0.4. | 2026-01-22 | not yet calculated | CVE-2025-68558 | https://patchstack.com/database/Wordpress/Plugin/depicter/vulnerability/wordpress-depicter-slider-plugin-4-0-4-broken-access-control-vulnerability?_s_id=cve |
| axiomthemes--Amuli | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion. This issue affects Amuli: from n/a through <= 2.3.0. | 2026-01-22 | not yet calculated | CVE-2025-50003 | https://patchstack.com/database/Wordpress/Theme/amuli/vulnerability/wordpress-amuli-theme-2-3-0-local-file-inclusion-vulnerability?_s_id=cve |
| ayecode--Restaurante | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS. This issue affects Restaurante: from n/a through <= 3.0.7. | 2026-01-22 | not yet calculated | CVE-2025-52746 | https://patchstack.com/database/Wordpress/Theme/restaurante/vulnerability/wordpress-restaurante-theme-3-0-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Bdtask--Isshue | HTML Injection vulnerability in Isshue by Bdtask, consisting os an HTML injection due to a lack os proper validation of user input by sending a POST request to '/category_product_search', affecting the 'product_name' parameter. | 2026-01-20 | not yet calculated | CVE-2025-40679 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/html-injection-isshue-bdtask |
| bdthemes--Element Pack Elementor Addons | Cross-Site Request Forgery (CSRF) vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Cross Site Request Forgery. This issue affects Element Pack Elementor Addons: from n/a through <= 8.3.13. | 2026-01-22 | not yet calculated | CVE-2025-31413 | https://patchstack.com/database/Wordpress/Plugin/bdthemes-element-pack-lite/vulnerability/wordpress-element-pack-elementor-addons-plugin-8-3-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Beam--Beam | Directory Traversal vulnerability in Beam beta9 v.0.1.552 allows a remote attacker to obtain sensitive information via the joinCleanPath function | 2026-01-22 | not yet calculated | CVE-2025-69820 | https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m https://github.com/ryotaromatsui/CVEs/tree/main/CVE-2025-69820 https://github.com/beam-cloud/beta9/blob/c1cd75e813cf7d53e916157d920099e89ef45caa/pkg/abstractions/volume/multipart.go#L45 |
| Beaver Builder--Beaver Builder | Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection. This issue affects Beaver Builder: from n/a through <= 2.9.4.1. | 2026-01-22 | not yet calculated | CVE-2025-69319 | https://patchstack.com/database/Wordpress/Plugin/beaver-builder-lite-version/vulnerability/wordpress-beaver-builder-plugin-2-9-4-1-arbitrary-code-execution-vulnerability?_s_id=cve |
| Benjamin Intal--Stackable | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Intal Stackable stackable-ultimate-gutenberg-blocks allows Stored XSS. This issue affects Stackable: from n/a through <= 3.19.5. | 2026-01-22 | not yet calculated | CVE-2025-47500 | https://patchstack.com/database/Wordpress/Plugin/stackable-ultimate-gutenberg-blocks/vulnerability/wordpress-stackable-plugin-3-19-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| bestwebsoft--Multilanguage by BestWebSoft | Missing Authorization vulnerability in bestwebsoft Multilanguage by BestWebSoft multilanguage allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Multilanguage by BestWebSoft: from n/a through <= 1.5.2. | 2026-01-23 | not yet calculated | CVE-2026-24598 | https://patchstack.com/database/Wordpress/Plugin/multilanguage/vulnerability/wordpress-multilanguage-by-bestwebsoft-plugin-1-5-2-broken-access-control-vulnerability?_s_id=cve |
| Binance--Binance | A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-20 | not yet calculated | CVE-2025-66692 | https://github.com/trustwallet/wallet-core/commit/5668c67 https://gist.github.com/inkman97/b791189338f73b758c31a7db3cd50c2d |
| binary-parser--binary-parser | A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process. | 2026-01-20 | not yet calculated | CVE-2026-1245 | https://github.com/keichi/binary-parser/pull/283 https://github.com/keichi/binary-parser https://www.npmjs.com/package/binary-parser https://kb.cert.org/vuls/id/102648 |
| blazethemes--Blogistic | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogistic blogistic allows Using Malicious Files. This issue affects Blogistic: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-68909 | https://patchstack.com/database/Wordpress/Theme/blogistic/vulnerability/wordpress-blogistic-theme-1-0-5-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes--Blogmatic | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogmatic blogmatic. This issue affects Blogmatic: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-62050 | https://patchstack.com/database/Wordpress/Theme/blogmatic/vulnerability/wordpress-blogmatic-theme-1-0-3-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes--Blogzee | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogzee blogzee allows Using Malicious Files. This issue affects Blogzee: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-68910 | https://patchstack.com/database/Wordpress/Theme/blogzee/vulnerability/wordpress-blogzee-theme-1-0-5-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes--News Event | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event news-event. This issue affects News Event: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-62056 | https://patchstack.com/database/Wordpress/Theme/news-event/vulnerability/wordpress-news-event-theme-1-0-1-arbitrary-file-upload-vulnerability?_s_id=cve |
| Booking Activities Team--Booking Activities | Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation. This issue affects Booking Activities: from n/a through <= 1.16.44. | 2026-01-22 | not yet calculated | CVE-2025-67953 | https://patchstack.com/database/Wordpress/Plugin/booking-activities/vulnerability/wordpress-booking-activities-plugin-1-16-44-privilege-escalation-vulnerability?_s_id=cve |
| bookingalgorithms--BA Book Everything | Missing Authorization vulnerability in bookingalgorithms BA Book Everything ba-book-everything allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BA Book Everything: from n/a through <= 1.8.16. | 2026-01-22 | not yet calculated | CVE-2026-24371 | https://patchstack.com/database/Wordpress/Plugin/ba-book-everything/vulnerability/wordpress-ba-book-everything-plugin-1-8-16-broken-access-control-vulnerability?_s_id=cve |
| Boopathi Rajan--WP Test Email | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS. This issue affects WP Test Email: from n/a through <= 1.1.7. | 2026-01-22 | not yet calculated | CVE-2025-69102 | https://patchstack.com/database/Wordpress/Plugin/wp-test-email/vulnerability/wordpress-wp-test-email-plugin-1-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Botble--TransP | HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter. | 2026-01-20 | not yet calculated | CVE-2026-1183 | https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-multiple-botble-products |
| boxnow--BOX NOW Delivery | Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BOX NOW Delivery: from n/a through <= 3.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24571 | https://patchstack.com/database/Wordpress/Plugin/box-now-delivery/vulnerability/wordpress-box-now-delivery-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve |
| bPlugins--B Accordion | Insertion of Sensitive Information Into Sent Data vulnerability in bPlugins B Accordion b-accordion allows Retrieve Embedded Sensitive Data. This issue affects B Accordion: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24565 | https://patchstack.com/database/Wordpress/Plugin/b-accordion/vulnerability/wordpress-b-accordion-plugin-2-0-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| bPlugins--B Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS. This issue affects B Slider: from n/a through <= 2.0.6. | 2026-01-22 | not yet calculated | CVE-2026-24383 | https://patchstack.com/database/Wordpress/Plugin/b-slider/vulnerability/wordpress-b-slider-plugin-2-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Brecht--WP Recipe Maker | Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Recipe Maker: from n/a through <= 10.2.4. | 2026-01-22 | not yet calculated | CVE-2026-24357 | https://patchstack.com/database/Wordpress/Plugin/wp-recipe-maker/vulnerability/wordpress-wp-recipe-maker-plugin-10-2-4-broken-access-control-vulnerability?_s_id=cve |
| briarinc--Anything Order by Terms | Missing Authorization vulnerability in briarinc Anything Order by Terms anything-order-by-terms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Anything Order by Terms: from n/a through <= 1.4.0. | 2026-01-23 | not yet calculated | CVE-2026-24567 | https://patchstack.com/database/Wordpress/Plugin/anything-order-by-terms/vulnerability/wordpress-anything-order-by-terms-plugin-1-4-0-broken-access-control-vulnerability?_s_id=cve |
| Broadstreet--Broadstreet Ads | Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broadstreet Ads: from n/a through <= 1.52.1. | 2026-01-22 | not yet calculated | CVE-2025-69311 | https://patchstack.com/database/Wordpress/Plugin/broadstreet/vulnerability/wordpress-broadstreet-ads-plugin-1-52-1-broken-access-control-vulnerability?_s_id=cve |
| bslthemes--Myour | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion. This issue affects Myour: from n/a through <= 1.5.1. | 2026-01-22 | not yet calculated | CVE-2025-67615 | https://patchstack.com/database/Wordpress/Theme/myour/vulnerability/wordpress-myour-theme-1-5-1-local-file-inclusion-vulnerability?_s_id=cve |
| BZOTheme--Mella | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion. This issue affects Mella: from n/a through <= 1.2.29. | 2026-01-22 | not yet calculated | CVE-2025-67616 | https://patchstack.com/database/Wordpress/Theme/mella/vulnerability/wordpress-mella-theme-1-2-29-local-file-inclusion-vulnerability?_s_id=cve |
| cardpaysolutions--Payment Gateway Authorize.Net CIM for WooCommerce | Missing Authorization vulnerability in cardpaysolutions Payment Gateway Authorize.Net CIM for WooCommerce authnet-cim-for-woo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway Authorize.Net CIM for WooCommerce: from n/a through <= 2.1.2. | 2026-01-22 | not yet calculated | CVE-2025-68013 | https://patchstack.com/database/Wordpress/Plugin/authnet-cim-for-woo/vulnerability/wordpress-payment-gateway-authorize-net-cim-for-woocommerce-plugin-2-1-2-arbitrary-content-deletion-vulnerability?_s_id=cve |
| Cargus eCommerce--Cargus | Insertion of Sensitive Information Into Sent Data vulnerability in Cargus eCommerce Cargus cargus allows Retrieve Embedded Sensitive Data. This issue affects Cargus: from n/a through <= 1.5.8. | 2026-01-23 | not yet calculated | CVE-2026-24589 | https://patchstack.com/database/Wordpress/Plugin/cargus/vulnerability/wordpress-cargus-plugin-1-5-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| Casey Bisson--wpCAS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Casey Bisson wpCAS wpcas allows Reflected XSS. This issue affects wpCAS: from n/a through <= 1.07. | 2026-01-22 | not yet calculated | CVE-2025-68858 | https://patchstack.com/database/Wordpress/Plugin/wpcas/vulnerability/wordpress-wpcas-plugin-1-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Chainlit--Chainlit | Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in the /project/element update flow. An authenticated client can send a custom Element with a user-controlled path value, causing the server to copy the referenced file into the attacker's session. The resulting element identifier (chainlitKey) can then be used to retrieve the file contents via /project/file/<chainlitKey>, allowing disclosure of any file readable by the Chainlit service. | 2026-01-19 | not yet calculated | CVE-2026-22218 | https://github.com/Chainlit/chainlit/releases/tag/2.9.4 https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover https://www.vulncheck.com/advisories/chainlit-arbitrary-file-read-via-project-element |
| Chainlit--Chainlit | Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider. | 2026-01-19 | not yet calculated | CVE-2026-22219 | https://github.com/Chainlit/chainlit/releases/tag/2.9.4 https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover https://www.vulncheck.com/advisories/chainlit-sqlalchemy-data-layer-ssrf-via-project-element |
| Chandni Patel--WP MapIt | Missing Authorization vulnerability in Chandni Patel WP MapIt wp-mapit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP MapIt: from n/a through <= 3.0.3. | 2026-01-22 | not yet calculated | CVE-2026-22466 | https://patchstack.com/database/Wordpress/Plugin/wp-mapit/vulnerability/wordpress-wp-mapit-plugin-3-0-3-broken-access-control-vulnerability?_s_id=cve |
| charmbracelet--soft-serve | Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3. | 2026-01-22 | not yet calculated | CVE-2026-24058 | https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741 https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3 |
| Chris Simmons--WP BackItUp | Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP BackItUp: from n/a through <= 2.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68039 | https://patchstack.com/database/Wordpress/Plugin/wp-backitup/vulnerability/wordpress-wp-backitup-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| cjjparadoxmax--Synergy Project Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cjjparadoxmax Synergy Project Manager synergy-project-manager allows Stored XSS. This issue affects Synergy Project Manager: from n/a through <= 1.5. | 2026-01-22 | not yet calculated | CVE-2025-68898 | https://patchstack.com/database/Wordpress/Plugin/synergy-project-manager/vulnerability/wordpress-synergy-project-manager-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| cleverplugins--SEO Booster | Missing Authorization vulnerability in cleverplugins SEO Booster seo-booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SEO Booster: from n/a through <= 6.1.8. | 2026-01-22 | not yet calculated | CVE-2025-68019 | https://patchstack.com/database/Wordpress/Plugin/seo-booster/vulnerability/wordpress-seo-booster-plugin-6-1-8-broken-access-control-vulnerability?_s_id=cve |
| CleverReach--CleverReach WP | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection. This issue affects CleverReach® WP: from n/a through <= 1.5.22. | 2026-01-22 | not yet calculated | CVE-2025-68034 | https://patchstack.com/database/Wordpress/Plugin/cleverreach-wp/vulnerability/wordpress-cleverreach-wp-plugin-1-5-22-sql-injection-vulnerability?_s_id=cve |
| CleverSoft--Anon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS. This issue affects Anon: from n/a through <= 2.2.10. | 2026-01-22 | not yet calculated | CVE-2025-67620 | https://patchstack.com/database/Wordpress/Theme/anon2x/vulnerability/wordpress-anon-theme-2-2-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Cloudflare--Wrangler | SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits Disclosed responsibly by kny4hacker. Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version. | 2026-01-20 | not yet calculated | CVE-2026-0933 | https://github.com/cloudflare/workers-sdk |
| Cloudinary--Cloudinary | Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloudinary: from n/a through <= 3.3.0. | 2026-01-23 | not yet calculated | CVE-2026-24560 | https://patchstack.com/database/Wordpress/Plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability?_s_id=cve |
| CloudPanel--CLP Varnish Cache | Missing Authorization vulnerability in CloudPanel CLP Varnish Cache clp-varnish-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CLP Varnish Cache: from n/a through <= 1.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24525 | https://patchstack.com/database/Wordpress/Plugin/clp-varnish-cache/vulnerability/wordpress-clp-varnish-cache-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| Codeless--Slider Templates | Missing Authorization vulnerability in Codeless Slider Templates slider-templates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Slider Templates: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-68009 | https://patchstack.com/database/Wordpress/Plugin/slider-templates/vulnerability/wordpress-slider-templates-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| codisto--Omnichannel for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codisto Omnichannel for WooCommerce codistoconnect allows Stored XSS. This issue affects Omnichannel for WooCommerce: from n/a through <= 1.3.65. | 2026-01-22 | not yet calculated | CVE-2025-68041 | https://patchstack.com/database/Wordpress/Plugin/codistoconnect/vulnerability/wordpress-omnichannel-for-woocommerce-plugin-1-3-65-cross-site-scripting-xss-vulnerability?_s_id=cve |
| COP--UX Flat | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in COP UX Flat ux-flat allows Stored XSS. This issue affects UX Flat: from n/a through <= 5.4.0. | 2026-01-23 | not yet calculated | CVE-2026-24576 | https://patchstack.com/database/Wordpress/Plugin/ux-flat/vulnerability/wordpress-ux-flat-plugin-5-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| copier-org--copier | Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with `_preserve_symlinks: false` (which is Copier's default setting). Version 9.11.2 patches the issue. | 2026-01-21 | not yet calculated | CVE-2026-23968 | https://github.com/copier-org/copier/security/advisories/GHSA-xjhm-gp88-8pfx https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6 |
| copier-org--copier | Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using directory a symlink along with `_preserve_symlinks: true` and a generated directory structure whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. Version 9.11.2 patches the issue. | 2026-01-21 | not yet calculated | CVE-2026-23986 | https://github.com/copier-org/copier/security/advisories/GHSA-4fqp-r85r-hxqh https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6 https://github.com/copier-org/copier/releases/tag/v9.11.2 |
| coreshop--CoreShop | CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue. | 2026-01-22 | not yet calculated | CVE-2026-23959 | https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2 https://github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2 https://github.com/coreshop/CoreShop/releases/tag/4.1.9 |
| cozythemes--HomeLancer | Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeLancer: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-49375 | https://patchstack.com/database/Wordpress/Theme/homelancer/vulnerability/wordpress-homelancer-theme-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| Craig Hewitt--Seriously Simple Podcasting | Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1. | 2026-01-22 | not yet calculated | CVE-2026-24360 | https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| crawlchat--crawlchat | CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat's Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base. Usually, admin / mods of a Discord guild use the `jigsaw` emoji to save a specific message (chain) onto the collection's knowledge base of CrawlChat. Unfortunately an permission check (for e.g. MANAGE_SERVER; MANAGE_MESSAGES etc.) was not done, allowing normal users of the guild to information to the knowledge base. With targeting specific parts that are commonly asked, users can manipulate the content given out by the bot (on all integrations), to e.g. redirect users to a malicious site, or send information to a malicious user. Version 0.0.8 patches the issue. | 2026-01-19 | not yet calculated | CVE-2026-23875 | https://github.com/crawlchat/crawlchat/security/advisories/GHSA-f484-62p4-6w4p https://github.com/crawlchat/crawlchat/commit/f90ebb93c6a830f6cf609d683f6425af8434573a https://github.com/crawlchat/crawlchat/releases/tag/v0.0.8 |
| CridioStudio--ListingPro Reviews | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Reviews listingpro-reviews allows Reflected XSS. This issue affects ListingPro Reviews: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2025-69051 | https://patchstack.com/database/Wordpress/Plugin/listingpro-reviews/vulnerability/wordpress-listingpro-reviews-theme-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CRM Perks--Integration for Contact Form 7 HubSpot | Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data. This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24559 | https://patchstack.com/database/Wordpress/Plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-4-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Crocoblock--JetEngine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS. This issue affects JetEngine: from n/a through <= 3.7.7. | 2026-01-22 | not yet calculated | CVE-2025-67923 | https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-7-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| cvat-ai--cvat | CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue. | 2026-01-21 | not yet calculated | CVE-2026-23516 | https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp https://github.com/cvat-ai/cvat/commit/40800707fe39e3ff76c8d036eb953eb12d764e70 |
| cvat-ai--cvat | CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges. | 2026-01-21 | not yet calculated | CVE-2026-23526 | https://github.com/cvat-ai/cvat/security/advisories/GHSA-7pvv-w55f-qmw7 https://github.com/cvat-ai/cvat/commit/88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4 |
| D-Link--D-View 8 | D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system. | 2026-01-21 | not yet calculated | CVE-2026-23754 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471 https://www.vulncheck.com/advisories/dlink-dview-8-idor-allows-credential-disclosure-and-account-takeover |
| D-Link--D-View 8 | D-Link D-View 8 versions 2.0.1.107 and below contain an uncontrolled search path vulnerability in the installer. When executed with elevated privileges via UAC, the installer attempts to load version.dll from its execution directory, allowing DLL preloading. An attacker can supply a malicious version.dll alongside the legitimate installer so that, when a victim runs the installer and approves the UAC prompt, attacker-controlled code executes with administrator privileges. This can lead to full system compromise. | 2026-01-21 | not yet calculated | CVE-2026-23755 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471 https://www.vulncheck.com/advisories/dlink-dview-8-installer-dll-preloading-via-uncontrolled-search-path |
| daap-daap | NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. | 2026-01-20 | not yet calculated | CVE-2025-57155 | https://github.com/owntone/owntone-server/commit/d857116e4143a500d6a1ea13f4baa057ba3b0028 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| dacp--dacp | NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash). | 2026-01-20 | not yet calculated | CVE-2025-57156 | https://github.com/owntone/owntone-server/issues/1907 https://github.com/owntone/owntone-server/commit/5e4d40ee03ae22ab79534bb1410fa9db96c9fabd https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| dacp--dacp | A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. | 2026-01-20 | not yet calculated | CVE-2025-63648 | https://github.com/owntone/owntone-server/issues/1933 https://github.com/owntone/owntone-server/commit/5f526c7a7e08c567a5c72421d74a79dafdd07621 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| Damian--WP Popups | Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Popups: from n/a through <= 2.2.0.3. | 2026-01-23 | not yet calculated | CVE-2026-24616 | https://patchstack.com/database/Wordpress/Plugin/wp-popups-lite/vulnerability/wordpress-wp-popups-plugin-2-2-0-3-broken-access-control-vulnerability?_s_id=cve |
| Daniel Iser--Easy Modal | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Easy Modal easy-modal allows Stored XSS. This issue affects Easy Modal: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24617 | https://patchstack.com/database/Wordpress/Plugin/easy-modal/vulnerability/wordpress-easy-modal-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| dataease--dataease | Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user's password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin's password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available. | 2026-01-22 | not yet calculated | CVE-2026-23958 | https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j |
| dataease--SQLBot | SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas and inserted into the database via to_sql() with if_exists='replace' mode. The vulnerability has been fixed in v1.5.0. No known workarounds are available. | 2026-01-21 | not yet calculated | CVE-2025-69285 | https://github.com/dataease/SQLBot/security/advisories/GHSA-crfm-cch4-hjpv https://github.com/dataease/SQLBot/releases/tag/v1.5.0 |
| Deetronix--Booking Ultra Pro | Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data. This issue affects Booking Ultra Pro: from n/a through <= 1.1.23. | 2026-01-22 | not yet calculated | CVE-2025-68006 | https://patchstack.com/database/Wordpress/Plugin/booking-ultra-pro/vulnerability/wordpress-booking-ultra-pro-plugin-1-1-23-sensitive-data-exposure-vulnerability?_s_id=cve |
| Design--Stylish Cost Calculator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows Stored XSS. This issue affects Stylish Cost Calculator: from n/a through <= 8.1.8. | 2026-01-23 | not yet calculated | CVE-2026-24630 | https://patchstack.com/database/Wordpress/Plugin/stylish-cost-calculator/vulnerability/wordpress-stylish-cost-calculator-plugin-8-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| designingmedia--Hostiko | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS. This issue affects Hostiko: from n/a through < 94.3.6. | 2026-01-22 | not yet calculated | CVE-2025-67949 | https://patchstack.com/database/Wordpress/Theme/hostiko/vulnerability/wordpress-hostiko-theme-94-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| designthemes--Kids Heaven | Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection. This issue affects Kids Heaven: from n/a through <= 3.2. | 2026-01-22 | not yet calculated | CVE-2025-67619 | https://patchstack.com/database/Wordpress/Theme/kids-world/vulnerability/wordpress-kids-heaven-theme-3-2-php-object-injection-vulnerability?_s_id=cve |
| designthemes--OneLife | Deserialization of Untrusted Data vulnerability in designthemes OneLife onelife allows Object Injection. This issue affects OneLife: from n/a through <= 3.9. | 2026-01-22 | not yet calculated | CVE-2025-69002 | https://patchstack.com/database/Wordpress/Theme/onelife/vulnerability/wordpress-onelife-theme-3-9-php-object-injection-vulnerability?_s_id=cve |
| designthemes--Reservation Plugin | Missing Authorization vulnerability in designthemes Reservation Plugin dt-reservation-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reservation Plugin: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2025-69095 | https://patchstack.com/database/Wordpress/Plugin/dt-reservation-plugin/vulnerability/wordpress-reservation-plugin-plugin-1-7-settings-change-vulnerability?_s_id=cve |
| designthemes--Vivagh | Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection. This issue affects Vivagh: from n/a through <= 2.4. | 2026-01-22 | not yet calculated | CVE-2025-68899 | https://patchstack.com/database/Wordpress/Theme/vivagh/vulnerability/wordpress-vivagh-theme-2-4-php-object-injection-vulnerability?_s_id=cve |
| Devolutions--Server | SQL Injection vulnerability in remote-sessions in Devolutions Server. This issue affects Devolutions Server 2025.3.1 through 2025.3.12 | 2026-01-19 | not yet calculated | CVE-2026-0610 | https://devolutions.net/security/advisories/DEVO-2026-0003/ |
| Devolutions--Server | Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules. This issue affects Server: from 2025.3.1 through 2025.3.12. | 2026-01-19 | not yet calculated | CVE-2026-1007 | https://devolutions.net/security/advisories/DEVO-2026-0003/ |
| DevsBlink--EduBlink Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DevsBlink EduBlink Core edublink-core allows PHP Local File Inclusion. This issue affects EduBlink Core: from n/a through <= 2.0.7. | 2026-01-23 | not yet calculated | CVE-2026-24635 | https://patchstack.com/database/Wordpress/Plugin/edublink-core/vulnerability/wordpress-edublink-core-plugin-2-0-7-local-file-inclusion-vulnerability?_s_id=cve |
| Devsbrain--Flex QR Code Generator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Devsbrain Flex QR Code Generator flex-qr-code-generator allows DOM-Based XSS. This issue affects Flex QR Code Generator: from n/a through <= 1.2.8. | 2026-01-23 | not yet calculated | CVE-2026-24614 | https://patchstack.com/database/Wordpress/Plugin/flex-qr-code-generator/vulnerability/wordpress-flex-qr-code-generator-plugin-1-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Dimitri Grassi--Salon booking system | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Retrieve Embedded Sensitive Data. This issue affects Salon booking system: from n/a through <= 10.30.3. | 2026-01-22 | not yet calculated | CVE-2025-67954 | https://patchstack.com/database/Wordpress/Plugin/salon-booking-system/vulnerability/wordpress-salon-booking-system-plugin-10-30-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| DioxusLabs--components | Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue. | 2026-01-23 | not yet calculated | CVE-2026-24474 | https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69 https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a |
| Discord--Client | Discord Client Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Discord Client. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the discord_rpc module. The product loads a file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-27057. | 2026-01-23 | not yet calculated | CVE-2026-0776 | ZDI-26-040 |
| Dmytro Shteflyuk--CodeColorer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS. This issue affects CodeColorer: from n/a through <= 0.10.1. | 2026-01-22 | not yet calculated | CVE-2025-68012 | https://patchstack.com/database/Wordpress/Plugin/codecolorer/vulnerability/wordpress-codecolorer-plugin-0-10-1-stored-cross-site-scripting-xss-vulnerability?_s_id=cve |
| docmost--docmost | Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0. | 2026-01-21 | not yet calculated | CVE-2026-23630 | https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf https://github.com/docmost/docmost/releases/tag/v0.24.0 |
| docopt.cpp--docopt.cpp | A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the overflow may also result in process abort (DoS). | 2026-01-23 | not yet calculated | CVE-2025-67125 | https://gist.github.com/thesmartshadow/672afe8828844c833f46f8ebe2f5f3bd https://github.com/docopt/docopt.cpp |
| Doogee--Doogee | An OS command injection vulnerability in the com.sprd.engineermode component in Doogee Note59, Note59 Pro, and Note59 Pro+ allows a local attacker to execute arbitrary code and escalate privileges via the EngineerMode ADB shell, due to incomplete patching of CVE-2025-31710 | 2026-01-23 | not yet calculated | CVE-2025-67264 | http://doogee.com https://github.com/Skorpion96/unisoc-su/blob/main/CVE-2025-67264.md |
| Dotstore--Fraud Prevention For Woocommerce | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Retrieve Embedded Sensitive Data. This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.1. | 2026-01-23 | not yet calculated | CVE-2026-24553 | https://patchstack.com/database/Wordpress/Plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| dragonflyoss--dragonfly | Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1. | 2026-01-22 | not yet calculated | CVE-2026-24124 | https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7 https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f |
| Dynamicweb--Dynamicweb | An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later). | 2026-01-23 | not yet calculated | CVE-2022-25369 | https://www.dynamicweb.com/resources/downloads?Category=Releases https://www.assetnote.io/resources/research/advisory-dynamicweb-logic-flaw-leading-to-rce-cve-2022-25369 |
| e-plugins--Final User | Missing Authorization vulnerability in e-plugins Final User final-user allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Final User: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69187 | https://patchstack.com/database/Wordpress/Plugin/final-user/vulnerability/wordpress-final-user-plugin-1-2-5-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Final User | Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation. This issue affects Final User: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69293 | https://patchstack.com/database/Wordpress/Plugin/final-user/vulnerability/wordpress-final-user-plugin-1-2-5-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--fitness-trainer | Missing Authorization vulnerability in e-plugins fitness-trainer fitness-trainer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects fitness-trainer: from n/a through <= 1.7.1. | 2026-01-22 | not yet calculated | CVE-2025-69188 | https://patchstack.com/database/Wordpress/Plugin/fitness-trainer/vulnerability/wordpress-fitness-trainer-plugin-1-7-1-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Hospital Doctor Directory | Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-68057 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins--Hospital Doctor Directory | Incorrect Privilege Assignment vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Privilege Escalation. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-69183 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--Hospital Doctor Directory | Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-69186 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Hotel Listing | Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. | 2026-01-22 | not yet calculated | CVE-2025-68059 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins--Hotel Listing | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS. This issue affects Hotel Listing: from n/a through <= 1.4.0. | 2026-01-22 | not yet calculated | CVE-2025-69056 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| e-plugins--Hotel Listing | Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. | 2026-01-22 | not yet calculated | CVE-2025-69185 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Institutions Directory | Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Institutions Directory: from n/a through <= 1.3..4. | 2026-01-22 | not yet calculated | CVE-2025-68058 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins--Institutions Directory | Incorrect Privilege Assignment vulnerability in e-plugins Institutions Directory institutions-directory allows Privilege Escalation. This issue affects Institutions Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69182 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--Institutions Directory | Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Institutions Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69184 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Lawyer Directory | Incorrect Privilege Assignment vulnerability in e-plugins Lawyer Directory lawyer-directory allows Privilege Escalation. This issue affects Lawyer Directory: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-67966 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-3-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--Lawyer Directory | Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-67967 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Lawyer Directory | Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69181 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Listihub | Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Listihub: from n/a through <= 1.0.6. | 2026-01-22 | not yet calculated | CVE-2025-69190 | https://patchstack.com/database/Wordpress/Theme/listihub/vulnerability/wordpress-listihub-theme-1-0-6-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--ListingHub | Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingHub: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-69191 | https://patchstack.com/database/Wordpress/Plugin/listinghub/vulnerability/wordpress-listinghub-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Real Estate Pro | Missing Authorization vulnerability in e-plugins Real Estate Pro real-estate-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Pro: from n/a through <= 2.1.5. | 2026-01-22 | not yet calculated | CVE-2025-69192 | https://patchstack.com/database/Wordpress/Plugin/real-estate-pro/vulnerability/wordpress-real-estate-pro-plugin-2-1-5-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--WP Membership | Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Membership: from n/a through <= 1.6.4. | 2026-01-22 | not yet calculated | CVE-2025-69193 | https://patchstack.com/database/Wordpress/Plugin/wp-membership/vulnerability/wordpress-wp-membership-plugin-1-6-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--WP Membership | Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation. This issue affects WP Membership: from n/a through <= 1.6.4. | 2026-01-22 | not yet calculated | CVE-2025-69292 | https://patchstack.com/database/Wordpress/Plugin/wp-membership/vulnerability/wordpress-wp-membership-plugin-1-6-4-privilege-escalation-vulnerability?_s_id=cve |
| Ecwid by Lightspeed Ecommerce Shopping Cart--Ecwid Shopping Cart | Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5. | 2026-01-23 | not yet calculated | CVE-2026-24580 | https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability?_s_id=cve |
| Ecwid by Lightspeed Ecommerce Shopping Cart--Ecwid Shopping Cart | Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5. | 2026-01-23 | not yet calculated | CVE-2026-24613 | https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability-2?_s_id=cve |
| Edge-Themes--Eldon | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Eldon eldon allows PHP Local File Inclusion. This issue affects Eldon: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2025-69057 | https://patchstack.com/database/Wordpress/Theme/eldon/vulnerability/wordpress-eldon-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Edge-Themes--Overworld | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion. This issue affects Overworld: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2025-69050 | https://patchstack.com/database/Wordpress/Theme/overworld/vulnerability/wordpress-overworld-theme-1-3-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Laurent | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion. This issue affects Laurent: from n/a through <= 3.1. | 2026-01-23 | not yet calculated | CVE-2026-24609 | https://patchstack.com/database/Wordpress/Theme/laurent/vulnerability/wordpress-laurent-theme-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Laurent Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent Core laurent-core allows PHP Local File Inclusion. This issue affects Laurent Core: from n/a through <= 2.4.1. | 2026-01-23 | not yet calculated | CVE-2026-24608 | https://patchstack.com/database/Wordpress/Plugin/laurent-core/vulnerability/wordpress-laurent-core-plugin-2-4-1-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Search & Go | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Search & Go search-and-go allows PHP Local File Inclusion. This issue affects Search & Go: from n/a through <= 2.8. | 2026-01-22 | not yet calculated | CVE-2025-69005 | https://patchstack.com/database/Wordpress/Theme/search-and-go/vulnerability/wordpress-search-go-theme-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Sweet Jane | Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sweet Jane: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2026-22426 | https://patchstack.com/database/Wordpress/Theme/sweetjane/vulnerability/wordpress-sweet-jane-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Elated-Themes--Tbel | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Töbel tobel allows PHP Local File Inclusion. This issue affects Töbel: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2025-69049 | https://patchstack.com/database/Wordpress/Theme/tobel/vulnerability/wordpress-toebel-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--The Aisle | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion. This issue affects The Aisle: from n/a through < 2.9.1. | 2026-01-22 | not yet calculated | CVE-2025-67941 | https://patchstack.com/database/Wordpress/Theme/theaisle/vulnerability/wordpress-the-aisle-theme-2-9-1-local-file-inclusion-vulnerability?_s_id=cve |
| Element Invader--Element Invader – Template Kits for Elementor | Missing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Element Invader – Template Kits for Elementor: from n/a through <= 1.2.4. | 2026-01-22 | not yet calculated | CVE-2026-24386 | https://patchstack.com/database/Wordpress/Plugin/elementinvader/vulnerability/wordpress-element-invader-template-kits-for-elementor-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| Enel X--JuiceBox 40 | Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Enel X JuiceBox 40 charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the telnet service, which listens on TCP port 2000 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23285. | 2026-01-23 | not yet calculated | CVE-2026-0778 | ZDI-26-041 |
| esphome--esphome | ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check `ptr + field_length > end` in `components/api/proto.cpp` can overflow when a malicious client sends a large `field_length` value. This affects all ESPHome device platforms (ESP32, ESP8266, RP2040, LibreTiny). The overflow bypasses the out-of-bounds check, causing the device to read invalid memory and crash. When using the plaintext API protocol, this attack can be performed without authentication. When noise encryption is enabled, knowledge of the encryption key is required. Users should upgrade to ESPHome 2025.12.7 or later to receive a patch, enable API encryption with a unique key per device, and follow the Security Best Practices. | 2026-01-19 | not yet calculated | CVE-2026-23833 | https://github.com/esphome/esphome/security/advisories/GHSA-4h3h-63v6-88qx https://github.com/esphome/esphome/pull/13306 https://github.com/esphome/esphome/commit/69d7b6e9210390051318bd8e6410727689de08d6 https://esphome.io/guides/security_best_practices |
| Essekia--Tablesome | Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.35.2. | 2026-01-23 | not yet calculated | CVE-2026-24524 | https://patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-35-2-broken-access-control-vulnerability?_s_id=cve |
| Event Espresso--Event Espresso 4 Decaf | Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf. | 2026-01-22 | not yet calculated | CVE-2025-68007 | https://patchstack.com/database/Wordpress/Plugin/event-espresso-decaf/vulnerability/wordpress-event-espresso-4-decaf-plugin-5-0-37-decaf-settings-change-vulnerability?_s_id=cve |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermeter SLIP parser reads `vec[vec.size()-1]` and `vec[vec.size()-2]` without checking that at least two bytes are present. Malformed SLIP frames on the serial link can reach `is_message_crc_correct` with `vec.size() < 2` (only via the multi-message path), causing an out-of-bounds read before CRC verification and `pop_back` underflow. Therefore, an attacker controlling the serial input can reliably crash the process. Version 2025.12.0 fixes the issue. | 2026-01-21 | not yet calculated | CVE-2025-68132 | https://github.com/EVerest/everest-core/security/advisories/GHSA-79gc-m8w6-9hx5 https://github.com/EVerest/everest-core/commit/b8139b95144e3fe0082789b7fafe4e532ee494a1 |
| ExpressTech Systems--Quiz And Survey Master | Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quiz And Survey Master: from n/a through <= 10.3.3. | 2026-01-22 | not yet calculated | CVE-2026-24358 | https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-3-broken-access-control-vulnerability?_s_id=cve |
| expresstechsoftware--MemberPress Discord Addon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in expresstechsoftware MemberPress Discord Addon expresstechsoftwares-memberpress-discord-add-on allows Reflected XSS. This issue affects MemberPress Discord Addon: from n/a through <= 1.1.4. | 2026-01-22 | not yet calculated | CVE-2025-68838 | https://patchstack.com/database/Wordpress/Plugin/expresstechsoftwares-memberpress-discord-add-on/vulnerability/wordpress-memberpress-discord-addon-plugin-1-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| external-secrets--external-secrets | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource. | 2026-01-21 | not yet calculated | CVE-2026-22822 | https://github.com/external-secrets/external-secrets/security/advisories/GHSA-77v3-r3jw-j2v2 https://github.com/external-secrets/external-secrets/issues/5690 https://github.com/external-secrets/external-secrets/pull/3895 https://github.com/external-secrets/external-secrets/commit/17d3e22b8d3fbe339faf8515a95ec06ec92b1feb https://github.com/external-secrets/external-secrets/releases/tag/v1.2.0 |
| extremeidea--bidorbuy Store Integrator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Reflected XSS. This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0. | 2026-01-22 | not yet calculated | CVE-2025-68883 | https://patchstack.com/database/Wordpress/Plugin/bidorbuystoreintegrator/vulnerability/wordpress-bidorbuy-store-integrator-plugin-2-12-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Farost--Energia | Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server. This issue affects Energia: from n/a through <= 1.1.2. | 2026-01-22 | not yet calculated | CVE-2025-50002 | https://patchstack.com/database/Wordpress/Theme/energia/vulnerability/wordpress-energia-theme-1-1-2-arbitrary-file-upload-vulnerability?_s_id=cve |
| favethemes--Homey Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS. This issue affects Homey Core: from n/a through <= 2.4.3. | 2026-01-22 | not yet calculated | CVE-2025-67964 | https://patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| favethemes--Houzez Theme - Functionality | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality allows Stored XSS. This issue affects Houzez Theme - Functionality: from n/a through <= 4.2.6. | 2026-01-22 | not yet calculated | CVE-2026-24355 | https://patchstack.com/database/Wordpress/Plugin/houzez-theme-functionality/vulnerability/wordpress-houzez-theme-functionality-plugin-4-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FireStorm Plugins--FireStorm Professional Real Estate | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FireStorm Plugins FireStorm Professional Real Estate fs-real-estate-plugin allows Blind SQL Injection. This issue affects FireStorm Professional Real Estate: from n/a through <= 2.7.11. | 2026-01-22 | not yet calculated | CVE-2026-22470 | https://patchstack.com/database/Wordpress/Plugin/fs-real-estate-plugin/vulnerability/wordpress-firestorm-professional-real-estate-plugin-2-7-11-sql-injection-vulnerability?_s_id=cve |
| fleetdm--fleet | fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. | 2026-01-21 | not yet calculated | CVE-2026-22808 | https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j |
| fleetdm--fleet | Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet's debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege "Observer" role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround. | 2026-01-21 | not yet calculated | CVE-2026-23517 | https://github.com/fleetdm/fleet/security/advisories/GHSA-4r5r-ccr6-q6f6 https://github.com/fleetdm/fleet/commit/5c030e32a3a9bc512355b5e1bf19636e4e6d0317 |
| fleetdm--fleet | Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. | 2026-01-21 | not yet calculated | CVE-2026-23518 | https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257 |
| flexostudio--flexo-posts-manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio flexo-posts-manager flexo-posts-manager allows Reflected XSS. This issue affects flexo-posts-manager: from n/a through <= 1.0001. | 2026-01-22 | not yet calculated | CVE-2025-52762 | https://patchstack.com/database/Wordpress/Plugin/flexo-posts-manager/vulnerability/wordpress-flexo-posts-manager-plugin-1-0001-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FmeAddons--Registration & Login with Mobile Phone Number for WooCommerce | Missing Authorization vulnerability in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce registration-login-with-mobile-phone-number allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Registration & Login with Mobile Phone Number for WooCommerce: from n/a through <= 1.3.1. | 2026-01-22 | not yet calculated | CVE-2025-69052 | https://patchstack.com/database/Wordpress/Plugin/registration-login-with-mobile-phone-number/vulnerability/wordpress-registration-login-with-mobile-phone-number-for-woocommerce-plugin-1-2-9-broken-access-control-vulnerability?_s_id=cve |
| FooEvents--FooEvents for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FooEvents FooEvents for WooCommerce fooevents allows SQL Injection. This issue affects FooEvents for WooCommerce: from n/a through <= 1.20.4. | 2026-01-22 | not yet calculated | CVE-2025-69045 | https://patchstack.com/database/Wordpress/Plugin/fooevents/vulnerability/wordpress-fooevents-for-woocommerce-plugin-1-20-4-sql-injection-vulnerability?_s_id=cve |
| foreverpinetree--TheNa | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS. This issue affects TheNa: from n/a through <= 1.5.5. | 2026-01-22 | not yet calculated | CVE-2025-67614 | https://patchstack.com/database/Wordpress/Theme/thena/vulnerability/wordpress-thena-theme-1-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Foundation Agents--MetaGPT | Foundation Agents MetaGPT deserialize_message Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the deserialize_message function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28121. | 2026-01-23 | not yet calculated | CVE-2026-0760 | ZDI-26-026 |
| Foundation Agents--MetaGPT | Foundation Agents MetaGPT actionoutput_str_to_mapping Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the actionoutput_str_to_mapping function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28124. | 2026-01-23 | not yet calculated | CVE-2026-0761 | ZDI-26-027 |
| Framelink--Figma MCP Server | Framelink Figma MCP Server fetchWithRetry Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Framelink Figma MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the fetchWithRetry method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27877. | 2026-01-23 | not yet calculated | CVE-2025-15061 | ZDI-25-1197 vendor-provided URL |
| Frank Corso--Quote Master | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS. This issue affects Quote Master: from n/a through <= 7.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68849 | https://patchstack.com/database/Wordpress/Plugin/quote-master/vulnerability/wordpress-quote-master-plugin-7-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view. | 2026-01-23 | not yet calculated | CVE-2026-24139 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7 https://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280 |
| Free5GC--Free5GC | An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers to obtain an access token with any arbitrary scope. | 2026-01-23 | not yet calculated | CVE-2025-66719 | https://github.com/free5gc/free5gc/issues/736 https://github.com/free5gc/nrf/pull/73 |
| Free5GC--Free5GC | Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId. | 2026-01-23 | not yet calculated | CVE-2025-66720 | https://github.com/free5gc/free5gc/issues/726 https://github.com/free5gc/pcf/pull/57 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23530 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-r4hv-852m-fq7p https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1689-L1696 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1713-L1716 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L951-L953 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23531 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L1139-L1145 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client's `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23532 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/gdi/gfx.c#L1368-L1382 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23533 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L268-L281 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L336 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23534 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L878-L879 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L883-L884 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23732 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7qxp-j2fj-c3pp https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/cache/glyph.c#L463-L480 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/codec/color.c#L261-L277 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/graphics.c#L138 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/orders.c#L2186C17-L2199 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23883 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcrr-85qx-4p6x https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L312-L319 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L340 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/pointer.c#L164-L174 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23884 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L114-L122 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L87-L91 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| Fsas Technologies Inc.--ServerView Agents for Windows | The installer of ServerView Agents for Windows provided by Fsas Technologies Inc. may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the administrator privilege when the installer is executed. | 2026-01-21 | not yet calculated | CVE-2026-24016 | https://www.fsastech.com/ja-jp/resources/security/2026/0121.html https://jvn.jp/en/jp/JVN65211823/ |
| fuelthemes--North | Deserialization of Untrusted Data vulnerability in fuelthemes North north-wp allows Object Injection. This issue affects North: from n/a through <= 5.7.5. | 2026-01-22 | not yet calculated | CVE-2025-69099 | https://patchstack.com/database/Wordpress/Theme/north-wp/vulnerability/wordpress-north-theme-5-7-5-php-object-injection-vulnerability?_s_id=cve |
| fuelthemes--North | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion. This issue affects North: from n/a through <= 5.7.5. | 2026-01-22 | not yet calculated | CVE-2025-69100 | https://patchstack.com/database/Wordpress/Theme/north-wp/vulnerability/wordpress-north-theme-5-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| fuelthemes--Werkstatt | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion. This issue affects Werkstatt: from n/a through < 4.8.3. | 2026-01-22 | not yet calculated | CVE-2025-69314 | https://patchstack.com/database/Wordpress/Theme/werkstatt/vulnerability/wordpress-werkstatt-theme-4-8-3-local-file-inclusion-vulnerability?_s_id=cve |
| fuelthemes--WerkStatt Plugin | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion. This issue affects WerkStatt Plugin: from n/a through <= 1.6.6. | 2026-01-22 | not yet calculated | CVE-2025-63017 | https://patchstack.com/database/Wordpress/Plugin/werkstatt-plugin/vulnerability/wordpress-werkstatt-plugin-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve |
| garidium--g-FFL Checkout | Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server. This issue affects g-FFL Checkout: from n/a through <= 2.1.0. | 2026-01-22 | not yet calculated | CVE-2025-68001 | https://patchstack.com/database/Wordpress/Plugin/g-ffl-checkout/vulnerability/wordpress-g-ffl-checkout-plugin-2-1-0-arbitrary-file-upload-vulnerability?_s_id=cve |
| Gemini MCP Tool--gemini-mcp-tool | gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of gemini-mcp-tool. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27783. | 2026-01-23 | not yet calculated | CVE-2026-0755 | ZDI-26-021 |
| gemsloyalty--gemsloyalty | A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message. | 2026-01-23 | not yet calculated | CVE-2025-52022 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty--gemsloyalty | A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message. | 2026-01-23 | not yet calculated | CVE-2025-52023 | http://aptsys.com http://gemscms.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty--gemsloyalty | A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries. | 2026-01-23 | not yet calculated | CVE-2025-52024 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty--gemsloyalty | An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backend thru 2025-05-28. The vulnerability arises because user input is directly inserted into a dynamic SQL query syntax without proper sanitization or parameterization. This allows an attacker to inject and execute arbitrary SQL code by submitting crafted input in the id parameter, leading to unauthorized data access or modification. | 2026-01-23 | not yet calculated | CVE-2025-52025 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| Genetech Products--Pie Register | Missing Authorization vulnerability in Genetech Products Pie Register pie-register allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pie Register: from n/a through <= 3.8.4.7. | 2026-01-23 | not yet calculated | CVE-2026-24577 | https://patchstack.com/database/Wordpress/Plugin/pie-register/vulnerability/wordpress-pie-register-plugin-3-8-4-7-broken-access-control-vulnerability?_s_id=cve |
| Get-Simple--My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. | 2026-01-21 | not yet calculated | CVE-2021-47778 | ExploitDB-49774 Vendor Homepage GetSimple CMS GitHub Repository Full Disclosure Repository VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.2 - PHP Code Injection |
| getarcaneapp--arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability. | 2026-01-19 | not yet calculated | CVE-2026-23944 | https://github.com/getarcaneapp/arcane/security/advisories/GHSA-2jv8-39rp-cqqr https://github.com/getarcaneapp/arcane/pull/1532 https://github.com/getarcaneapp/arcane/commit/2008e1b93b25d0c4c3fff3af07843766231614eb https://github.com/getarcaneapp/arcane/releases/tag/v1.13.2 |
| GetSimple CMS--My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2021-47830 | ExploitDB-49774 ExploitDB-49798 GetSimple CMS Webpage GetSimple CMS GitHub Repository VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF |
| GetSimple CMS--My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page. | 2026-01-21 | not yet calculated | CVE-2021-47870 | Full Disclosure Repository Vendor Homepage GetSimple CMS GitHub Repository ExploitDB-49798 VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.2 - Stored XSS |
| GIMP--GIMP | GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28232. | 2026-01-23 | not yet calculated | CVE-2025-15059 | ZDI-25-1196 vendor-provided URL |
| Gitea--Gitea Open Source Git Server | Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content. | 2026-01-22 | not yet calculated | CVE-2026-0798 | GitHub Security Advisory GitHub Pull Request #36319 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. | 2026-01-22 | not yet calculated | CVE-2026-20736 | GitHub Security Advisory GitHub Pull Request #36320 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. | 2026-01-22 | not yet calculated | CVE-2026-20750 | GitHub Security Advisory GitHub Pull Request #36318 GitHub Pull Request #36373 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. | 2026-01-22 | not yet calculated | CVE-2026-20800 | GitHub Security Advisory GitHub Pull Request #36339 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. | 2026-01-22 | not yet calculated | CVE-2026-20883 | GitHub Security Advisory GitHub Pull Request #36340 GitHub Pull Request #36368 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. | 2026-01-22 | not yet calculated | CVE-2026-20888 | GitHub Security Advisory GitHub Pull Request #36341 GitHub Pull Request #36356 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. | 2026-01-22 | not yet calculated | CVE-2026-20897 | GitHub Security Advisory GitHub Pull Request #36344 GitHub Pull Request #36349 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. | 2026-01-22 | not yet calculated | CVE-2026-20904 | GitHub Security Advisory GitHub Pull Request #36346 GitHub Pull Request #36361 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. | 2026-01-22 | not yet calculated | CVE-2026-20912 | GitHub Security Advisory GitHub Pull Request #36320 GitHub Pull Request #36355 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| github-kanban-mcp-server--github-kanban-mcp-server | github-kanban-mcp-server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of github-kanban-mcp-server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the create_issue parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27784. | 2026-01-23 | not yet calculated | CVE-2026-0756 | ZDI-26-022 |
| GLS--GLS Shipping for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce allows Reflected XSS. This issue affects GLS Shipping for WooCommerce: from n/a through <= 1.4.0. | 2026-01-22 | not yet calculated | CVE-2025-68011 | https://patchstack.com/database/Wordpress/Plugin/gls-shipping-for-woocommerce/vulnerability/wordpress-gls-shipping-for-woocommerce-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| goalthemes--Bailly | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bailly bailly allows PHP Local File Inclusion. This issue affects Bailly: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69039 | https://patchstack.com/database/Wordpress/Theme/bailly/vulnerability/wordpress-bailly-theme-1-3-4-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Bfres | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bfres bfres allows PHP Local File Inclusion. This issue affects Bfres: from n/a through <= 1.2.1. | 2026-01-22 | not yet calculated | CVE-2025-69040 | https://patchstack.com/database/Wordpress/Theme/bfres/vulnerability/wordpress-bfres-theme-1-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Dekoro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Dekoro dekoro allows PHP Local File Inclusion. This issue affects Dekoro: from n/a through <= 1.0.7. | 2026-01-22 | not yet calculated | CVE-2025-69041 | https://patchstack.com/database/Wordpress/Theme/dekoro/vulnerability/wordpress-dekoro-theme-1-0-7-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Hyori | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Hyori hyori allows PHP Local File Inclusion. This issue affects Hyori: from n/a through <= 1.3.6. | 2026-01-22 | not yet calculated | CVE-2025-69038 | https://patchstack.com/database/Wordpress/Theme/hyori/vulnerability/wordpress-hyori-theme-1-3-6-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Lindo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion. This issue affects Lindo: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69042 | https://patchstack.com/database/Wordpress/Theme/lindo/vulnerability/wordpress-lindo-theme-1-2-5-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Pippo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Pippo pippo allows PHP Local File Inclusion. This issue affects Pippo: from n/a through <= 1.2.3. | 2026-01-22 | not yet calculated | CVE-2025-69037 | https://patchstack.com/database/Wordpress/Theme/pippo/vulnerability/wordpress-pippo-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Rashy | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Rashy rashy allows PHP Local File Inclusion. This issue affects Rashy: from n/a through <= 1.1.3. | 2026-01-22 | not yet calculated | CVE-2025-69043 | https://patchstack.com/database/Wordpress/Theme/rashy/vulnerability/wordpress-rashy-theme-1-1-3-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Vango | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Vango vango allows PHP Local File Inclusion. This issue affects Vango: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69044 | https://patchstack.com/database/Wordpress/Theme/vango/vulnerability/wordpress-vango-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| Google--Chrome | Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0899 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/458914193 |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0900 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/465730465 |
| Google--Chrome | Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0901 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/40057499 |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0902 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/469143679 |
| Google--Chrome | Inappropriate implementation in Downloads in Google Chrome on Windows prior to 144.0.7559.59 allowed a remote attacker to bypass dangerous file type protections via a malicious file. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0903 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/444803530 |
| Google--Chrome | Incorrect security UI in Digital Credentials in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0904 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/452209495 |
| Google--Chrome | Insufficient policy enforcement in Network in Google Chrome prior to 144.0.7559.59 allowed an attack who obtained a network log file to potentially obtain potentially sensitive information via a network log file. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0905 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/465466773 |
| Google--Chrome | Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0906 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/467448811 |
| Google--Chrome | Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0907 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/444653104 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0908 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/452209503 |
| Google--Sentencepiece | Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure. | 2026-01-22 | not yet calculated | CVE-2026-1260 | https://github.com/google/sentencepiece/releases/tag/v0.2.1 |
| GPT Academic--GPT Academic | GPT Academic stream_daas Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Interaction with a malicious DAAS server is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the stream_daas function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27956. | 2026-01-23 | not yet calculated | CVE-2026-0762 | ZDI-26-028 |
| GPT Academic--GPT Academic | GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run_in_subprocess_wrapper_func function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27958. | 2026-01-23 | not yet calculated | CVE-2026-0763 | ZDI-26-029 |
| GPT Academic--GPT Academic | GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the upload endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27957. | 2026-01-23 | not yet calculated | CVE-2026-0764 | ZDI-26-030 |
| gregmolnar--Simple XML Sitemap | Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS. This issue affects Simple XML Sitemap: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22355 | https://patchstack.com/database/Wordpress/Plugin/simple-xml-sitemap/vulnerability/wordpress-simple-xml-sitemap-plugin-1-3-csrf-to-stored-xss-vulnerability?_s_id=cve |
| Hangzhou Kuozhi Network Technology Co., Ltd.--EduSoho | EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC). | 2026-01-22 | not yet calculated | CVE-2023-7335 | https://www.edusoho.com/ https://github.com/edusoho/edusoho/releases/tag/v22.4.7 https://cn-sec.com/archives/2451582.html https://blog.csdn.net/qq_41904294/article/details/135007351 https://github.com/zeroChen00/exp-poc/blob/main/EduSoho%E6%95%99%E5%9F%B9%E7%B3%BB%E7%BB%9Fclassropm-course-statistics%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md https://github.com/gobysec/GobyVuls/blob/master/CNVD-2023-03903.md https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903 https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics |
| HappyMonster--Happy Addons for Elementor | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Blind SQL Injection. This issue affects Happy Addons for Elementor: from n/a through <= 3.20.4. | 2026-01-22 | not yet calculated | CVE-2025-68999 | https://patchstack.com/database/Wordpress/Plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-4-sql-injection-vulnerability?_s_id=cve |
| Harmonic Design--HD Quiz | Missing Authorization vulnerability in Harmonic Design HD Quiz hd-quiz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HD Quiz: from n/a through <= 2.0.9. | 2026-01-23 | not yet calculated | CVE-2026-24544 | https://patchstack.com/database/Wordpress/Plugin/hd-quiz/vulnerability/wordpress-hd-quiz-plugin-2-0-9-broken-access-control-vulnerability?_s_id=cve |
| Harmonic Design--HDForms | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Harmonic Design HDForms hdforms allows Path Traversal. This issue affects HDForms: from n/a through <= 1.6.1. | 2026-01-22 | not yet calculated | CVE-2025-68912 | https://patchstack.com/database/Wordpress/Plugin/hdforms/vulnerability/wordpress-hdforms-plugin-1-6-1-arbitrary-file-deletion-vulnerability?_s_id=cve |
| hassantafreshi--Easy Form Builder | Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.9.6. | 2026-01-22 | not yet calculated | CVE-2026-22472 | https://patchstack.com/database/Wordpress/Plugin/easy-form-builder/vulnerability/wordpress-easy-form-builder-plugin-3-9-4-broken-access-control-vulnerability?_s_id=cve |
| hexpm--hexpm | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19. | 2026-01-19 | not yet calculated | CVE-2026-21618 | https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8 |
| highwarden--Super Interactive Maps | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Interactive Maps super-interactive-maps allows Reflected XSS. This issue affects Super Interactive Maps: from n/a through <= 2.3. | 2026-01-22 | not yet calculated | CVE-2025-49045 | https://patchstack.com/database/Wordpress/Plugin/super-interactive-maps/vulnerability/wordpress-super-interactive-maps-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| highwarden--Super Logos Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Logos Showcase superlogoshowcase-wp allows Reflected XSS. This issue affects Super Logos Showcase: from n/a through <= 2.8. | 2026-01-22 | not yet calculated | CVE-2025-69054 | https://patchstack.com/database/Wordpress/Plugin/superlogoshowcase-wp/vulnerability/wordpress-super-logos-showcase-plugin-2-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Horea Radu--Materialis Companion | Missing Authorization vulnerability in Horea Radu Materialis Companion materialis-companion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Materialis Companion: from n/a through <= 1.3.52. | 2026-01-23 | not yet calculated | CVE-2026-24543 | https://patchstack.com/database/Wordpress/Plugin/materialis-companion/vulnerability/wordpress-materialis-companion-plugin-1-3-52-broken-access-control-vulnerability?_s_id=cve |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue. | 2026-01-22 | not yet calculated | CVE-2026-24010 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3 https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| Hossni Mubarak--JobWP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hossni Mubarak JobWP jobwp allows Stored XSS. This issue affects JobWP: from n/a through <= 2.4.5. | 2026-01-22 | not yet calculated | CVE-2025-69318 | https://patchstack.com/database/Wordpress/Plugin/jobwp/vulnerability/wordpress-jobwp-plugin-2-4-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Hotwired Turbo--Hotwire Turbo | Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers. | 2026-01-20 | not yet calculated | CVE-2025-66803 | https://github.com/hotwired/turbo/pull/1399 https://turbo.hotwired.dev/handbook/frames https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp |
| Hubitat--Elevation C3 | An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation. | 2026-01-22 | not yet calculated | CVE-2026-1201 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06 |
| Hyyan Abo Fakher--Hyyan WooCommerce Polylang Integration | Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hyyan WooCommerce Polylang Integration: from n/a through <= 1.5.0. | 2026-01-23 | not yet calculated | CVE-2026-24585 | https://patchstack.com/database/Wordpress/Plugin/woo-poly-integration/vulnerability/wordpress-hyyan-woocommerce-polylang-integration-plugin-1-5-0-broken-access-control-vulnerability?_s_id=cve |
| Icegram--Icegram | Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Icegram: from n/a through <= 3.1.35. | 2026-01-22 | not yet calculated | CVE-2025-68507 | https://patchstack.com/database/Wordpress/Plugin/icegram/vulnerability/wordpress-icegram-plugin-3-1-35-broken-access-control-vulnerability?_s_id=cve |
| ichurakov--Paid Downloads | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ichurakov Paid Downloads paid-downloads allows Blind SQL Injection. This issue affects Paid Downloads: from n/a through <= 3.15. | 2026-01-22 | not yet calculated | CVE-2025-68857 | https://patchstack.com/database/Wordpress/Plugin/paid-downloads/vulnerability/wordpress-paid-downloads-plugin-3-15-sql-injection-vulnerability?_s_id=cve |
| ilmosys--Order Listener for WooCommerce | Missing Authorization vulnerability in ilmosys Order Listener for WooCommerce woc-order-alert allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Listener for WooCommerce: from n/a through <= 3.6.1. | 2026-01-22 | not yet calculated | CVE-2025-68018 | https://patchstack.com/database/Wordpress/Plugin/woc-order-alert/vulnerability/wordpress-order-listener-for-woocommerce-plugin-3-6-0-broken-access-control-vulnerability?_s_id=cve |
| Imaginate Solutions--File Uploads Addon for WooCommerce | Missing Authorization vulnerability in Imaginate Solutions File Uploads Addon for WooCommerce woo-addon-uploads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects File Uploads Addon for WooCommerce: from n/a through <= 1.7.3. | 2026-01-23 | not yet calculated | CVE-2026-24625 | https://patchstack.com/database/Wordpress/Plugin/woo-addon-uploads/vulnerability/wordpress-file-uploads-addon-for-woocommerce-plugin-1-7-3-broken-access-control-vulnerability?_s_id=cve |
| Imagination Technologies--Graphics DDK | A web page that contains unusual GPU shader code is loaded from the Internet into the GPU compiler process triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device. The shader code contained in the web page executes a path in the compiler that held onto an out of date pointer, pointing to a freed memory object. | 2026-01-24 | not yet calculated | CVE-2025-13952 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imran Emu--Owl Carousel WP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu Owl Carousel WP owl-carousel-wp allows Stored XSS. This issue affects Owl Carousel WP: from n/a through <= 2.2.2. | 2026-01-22 | not yet calculated | CVE-2026-22388 | https://patchstack.com/database/Wordpress/Plugin/owl-carousel-wp/vulnerability/wordpress-owl-carousel-wp-plugin-2-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| iNET--iNET Webkit | Missing Authorization vulnerability in iNET iNET Webkit inet-webkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iNET Webkit: from n/a through <= 1.2.4. | 2026-01-23 | not yet calculated | CVE-2026-24566 | https://patchstack.com/database/Wordpress/Plugin/inet-webkit/vulnerability/wordpress-inet-webkit-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| Infility--Infility Global | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS. This issue affects Infility Global: from n/a through <= 2.14.50. | 2026-01-22 | not yet calculated | CVE-2025-68864 | https://patchstack.com/database/Wordpress/Plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-14-49-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Inkscape--Inkscape | MacOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Inkscape, potentially disguising attacker's malicious intent. This issue has been fixed in 1.4.3 version of Inkscape. | 2026-01-22 | not yet calculated | CVE-2025-15523 | https://inkscape.org/ https://cert.pl/en/posts/2026/01/CVE-2025-15523/ |
| InspiryThemes--Real Homes CRM | Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files. This issue affects Real Homes CRM: from n/a through <= 1.0.0. | 2026-01-22 | not yet calculated | CVE-2025-67968 | https://patchstack.com/database/Wordpress/Plugin/realhomes-crm/vulnerability/wordpress-real-homes-crm-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve |
| Intermesh--groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80. | 2026-01-21 | not yet calculated | CVE-2026-23887 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp https://github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14ad19ea40f https://github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd3bbc43f0 |
| Israpil--Textmetrics | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Israpil Textmetrics webtexttool allows Code Injection. This issue affects Textmetrics: from n/a through <= 3.6.3. | 2026-01-23 | not yet calculated | CVE-2026-24564 | https://patchstack.com/database/Wordpress/Plugin/webtexttool/vulnerability/wordpress-textmetrics-plugin-3-6-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| jagdish1o1--Delay Redirects | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jagdish1o1 Delay Redirects delay-redirects allows DOM-Based XSS. This issue affects Delay Redirects: from n/a through <= 1.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24632 | https://patchstack.com/database/Wordpress/Plugin/delay-redirects/vulnerability/wordpress-delay-redirects-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jahid Hasan--Admin login URL Change | Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin login URL Change: from n/a through <= 1.1.5. | 2026-01-23 | not yet calculated | CVE-2026-24578 | https://patchstack.com/database/Wordpress/Plugin/admin-login-url-change/vulnerability/wordpress-admin-login-url-change-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve |
| Jamf--Jamf Pro | Authentication Bypass by Primary Weakness vulnerability in Jamf Jamf Pro allows unspecified impact. This issue affects Jamf Pro: from 11.20 through 11.24. | 2026-01-21 | not yet calculated | CVE-2026-1290 | https://learn.jamf.com/en-US/bundle/jamf-pro-release-notes-11.24.0/page/Resolved_Issues.html |
| jegtheme--JNews - Frontend Submit | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Frontend Submit jnews-frontend-submit allows Reflected XSS. This issue affects JNews - Frontend Submit: from n/a through <= 11.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68904 | https://patchstack.com/database/Wordpress/Plugin/jnews-frontend-submit/vulnerability/wordpress-jnews-frontend-submit-plugin-11-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| jegtheme--JNews - Pay Writer | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion. This issue affects JNews - Pay Writer: from n/a through <= 11.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68905 | https://patchstack.com/database/Wordpress/Plugin/jnews-pay-writer/vulnerability/wordpress-jnews-pay-writer-plugin-11-0-0-local-file-inclusion-vulnerability?_s_id=cve |
| jegtheme--JNews - Video | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS. This issue affects JNews - Video: from n/a through <= 11.0.2. | 2026-01-22 | not yet calculated | CVE-2025-68906 | https://patchstack.com/database/Wordpress/Plugin/jnews-video/vulnerability/wordpress-jnews-video-plugin-11-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Johan Jonk Stenstrm--Cookies and Content Security Policy | Insertion of Sensitive Information Into Sent Data vulnerability in Johan Jonk Stenström Cookies and Content Security Policy cookies-and-content-security-policy allows Retrieve Embedded Sensitive Data. This issue affects Cookies and Content Security Policy: from n/a through <= 2.34. | 2026-01-22 | not yet calculated | CVE-2025-63019 | https://patchstack.com/database/Wordpress/Plugin/cookies-and-content-security-policy/vulnerability/wordpress-cookies-and-content-security-policy-plugin-2-34-sensitive-data-exposure-vulnerability?_s_id=cve |
| John James Jacoby--WP Term Order | Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Term Order wp-term-order allows Cross Site Request Forgery. This issue affects WP Term Order: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24542 | https://patchstack.com/database/Wordpress/Plugin/wp-term-order/vulnerability/wordpress-wp-term-order-plugin-2-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Jthemes--xSmart | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes xSmart xsmart allows Reflected XSS. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-50006 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jthemes--xSmart | Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-50007 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-privilege-escalation-vulnerability?_s_id=cve |
| Jthemes--xSmart | Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-54002 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-broken-access-control-vulnerability?_s_id=cve |
| JV--HarfBuzz::Shaper | HarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability. Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693. | 2026-01-19 | not yet calculated | CVE-2026-0943 | https://bugzilla.redhat.com/show_bug.cgi?id=2429296 https://www.cve.org/CVERecord?id=CVE-2026-22693 https://metacpan.org/release/JV/HarfBuzz-Shaper-0.032/changes |
| Kaira--Blockons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kaira Blockons blockons allows Stored XSS. This issue affects Blockons: from n/a through <= 1.2.15. | 2026-01-23 | not yet calculated | CVE-2026-24550 | https://patchstack.com/database/Wordpress/Plugin/blockons/vulnerability/wordpress-blockons-plugin-1-2-15-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kamleshyadav--WP Lead Capturing Pages | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. | 2026-01-22 | not yet calculated | CVE-2025-49050 | https://patchstack.com/database/Wordpress/Plugin/wp-lead-capture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-5-sql-injection-vulnerability-2?_s_id=cve |
| kamleshyadav--WP Lead Capturing Pages | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. | 2026-01-22 | not yet calculated | CVE-2025-49055 | https://patchstack.com/database/Wordpress/Plugin/wp-lead-capture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-5-sql-injection-vulnerability?_s_id=cve |
| Kapil Chugh--My Post Order | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS. This issue affects My Post Order: from n/a through <= 1.2.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68004 | https://patchstack.com/database/Wordpress/Plugin/my-posts-order/vulnerability/wordpress-my-post-order-plugin-1-2-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Kapil Paul--Payment Gateway bKash for WC | Missing Authorization vulnerability in Kapil Paul Payment Gateway bKash for WC woo-payment-bkash allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway bKash for WC: from n/a through <= 3.1.0. | 2026-01-22 | not yet calculated | CVE-2025-62754 | https://patchstack.com/database/Wordpress/Plugin/woo-payment-bkash/vulnerability/wordpress-payment-gateway-bkash-for-wc-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve |
| Katana Network--Development Starter Kit | Katana Network Development Starter Kit executeCommand Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Katana Network Development Starter Kit. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the executeCommand method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27786. | 2026-01-23 | not yet calculated | CVE-2026-0759 | ZDI-26-025 |
| kpdecker--jsdiff | jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`. | 2026-01-22 | not yet calculated | CVE-2026-24001 | https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx https://github.com/kpdecker/jsdiff/issues/653 https://github.com/kpdecker/jsdiff/pull/649 https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5 |
| Kriesi--Enfold | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows DOM-Based XSS. This issue affects Enfold: from n/a through <= 7.1.3. | 2026-01-22 | not yet calculated | CVE-2025-68900 | https://patchstack.com/database/Wordpress/Theme/enfold/vulnerability/wordpress-enfold-theme-7-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kutsy--AJAX Hits Counter + Popular Posts Widget | Missing Authorization vulnerability in kutsy AJAX Hits Counter + Popular Posts Widget ajax-hits-counter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Hits Counter + Popular Posts Widget: from n/a through <= 0.10.210305. | 2026-01-23 | not yet calculated | CVE-2026-24587 | https://patchstack.com/database/Wordpress/Plugin/ajax-hits-counter/vulnerability/wordpress-ajax-hits-counter-popular-posts-widget-plugin-0-10-210305-broken-access-control-vulnerability?_s_id=cve |
| LambertGroup--Accordion Slider PRO | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Reflected XSS. This issue affects Accordion Slider PRO: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2025-49066 | https://patchstack.com/database/Wordpress/Plugin/accordion_slider_pro/vulnerability/wordpress-accordion-slider-pro-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--HTML5 Video Player | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player lbg-vp2-html5-bottom allows Reflected XSS. This issue affects HTML5 Video Player: from n/a through <= 5.3.5. | 2026-01-22 | not yet calculated | CVE-2025-27005 | https://patchstack.com/database/Wordpress/Plugin/lbg-vp2-html5-bottom/vulnerability/wordpress-html5-video-player-plugin-5-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--HTML5 Video Player with Playlist & Multiple Skins | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS. This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5. | 2026-01-22 | not yet calculated | CVE-2025-32123 | https://patchstack.com/database/Wordpress/Plugin/lbg-vp2-html5-rightside/vulnerability/wordpress-html5-video-player-with-playlist-multiple-skins-plugin-5-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Image&Video FullScreen Background | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS. This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. | 2026-01-22 | not yet calculated | CVE-2025-47666 | https://patchstack.com/database/Wordpress/Plugin/lbg_fullscreen_fullwidth_slider/vulnerability/wordpress-image-video-fullscreen-background-plugin-1-6-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Magic Responsive Slider and Carousel WordPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel allows Reflected XSS. This issue affects Magic Responsive Slider and Carousel WordPress: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2025-49043 | https://patchstack.com/database/Wordpress/Plugin/magic_carousel/vulnerability/wordpress-magic-responsive-slider-and-carousel-wordpress-plugin-1-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Magic Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS. This issue affects Magic Slider: from n/a through <= 2.2. | 2026-01-22 | not yet calculated | CVE-2025-48094 | https://patchstack.com/database/Wordpress/Plugin/magic_slider/vulnerability/wordpress-magic-slider-plugin-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Universal Video Player | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.4. | 2026-01-22 | not yet calculated | CVE-2025-69048 | https://patchstack.com/database/Wordpress/Plugin/universal-video-player/vulnerability/wordpress-universal-video-player-plugin-3-8-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Universal Video Player | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.4. | 2026-01-22 | not yet calculated | CVE-2025-69053 | https://patchstack.com/database/Wordpress/Plugin/universal-video-player/vulnerability/wordpress-universal-video-player-plugin-3-8-4-reflected-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| LambertGroup--xPromoter | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS. This issue affects xPromoter: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-49046 | https://patchstack.com/database/Wordpress/Plugin/top_bar_promoter/vulnerability/wordpress-xpromoter-plugin-1-3-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Langflow--Langflow | Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-27322. | 2026-01-23 | not yet calculated | CVE-2026-0768 | ZDI-26-034 |
| Langflow--Langflow | Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of eval_custom_component_code function. The issue results from the lack of proper validation of a user-supplied string before using it to execute python code. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26972. | 2026-01-23 | not yet calculated | CVE-2026-0769 | ZDI-26-035 |
| Langflow--Langflow | Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325. | 2026-01-23 | not yet calculated | CVE-2026-0770 | ZDI-26-036 |
| Langflow--Langflow | Langflow PythonFunction Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Attack vectors and exploitability will vary depending on the configuration of the product. The specific flaw exists within the handling of Python function components. Depending upon product configuration, an attacker may be able to introduce custom Python code into a workflow. An attacker can leverage this vulnerability to execute code in the context of the application. Was ZDI-CAN-27497. | 2026-01-23 | not yet calculated | CVE-2026-0771 | ZDI-26-037 |
| Langflow--Langflow | Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability. The specific flaw exists within the disk cache service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27919. | 2026-01-23 | not yet calculated | CVE-2026-0772 | ZDI-26-038 |
| langfuse--langfuse | Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0. | 2026-01-22 | not yet calculated | CVE-2026-24055 | https://github.com/langfuse/langfuse/security/advisories/GHSA-pvq7-vvfj-p98x https://github.com/langfuse/langfuse/commit/3adc89e4d72729eabef55e46888b8ce80a7e3b0a https://github.com/langfuse/langfuse/releases/tag/v3.147.0 https://langfuse.com/docs/prompt-management/features/webhooks-slack-integrations |
| launchinteractive--Merge + Minify + Refresh | Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Minify + Refresh merge-minify-refresh allows Cross Site Request Forgery. This issue affects Merge + Minify + Refresh: from n/a through <= 2.14. | 2026-01-22 | not yet calculated | CVE-2026-24384 | https://patchstack.com/database/Wordpress/Plugin/merge-minify-refresh/vulnerability/wordpress-merge-minify-refresh-plugin-2-14-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| LavaLite--LavaLite CMS | LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim. | 2026-01-23 | not yet calculated | CVE-2025-71177 | https://github.com/LavaLite/cms/issues/420 https://lavalite.org/ https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search |
| LazyCoders LLC--LazyTasks | Incorrect Privilege Assignment vulnerability in LazyCoders LLC LazyTasks lazytasks-project-task-management allows Privilege Escalation. This issue affects LazyTasks: from n/a through <= 1.4.01. | 2026-01-22 | not yet calculated | CVE-2025-68869 | https://patchstack.com/database/Wordpress/Plugin/lazytasks-project-task-management/vulnerability/wordpress-lazytasks-plugin-1-2-37-privilege-escalation-vulnerability?_s_id=cve |
| Leap13--Premium Addons for Elementor | Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63. | 2026-01-22 | not yet calculated | CVE-2025-69300 | https://patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-63-settings-change-vulnerability?_s_id=cve |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. Increment the reference count also for non-OF so that the caller can decrement it unconditionally. Note that this is inherently racy just as using the returned I2C device is since nothing is preventing the PHY driver from being unbound while in use. | 2026-01-23 | not yet calculated | CVE-2025-71145 | https://git.kernel.org/stable/c/43e58abad6c08c5f0943594126ef4cd6559aac0b https://git.kernel.org/stable/c/03bbdaa4da8c6ea0c8431a5011db188a07822c8a https://git.kernel.org/stable/c/75c5d9bce072abbbc09b701a49869ac23c34a906 https://git.kernel.org/stable/c/5d3df03f70547d4e3fc10ed4381c052eff51b157 https://git.kernel.org/stable/c/7501ecfe3e5202490c2d13dc7e181203601fcd69 https://git.kernel.org/stable/c/b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: fix leaked ct in error paths There are some situations where ct might be leaked as error paths are skipping the refcounted check and return immediately. In order to solve it make sure that the check is always called. | 2026-01-23 | not yet calculated | CVE-2025-71146 | https://git.kernel.org/stable/c/08fa37f4c8c59c294e9c18fea2d083ee94074e5a https://git.kernel.org/stable/c/e1ac8dce3a893641bef224ad057932f142b8a36f https://git.kernel.org/stable/c/f381a33f34dda9e4023e38ba68c943bca83245e9 https://git.kernel.org/stable/c/325eb61bb30790ea27782203a17b007ce1754a67 https://git.kernel.org/stable/c/0b88be7211d21a0d68bb1e56dc805944e3654d6f https://git.kernel.org/stable/c/4bd2b89f4028f250dd1c1625eb3da1979b04a5e8 https://git.kernel.org/stable/c/2e2a720766886190a6d35c116794693aabd332b6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd 'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob into with a cleanup helper. | 2026-01-23 | not yet calculated | CVE-2025-71147 | https://git.kernel.org/stable/c/3fd7df4636d8fd5e3592371967a5941204368936 https://git.kernel.org/stable/c/af0689cafb127a8d1af78cc8b72585c9b2a19ecd https://git.kernel.org/stable/c/19166de9737218b77122c41a5730ac87025e089f https://git.kernel.org/stable/c/9b015f2918b95bdde2ca9cefa10ef02b138aae1e https://git.kernel.org/stable/c/9e7c63c69f57b1db1a8a1542359a6167ff8fcef1 https://git.kernel.org/stable/c/62cd5d480b9762ce70d720a81fa5b373052ae05f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/handshake: restore destructor on submit failure handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_destruct on the error path. | 2026-01-23 | not yet calculated | CVE-2025-71148 | https://git.kernel.org/stable/c/cd8cf2be3717137554744233fda051ffc09d1d44 https://git.kernel.org/stable/c/7b82a1d6ae869533d8bdb0282a3a78faed8e63dd https://git.kernel.org/stable/c/b225325be7b247c7268e65eea6090db1fc786d1f https://git.kernel.org/stable/c/6af2a01d65f89e73c1cbb9267f8880d83a88cee4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted. Additionally, ensure that if an update does cause an existing POLL_ADD to complete, that the completion value isn't always overwritten with -ECANCELED. For that case, whatever io_poll_add() set the value to should just be retained. | 2026-01-23 | not yet calculated | CVE-2025-71149 | https://git.kernel.org/stable/c/8b777ab48441b153502772ecfc78c107d4353f29 https://git.kernel.org/stable/c/0126560370ed5217958b85657b590ad25e8b9c00 https://git.kernel.org/stable/c/c1669c03bfbc2a9b5ebff4428eecebe734c646fe https://git.kernel.org/stable/c/13a8f7b88c2d40c6b33f6216190478dda95d385f https://git.kernel.org/stable/c/84230ad2d2afbf0c44c32967e525c0ad92e26b4e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, It indicates that no valid session was found, but it is missing to decrement the reference count acquired by the session lookup, which results in a reference count leak. This patch fixes the issue by explicitly calling ksmbd_user_session_put to release the reference to the session. | 2026-01-23 | not yet calculated | CVE-2025-71150 | https://git.kernel.org/stable/c/0fb87b28cafae71e9c8248432cc3a6a1fd759efc https://git.kernel.org/stable/c/e54fb2a4772545701766cba08aab20de5eace8cd https://git.kernel.org/stable/c/02e06785e85b4bd86ef3d23b7c8d87acc76773d5 https://git.kernel.org/stable/c/8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7 https://git.kernel.org/stable/c/cafb57f7bdd57abba87725eb4e82bbdca4959644 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix memory and information leak in smb3_reconfigure() In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the function returns immediately without freeing and erasing the newly allocated new_password and new_password2. This causes both a memory leak and a potential information leak. Fix this by calling kfree_sensitive() on both password buffers before returning in this error case. | 2026-01-23 | not yet calculated | CVE-2025-71151 | https://git.kernel.org/stable/c/bc390b2737205163e48cc1655f6a0c8cd55b02fc https://git.kernel.org/stable/c/5679cc90bb5415801fa29041da0319d9e15d295d https://git.kernel.org/stable/c/bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6 https://git.kernel.org/stable/c/cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: properly keep track of conduit reference Problem description ------------------- DSA has a mumbo-jumbo of reference handling of the conduit net device and its kobject which, sadly, is just wrong and doesn't make sense. There are two distinct problems. 1. The OF path, which uses of_find_net_device_by_node(), never releases the elevated refcount on the conduit's kobject. Nominally, the OF and non-OF paths should result in objects having identical reference counts taken, and it is already suspicious that dsa_dev_to_net_device() has a put_device() call which is missing in dsa_port_parse_of(), but we can actually even verify that an issue exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command "before" and "after" applying this patch: (unbind the conduit driver for net device eno2) echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbind we see these lines in the output diff which appear only with the patch applied: kobject: 'eno2' (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000) kobject: '109' (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000) 2. After we find the conduit interface one way (OF) or another (non-OF), it can get unregistered at any time, and DSA remains with a long-lived, but in this case stale, cpu_dp->conduit pointer. Holding the net device's underlying kobject isn't actually of much help, it just prevents it from being freed (but we never need that kobject directly). What helps us to prevent the net device from being unregistered is the parallel netdev reference mechanism (dev_hold() and dev_put()). Actually we actually use that netdev tracker mechanism implicitly on user ports since commit 2f1e8ea726e9 ("net: dsa: link interfaces with the DSA master to get rid of lockdep warnings"), via netdev_upper_dev_link(). But time still passes at DSA switch probe time between the initial of_find_net_device_by_node() code and the user port creation time, time during which the conduit could unregister itself and DSA wouldn't know about it. So we have to run of_find_net_device_by_node() under rtnl_lock() to prevent that from happening, and release the lock only with the netdev tracker having acquired the reference. Do we need to keep the reference until dsa_unregister_switch() / dsa_switch_shutdown()? 1: Maybe yes. A switch device will still be registered even if all user ports failed to probe, see commit 86f8b1c01a0a ("net: dsa: Do not make user port errors fatal"), and the cpu_dp->conduit pointers remain valid. I haven't audited all call paths to see whether they will actually use the conduit in lack of any user port, but if they do, it seems safer to not rely on user ports for that reference. 2. Definitely yes. We support changing the conduit which a user port is associated to, and we can get into a situation where we've moved all user ports away from a conduit, thus no longer hold any reference to it via the net device tracker. But we shouldn't let it go nonetheless - see the next change in relation to dsa_tree_find_first_conduit() and LAG conduits which disappear. We have to be prepared to return to the physical conduit, so the CPU port must explicitly keep another reference to it. This is also to say: the user ports and their CPU ports may not always keep a reference to the same conduit net device, and both are needed. As for the conduit's kobject for the /sys/class/net/ entry, we don't care about it, we can release it as soon as we hold the net device object itself. History and blame attribution ----------------------------- The code has been refactored so many times, it is very difficult to follow and properly attribute a blame, but I'll try to make a short history which I hope to be correct. We have two distinct probing paths: - one for OF, introduced in 2016 i ---truncated--- | 2026-01-23 | not yet calculated | CVE-2025-71152 | https://git.kernel.org/stable/c/0e766b77ba5093583dfe609fae0aa1545c46dbbd https://git.kernel.org/stable/c/06e219f6a706c367c93051f408ac61417643d2f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix memory leak in get_file_all_info() In get_file_all_info(), if vfs_getattr() fails, the function returns immediately without freeing the allocated filename, leading to a memory leak. Fix this by freeing the filename before returning in this error case. | 2026-01-23 | not yet calculated | CVE-2025-71153 | https://git.kernel.org/stable/c/5012b4c812230ae066902a00442708c999111183 https://git.kernel.org/stable/c/676907004256e0226c7ed3691db9f431404ca258 https://git.kernel.org/stable/c/d026f47db68638521df8543535ef863814fb01b1 https://git.kernel.org/stable/c/0c56693b06a68476ba113db6347e7897475f9e4c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and the memory is leaked. Fix this by freeing both the URB and the request structure in the error path when usb_submit_urb() fails. | 2026-01-23 | not yet calculated | CVE-2025-71154 | https://git.kernel.org/stable/c/a4e2442d3c48355a84463342f397134f149936d7 https://git.kernel.org/stable/c/2f966186b99550e3c665dbfb87b8314e30acea02 https://git.kernel.org/stable/c/db2244c580540306d60ce783ed340190720cd429 https://git.kernel.org/stable/c/4bd4ea3eb326608ffc296db12c105f92dc2f2190 https://git.kernel.org/stable/c/6492ad6439ff1a479fc94dc6052df3628faed8b6 https://git.kernel.org/stable/c/151403e903840c9cf06754097b6732c14f26c532 https://git.kernel.org/stable/c/12cab1191d9890097171156d06bfa8d31f1e39c8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: s390: Fix gmap_helper_zap_one_page() again A few checks were missing in gmap_helper_zap_one_page(), which can lead to memory corruption in the guest under specific circumstances. Add the missing checks. | 2026-01-23 | not yet calculated | CVE-2025-71155 | https://git.kernel.org/stable/c/2af2abbcbf8573100288e8f8aea2dab8a2a0ceb7 https://git.kernel.org/stable/c/2f393c228cc519ddf19b8c6c05bf15723241aa96 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gve: defer interrupt enabling until NAPI registration Currently, interrupts are automatically enabled immediately upon request. This allows interrupt to fire before the associated NAPI context is fully initialized and cause failures like below: [ 0.946369] Call Trace: [ 0.946369] <IRQ> [ 0.946369] __napi_poll+0x2a/0x1e0 [ 0.946369] net_rx_action+0x2f9/0x3f0 [ 0.946369] handle_softirqs+0xd6/0x2c0 [ 0.946369] ? handle_edge_irq+0xc1/0x1b0 [ 0.946369] __irq_exit_rcu+0xc3/0xe0 [ 0.946369] common_interrupt+0x81/0xa0 [ 0.946369] </IRQ> [ 0.946369] <TASK> [ 0.946369] asm_common_interrupt+0x22/0x40 [ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10 Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto enablement and explicitly enable the interrupt in NAPI initialization path (and disable it during NAPI teardown). This ensures that interrupt lifecycle is strictly coupled with readiness of NAPI context. | 2026-01-23 | not yet calculated | CVE-2025-71156 | https://git.kernel.org/stable/c/f5b7f49bd2377916ad57cbd1210c61196daff013 https://git.kernel.org/stable/c/48f9277680925e1a8623d6b2c50aadb7af824ace https://git.kernel.org/stable/c/3d970eda003441f66551a91fda16478ac0711617 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/core: always drop device refcount in ib_del_sub_device_and_put() Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add support to add/delete a sub IB device through netlink") grabs a reference using ib_device_get_by_index() before calling ib_del_sub_device_and_put(), we need to drop that reference before returning -EOPNOTSUPP error. | 2026-01-23 | not yet calculated | CVE-2025-71157 | https://git.kernel.org/stable/c/20436f2742a92b7afeb2504eb559a98d2196b001 https://git.kernel.org/stable/c/fe8d456080423b9ed410469fbd1e2098d3acce2b https://git.kernel.org/stable/c/fa3c411d21ebc26ffd175c7256c37cefa35020aa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: ensure worker is torn down When an IRQ worker is running, unplugging the device would cause a crash. The sealevel hardware this driver was written for was not hotpluggable, so I never realized it. This change uses a spinlock to protect a list of workers, which it tears down on disconnect. | 2026-01-23 | not yet calculated | CVE-2025-71158 | https://git.kernel.org/stable/c/472d900c8bcac301ae0e40fdca7db799bd989ff5 https://git.kernel.org/stable/c/179ef1127d7a4f09f0e741fa9f30b8a8e7886271 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes") moved refcount_set inside the critical section, which means there is no longer a memory barrier between setting the refcount and setting btrfs_inode->delayed_node. Without that barrier, the stores to node->refs and btrfs_inode->delayed_node may become visible out of order. Another thread can then read btrfs_inode->delayed_node and attempt to increment a refcount that hasn't been set yet, leading to a refcounting bug and a use-after-free warning. The fix is to move refcount_set back to where it was to take advantage of the implicit memory barrier provided by lock acquisition. Because the allocations now happen outside of the lock's critical section, they can use GFP_NOFS instead of GFP_ATOMIC. | 2026-01-23 | not yet calculated | CVE-2025-71159 | https://git.kernel.org/stable/c/c8385851a5435f4006281828d428e5d0b0bbf8af https://git.kernel.org/stable/c/83f59076a1ae6f5c6845d6f7ed3a1a373d883684 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547] [..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables] [..] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_table_validate+0x6b/0xb0 [nf_tables] nf_tables_validate+0x8b/0xa0 [nf_tables] nf_tables_commit+0x1df/0x1eb0 [nf_tables] [..] Currently nf_tables will traverse the entire table (chain graph), starting from the entry points (base chains), exploring all possible paths (chain jumps). But there are cases where we could avoid revalidation. Consider: 1 input -> j2 -> j3 2 input -> j2 -> j3 3 input -> j1 -> j2 -> j3 Then the second rule does not need to revalidate j2, and, by extension j3, because this was already checked during validation of the first rule. We need to validate it only for rule 3. This is needed because chain loop detection also ensures we do not exceed the jump stack: Just because we know that j2 is cycle free, its last jump might now exceed the allowed stack size. We also need to update all reachable chains with the new largest observed call depth. Care has to be taken to revalidate even if the chain depth won't be an issue: chain validation also ensures that expressions are not called from invalid base chains. For example, the masquerade expression can only be called from NAT postrouting base chains. Therefore we also need to keep record of the base chain context (type, hooknum) and revalidate if the chain becomes reachable from a different hook location. | 2026-01-23 | not yet calculated | CVE-2025-71160 | https://git.kernel.org/stable/c/53de1e6cde8f9b791d9cf61aa0e7b02cf5bbe8b1 https://git.kernel.org/stable/c/14fa3d1927f1382f86e3f70a51f26005c8e3cff6 https://git.kernel.org/stable/c/09d6074995c186e449979fe6c1b0f1a69cf9bd3b https://git.kernel.org/stable/c/8e1a1bc4f5a42747c08130b8242ebebd1210b32f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. Red Hat QE team actually created an image that pushes dm-verity to this limit - and this image just makes the udev-worker process get stuck in the 'D' state. 2. It doesn't work. In fec_read_bufs we store data into the variable "fio->bufs", but fio bufs is shared between recursive invocations, if "verity_hash_for_block" invoked correction recursively, it would overwrite partially filled fio->bufs. | 2026-01-23 | not yet calculated | CVE-2025-71161 | https://git.kernel.org/stable/c/232948cf600fba69aff36b25d85ef91a73a35756 https://git.kernel.org/stable/c/d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it. The race condition follows this sequence: 1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet) 2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree() 3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs. Fix this by properly synchronizing the virtual channel completion: - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor. - Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors. Crash logs: [ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0 [ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0 [ 337.427562] Call trace: [ 337.427564] dump_backtrace+0x0/0x320 [ 337.427571] show_stack+0x20/0x30 [ 337.427575] dump_stack_lvl+0x68/0x84 [ 337.427584] print_address_description.constprop.0+0x74/0x2b8 [ 337.427590] kasan_report+0x1f4/0x210 [ 337.427598] __asan_load8+0xa0/0xd0 [ 337.427603] vchan_complete+0x124/0x3b0 [ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0 [ 337.427617] tasklet_action+0x30/0x40 [ 337.427623] __do_softirq+0x1a0/0x5c4 [ 337.427628] irq_exit+0x110/0x140 [ 337.427633] handle_domain_irq+0xa4/0xe0 [ 337.427640] gic_handle_irq+0x64/0x160 [ 337.427644] call_on_irq_stack+0x20/0x4c [ 337.427649] do_interrupt_handler+0x7c/0x90 [ 337.427654] el1_interrupt+0x30/0x80 [ 337.427659] el1h_64_irq_handler+0x18/0x30 [ 337.427663] el1h_64_irq+0x7c/0x80 [ 337.427667] cpuidle_enter_state+0xe4/0x540 [ 337.427674] cpuidle_enter+0x54/0x80 [ 337.427679] do_idle+0x2e0/0x380 [ 337.427685] cpu_startup_entry+0x2c/0x70 [ 337.427690] rest_init+0x114/0x130 [ 337.427695] arch_call_rest_init+0x18/0x24 [ 337.427702] start_kernel+0x380/0x3b4 [ 337.427706] __primary_switched+0xc0/0xc8 | 2026-01-25 | not yet calculated | CVE-2025-71162 | https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4 https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface. | 2026-01-25 | not yet calculated | CVE-2025-71163 | https://git.kernel.org/stable/c/0c97ff108f825a70c3bb29d65ddf0a013d231bb9 https://git.kernel.org/stable/c/a7226fd61def74b60dd8e47ec84cabafc39d575b https://git.kernel.org/stable/c/799900f01792cf8b525a44764f065f83fcafd468 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_new_tfilter. When packets are enqueued through the root QFQ qdisc, the shared leaf_qdisc->q.qlen increases. At the same time, the second QFQ qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters qfq_reset() with its own q->q.qlen == 0, but its class's leaf qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: [ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 0.903571] #PF: supervisor write access in kernel mode [ 0.903860] #PF: error_code(0x0002) - not-present page [ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 [ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI [ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE [ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) [ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 Code starting with the faulting instruction =========================================== 0: 0f 84 4d 01 00 00 je 0x153 6: 48 89 70 18 mov %rsi,0x18(%rax) a: 8b 4b 10 mov 0x10(%rbx),%ecx d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx 14: 48 8b 78 08 mov 0x8(%rax),%rdi 18: 48 d3 e2 shl %cl,%rdx 1b: 48 21 f2 and %rsi,%rdx 1e: 48 2b 13 sub (%rbx),%rdx 21: 48 8b 30 mov (%rax),%rsi 24: 48 d3 ea shr %cl,%rdx 27: 8b 4b 18 mov 0x18(%rbx),%ecx ... [ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 [ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 [ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 [ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 [ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 [ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 [ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 [ 0.910247] PKRU: 55555554 [ 0.910391] Call Trace: [ 0.910527] <TASK> [ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) [ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) [ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) [ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) [ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) [ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 0.912296] ? __alloc_skb (net/core/skbuff.c:706) [ 0.912484] netlink_sendmsg (net/netlink/af ---truncated--- | 2026-01-21 | not yet calculated | CVE-2026-22976 | https://git.kernel.org/stable/c/6116a83ec167d3ab1390cded854d237481f41b63 https://git.kernel.org/stable/c/0809c4bc06c9c961222df29f2eccfd449304056f https://git.kernel.org/stable/c/cdb24200b043438a144df501f1ebbd926bb1a2c7 https://git.kernel.org/stable/c/11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb https://git.kernel.org/stable/c/43497313d0da3e12b5cfcd97aa17bf48ee663f95 https://git.kernel.org/stable/c/51ffd447bc37bf1a5776b85523f51d2bc69977f6 https://git.kernel.org/stable/c/c1d73b1480235731e35c81df70b08f4714a7d095 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to copy sk_buff.cb data to userspace via sock_recv_errqueue() -> put_cmsg(). The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() (from skbuff_fclone_cache) [1] 2. The skb is cloned via skb_clone() using the pre-allocated fclone [3] 3. The cloned skb is queued to sk_error_queue for timestamp reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) 5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb [4] 6. __check_heap_object() fails because skbuff_fclone_cache has no usercopy whitelist [5] When cloned skbs allocated from skbuff_fclone_cache are used in the socket error queue, accessing the sock_exterr_skb structure in skb->cb via put_cmsg() triggers a usercopy hardening violation: [ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! [ 5.382796] kernel BUG at mm/usercopy.c:102! [ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 [ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 [ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 [ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 [ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 [ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 [ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 [ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 [ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 [ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 [ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 [ 5.384903] PKRU: 55555554 [ 5.384903] Call Trace: [ 5.384903] <TASK> [ 5.384903] __check_heap_object+0x9a/0xd0 [ 5.384903] __check_object_size+0x46c/0x690 [ 5.384903] put_cmsg+0x129/0x5e0 [ 5.384903] sock_recv_errqueue+0x22f/0x380 [ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? schedule+0x6d/0x270 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? mutex_unlock+0x81/0xd0 [ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 [ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 [ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 [ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 The crash offset 296 corresponds to skb2->cb within skbuff_fclones: - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = 272 + 24 (inside sock_exterr_skb.ee) This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. [1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 [2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 [3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 [4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 [5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 | 2026-01-21 | not yet calculated | CVE-2026-22977 | https://git.kernel.org/stable/c/88dd6be7ebb3153b662c2cebcb06e032a92857f5 https://git.kernel.org/stable/c/c655d2167bf014d4c61b4faeca59b60ff9b9f6b1 https://git.kernel.org/stable/c/8c6901aa29626e35045130bac09b75f791acca85 https://git.kernel.org/stable/c/582a5e922a9652fcbb7d0165c95d5b20aa37575d https://git.kernel.org/stable/c/005671c60fcf1dbdb8bddf12a62568fd5e4ec391 https://git.kernel.org/stable/c/e00b169eaac5f7cdbf710c354c8fa76d02009115 https://git.kernel.org/stable/c/2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. | 2026-01-23 | not yet calculated | CVE-2026-22978 | https://git.kernel.org/stable/c/d943b5f592767b107ba8c12a902f17431350378c https://git.kernel.org/stable/c/a3827e310b5a73535646ef4a552d53b3c8bf74f6 https://git.kernel.org/stable/c/442ceac0393185e9982323f6682a52a53e8462b1 https://git.kernel.org/stable/c/d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8 https://git.kernel.org/stable/c/024f71a57d563fbe162e528c8bf2d27e9cac7c7b https://git.kernel.org/stable/c/e3c35177103ead4658b8a62f41e3080d45885464 https://git.kernel.org/stable/c/21cbf883d073abbfe09e3924466aa5e0449e7261 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments. Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this truesize subtraction in skb_segment_list() was valid because fragments still carry a reference to the original socket. However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed this behavior by ensuring that fraglist entries are explicitly orphaned (skb->sk = NULL) to prevent illegal orphaning later in the stack. This change meant that the entire socket memory charge remained with the head SKB, but the corresponding accounting logic in skb_segment_list() was never updated. As a result, the current code unconditionally adds each fragment's truesize to delta_truesize and subtracts it from the parent SKB. Since the fragments are no longer charged to the socket, this subtraction results in an effective under-count of memory when the head is freed. This causes sk_wmem_alloc to remain non-zero, preventing socket destruction and leading to a persistent memory leak. The leak can be observed via KMEMLEAK when tearing down the networking environment: unreferenced object 0xffff8881e6eb9100 (size 2048): comm "ping", pid 6720, jiffies 4295492526 backtrace: kmem_cache_alloc_noprof+0x5c6/0x800 sk_prot_alloc+0x5b/0x220 sk_alloc+0x35/0xa00 inet6_create.part.0+0x303/0x10d0 __sock_create+0x248/0x640 __sys_socket+0x11b/0x1d0 Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST packets constructed by GRO, the truesize adjustment is removed. The call to skb_release_head_state() must be preserved. As documented in commit cf673ed0e057 ("net: fix fraglist segmentation reference count leak"), it is still required to correctly drop references to SKB extensions that may be overwritten during __copy_skb_header(). | 2026-01-23 | not yet calculated | CVE-2026-22979 | https://git.kernel.org/stable/c/0b27828ebd1ed3107d7929c3737adbe862e99e74 https://git.kernel.org/stable/c/88bea149db2057112af3aaf63534b24fab5858ab https://git.kernel.org/stable/c/3264881431e308b9c72cb8a0159d57a56d67dd79 https://git.kernel.org/stable/c/c114a32a2e70b82d447f409f7ffcfa3058f9d5bd https://git.kernel.org/stable/c/238e03d0466239410b72294b79494e43d4fabe77 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particularly. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called by the landromat work queue and this doesn't require locking as server shutdown will stop the work and wait for it before freeing anything that nfsd4_end_grace() might access. However, we must be sure that writing to v4_end_grace doesn't restart the work item after shutdown has already waited for it. For this we add a new flag protected with nn->client_lock. It is set only while it is safe to make client tracking calls, and v4_end_grace only schedules work while the flag is set with the spinlock held. So this patch adds a nfsd_net field "client_tracking_active" which is set as described. Another field "grace_end_forced", is set when v4_end_grace is written. After this is set, and providing client_tracking_active is set, the laundromat is scheduled. This "grace_end_forced" field bypasses other checks for whether the grace period has finished. This resolves a race which can result in use-after-free. | 2026-01-23 | not yet calculated | CVE-2026-22980 | https://git.kernel.org/stable/c/ca97360860eb02e3ae4ba42c19b439a0fcecbf06 https://git.kernel.org/stable/c/e8bfa2401d4c51eca6e48e9b33c798828ca9df61 https://git.kernel.org/stable/c/34eb22836e0cdba093baac66599d68c4cd245a9d https://git.kernel.org/stable/c/06600719d0f7a723811c45e4d51f5b742f345309 https://git.kernel.org/stable/c/ba4811c8b433bfa681729ca42cc62b6034f223b0 https://git.kernel.org/stable/c/53f07d095e7e680c5e4569a55a019f2c0348cdc6 https://git.kernel.org/stable/c/2857bd59feb63fcf40fe4baf55401baea6b4feb4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: detach and close netdevs while handling a reset Protect the reset path from callbacks by setting the netdevs to detached state and close any netdevs in UP state until the reset handling has completed. During a reset, the driver will de-allocate resources for the vport, and there is no guarantee that those will recover, which is why the existing vport_ctrl_lock does not provide sufficient protection. idpf_detach_and_close() is called right before reset handling. If the reset handling succeeds, the netdevs state is recovered via call to idpf_attach_and_open(). If the reset handling fails the netdevs remain down. The detach/down calls are protected with RTNL lock to avoid racing with callbacks. On the recovery side the attach can be done without holding the RTNL lock as there are no callbacks expected at that point, due to detach/close always being done first in that flow. The previous logic restoring the netdevs state based on the IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is still being used to restore the state of the netdevs following the reset, but has no use outside of the reset handling flow. idpf_init_hard_reset() is converted to void, since it was used as such and there is no error handling being done based on its return value. Before this change, invoking hard and soft resets simultaneously will cause the driver to lose the vport state: ip -br a <inf> UP echo 1 > /sys/class/net/ens801f0/device/reset& \ ethtool -L ens801f0 combined 8 ip -br a <inf> DOWN ip link set <inf> up ip -br a <inf> DOWN Also in case of a failure in the reset path, the netdev is left exposed to external callbacks, while vport resources are not initialized, leading to a crash on subsequent ifup/down: [408471.398966] idpf 0000:83:00.0: HW reset detected [408471.411744] idpf 0000:83:00.0: Device HW Reset initiated [408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2 [408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078 [408508.126112] #PF: supervisor read access in kernel mode [408508.126687] #PF: error_code(0x0000) - not-present page [408508.127256] PGD 2aae2f067 P4D 0 [408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI ... [408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf] ... [408508.139193] Call Trace: [408508.139637] <TASK> [408508.140077] __dev_close_many+0xbb/0x260 [408508.140533] __dev_change_flags+0x1cf/0x280 [408508.140987] netif_change_flags+0x26/0x70 [408508.141434] dev_change_flags+0x3d/0xb0 [408508.141878] devinet_ioctl+0x460/0x890 [408508.142321] inet_ioctl+0x18e/0x1d0 [408508.142762] ? _copy_to_user+0x22/0x70 [408508.143207] sock_do_ioctl+0x3d/0xe0 [408508.143652] sock_ioctl+0x10e/0x330 [408508.144091] ? find_held_lock+0x2b/0x80 [408508.144537] __x64_sys_ioctl+0x96/0xe0 [408508.144979] do_syscall_64+0x79/0x3d0 [408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e [408508.145860] RIP: 0033:0x7f3e0bb4caff | 2026-01-23 | not yet calculated | CVE-2026-22981 | https://git.kernel.org/stable/c/ac122f5fb050903b3d262001562c452be95eaf70 https://git.kernel.org/stable/c/2e281e1155fc476c571c0bd2ffbfe28ab829a5c3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic and is susceptible to the same crash. This issue specifically affects the ocelot_vsc7514.c frontend, which leaves unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as it uses the DSA framework which registers all ports. Fix this by checking if the port pointer is valid before accessing it. | 2026-01-23 | not yet calculated | CVE-2026-22982 | https://git.kernel.org/stable/c/8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d https://git.kernel.org/stable/c/b17818307446c5a8d925a39a792261dbfa930041 https://git.kernel.org/stable/c/2985712dc76dfa670eb7fd607c09d4d48e5f5c6e https://git.kernel.org/stable/c/03fb1708b7d1e76aecebf767ad059c319845039f https://git.kernel.org/stable/c/f490af47bbee02441e356a1e0b86e3b3dd5120ff https://git.kernel.org/stable/c/34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: do not write to msg_get_inq in callee NULL pointer dereference fix. msg_get_inq is an input field from caller to callee. Don't set it in the callee, as the caller may not clear it on struct reuse. This is a kernel-internal variant of msghdr only, and the only user does reinitialize the field. So this is not critical for that reason. But it is more robust to avoid the write, and slightly simpler code. And it fixes a bug, see below. Callers set msg_get_inq to request the input queue length to be returned in msg_inq. This is equivalent to but independent from the SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq). To reduce branching in the hot path the second also sets the msg_inq. That is WAI. This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for"), which fixed the inverse. Also avoid NULL pointer dereference in unix_stream_read_generic if state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg can happen when splicing as of commit 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets"). Also collapse two branches using a bitwise or. | 2026-01-23 | not yet calculated | CVE-2026-22983 | https://git.kernel.org/stable/c/ffa2be496ef65055b28b39c6bd9a7d66943ee89a https://git.kernel.org/stable/c/7d11e047eda5f98514ae62507065ac961981c025 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ] | 2026-01-23 | not yet calculated | CVE-2026-22984 | https://git.kernel.org/stable/c/194cfe2af4d2a1de599d39dad636b47c2f6c2c96 https://git.kernel.org/stable/c/79fe3511db416d2f2edcfd93569807cb02736e5e https://git.kernel.org/stable/c/ef208ea331ef688729f64089b895ed1b49e842e3 https://git.kernel.org/stable/c/2802ef3380fa8c4a08cda51ec1f085b1a712e9e2 https://git.kernel.org/stable/c/2d653bb63d598ae4b096dd678744bdcc34ee89e8 https://git.kernel.org/stable/c/818156caffbf55cb4d368f9c3cac64e458fb49c9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time. Move RSS LUT initialization from ndo_open to vport creation to ensure LUT is always available. This enables RSS configuration via ethtool before bringing the interface up. Simplify LUT management by maintaining all changes in the driver's soft copy and programming zeros to the indirection table when rxhash is disabled. Defer HW programming until the interface comes up if it is down during rxhash and LUT configuration changes. Steps to reproduce: ** Load idpf driver; interfaces will be created modprobe idpf ** Before bringing the interfaces up, turn rxhash off ethtool -K eth2 rxhash off [89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000 [89408.371908] #PF: supervisor read access in kernel mode [89408.371924] #PF: error_code(0x0000) - not-present page [89408.371940] PGD 0 P4D 0 [89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [89408.372052] RIP: 0010:memcpy_orig+0x16/0x130 [89408.372310] Call Trace: [89408.372317] <TASK> [89408.372326] ? idpf_set_features+0xfc/0x180 [idpf] [89408.372363] __netdev_update_features+0x295/0xde0 [89408.372384] ethnl_set_features+0x15e/0x460 [89408.372406] genl_family_rcv_msg_doit+0x11f/0x180 [89408.372429] genl_rcv_msg+0x1ad/0x2b0 [89408.372446] ? __pfx_ethnl_set_features+0x10/0x10 [89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10 [89408.372482] netlink_rcv_skb+0x58/0x100 [89408.372502] genl_rcv+0x2c/0x50 [89408.372516] netlink_unicast+0x289/0x3e0 [89408.372533] netlink_sendmsg+0x215/0x440 [89408.372551] __sys_sendto+0x234/0x240 [89408.372571] __x64_sys_sendto+0x28/0x30 [89408.372585] x64_sys_call+0x1909/0x1da0 [89408.372604] do_syscall_64+0x7a/0xfa0 [89408.373140] ? clear_bhb_loop+0x60/0xb0 [89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e [89408.378887] </TASK> <snip> | 2026-01-23 | not yet calculated | CVE-2026-22985 | https://git.kernel.org/stable/c/b29a5a7dd1f4293ee49c469938c25bf85a5aa802 https://git.kernel.org/stable/c/83f38f210b85676f40ba8586b5a8edae19b56995 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix race condition for gdev->srcu If two drivers were calling gpiochip_add_data_with_key(), one may be traversing the srcu-protected list in gpio_name_to_desc(), meanwhile other has just added its gdev in gpiodev_add_to_list_unlocked(). This creates a non-mutexed and non-protected timeframe, when one instance is dereferencing and using &gdev->srcu, before the other has initialized it, resulting in crash: [ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000 [ 4.943396] Mem abort info: [ 4.943400] ESR = 0x0000000096000005 [ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits [ 4.943407] SET = 0, FnV = 0 [ 4.943410] EA = 0, S1PTW = 0 [ 4.943413] FSC = 0x05: level 1 translation fault [ 4.943416] Data abort info: [ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000 [ 4.961449] [ffff800272bcc000] pgd=0000000000000000 [ 4.969203] , p4d=1000000039739003 [ 4.979730] , pud=0000000000000000 [ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node "reset" [ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP ... [ 5.121359] pc : __srcu_read_lock+0x44/0x98 [ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0 [ 5.153671] sp : ffff8000833bb430 [ 5.298440] [ 5.298443] Call trace: [ 5.298445] __srcu_read_lock+0x44/0x98 [ 5.309484] gpio_name_to_desc+0x60/0x1a0 [ 5.320692] gpiochip_add_data_with_key+0x488/0xf00 5.946419] ---[ end trace 0000000000000000 ]--- Move initialization code for gdev fields before it is added to gpio_devices, with adjacent initialization code. Adjust goto statements to reflect modified order of operations [Bartosz: fixed a build issue, removed stray newline] | 2026-01-23 | not yet calculated | CVE-2026-22986 | https://git.kernel.org/stable/c/fb674c8f1a5d8dd3113a7326030f963fa2d79c02 https://git.kernel.org/stable/c/a7ac22d53d0990152b108c3f4fe30df45fcb0181 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy syzbot reported a crash in tc_act_in_hw() during netns teardown where tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action pointer, leading to an invalid dereference. Guard against ERR_PTR entries when iterating the action IDR so teardown does not call tc_act_in_hw() on an error pointer. | 2026-01-23 | not yet calculated | CVE-2026-22987 | https://git.kernel.org/stable/c/67550a1130b647bb0d093c9c0a810c69aa6a30a8 https://git.kernel.org/stable/c/adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer after dev_hard_header() call. | 2026-01-23 | not yet calculated | CVE-2026-22988 | https://git.kernel.org/stable/c/e432dbff342b95fe44645f9a90fcf333c80f4b5e https://git.kernel.org/stable/c/393525dee5c39acff8d6705275d7fcaabcfb7f0a https://git.kernel.org/stable/c/70bddc16491ef4681f3569b3a2c80309a3edcdd1 https://git.kernel.org/stable/c/029935507d0af6553c45380fbf6feecf756fd226 https://git.kernel.org/stable/c/dd6ccec088adff4bdf33e2b2dd102df20a7128fa https://git.kernel.org/stable/c/949647e7771a4a01963fe953a96d81fba7acecf3 https://git.kernel.org/stable/c/c92510f5e3f82ba11c95991824a41e59a9c5ed81 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: check that server is running in unlock_filesystem If we are trying to unlock the filesystem via an administrative interface and nfsd isn't running, it crashes the server. This happens currently because nfsd4_revoke_states() access state structures (eg., conf_id_hashtbl) that has been freed as a part of the server shutdown. [ 59.465072] Call trace: [ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P) [ 59.465830] write_unlock_fs+0x258/0x440 [nfsd] [ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd] [ 59.466780] vfs_write+0x1f0/0x938 [ 59.467088] ksys_write+0xfc/0x1f8 [ 59.467395] __arm64_sys_write+0x74/0xb8 [ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8 [ 59.468177] do_el0_svc+0x154/0x1d8 [ 59.468489] el0_svc+0x40/0xe0 [ 59.468767] el0t_64_sync_handler+0xa0/0xe8 [ 59.469138] el0t_64_sync+0x1ac/0x1b0 Ensure this can't happen by taking the nfsd_mutex and checking that the server is still up, and then holding the mutex across the call to nfsd4_revoke_states(). | 2026-01-23 | not yet calculated | CVE-2026-22989 | https://git.kernel.org/stable/c/d95499900fe52f3d461ed26b7a30bebea8f12914 https://git.kernel.org/stable/c/e06c9f6c0f554148d4921c2a15bd054260a054ac https://git.kernel.org/stable/c/d0424066fcd294977f310964bed6f2a487fa4515 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. | 2026-01-23 | not yet calculated | CVE-2026-22990 | https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9 https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3 https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating. | 2026-01-23 | not yet calculated | CVE-2026-22991 | https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234 https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4 https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5 https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done() Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature(). | 2026-01-23 | not yet calculated | CVE-2026-22992 | https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16 https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1 https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5 https://git.kernel.org/stable/c/e84b48d31b5008932c0a0902982809fbaa1d3b70 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change. After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don't touch the LUT. Steps to reproduce: ** Bring the interface down (if up) ifconfig eth1 down ** update the queue count (eg., 27->20) ethtool -L eth1 combined 20 ** display the RSS LUT ethtool -x eth1 [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000 [82375.558373] #PF: supervisor read access in kernel mode [82375.558391] #PF: error_code(0x0000) - not-present page [82375.558408] PGD 0 P4D 0 [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf] [82375.558786] Call Trace: [82375.558793] <TASK> [82375.558804] rss_prepare.isra.0+0x187/0x2a0 [82375.558827] rss_prepare_data+0x3a/0x50 [82375.558845] ethnl_default_doit+0x13d/0x3e0 [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180 [82375.558886] genl_rcv_msg+0x1ad/0x2b0 [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10 [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10 [82375.558937] netlink_rcv_skb+0x58/0x100 [82375.558957] genl_rcv+0x2c/0x50 [82375.558971] netlink_unicast+0x289/0x3e0 [82375.558988] netlink_sendmsg+0x215/0x440 [82375.559005] __sys_sendto+0x234/0x240 [82375.559555] __x64_sys_sendto+0x28/0x30 [82375.560068] x64_sys_call+0x1909/0x1da0 [82375.560576] do_syscall_64+0x7a/0xfa0 [82375.561076] ? clear_bhb_loop+0x60/0xb0 [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e <snip> | 2026-01-23 | not yet calculated | CVE-2026-22993 | https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference count leak in bpf_prog_test_run_xdp() syzbot is reporting unregister_netdevice: waiting for sit0 to become free. Usage count = 2 problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp(). According to commit ec94670fcb3b ("bpf: Support specifying ingress via xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md(). Therefore, we can consider that the error handling path introduced by commit 1c1949982524 ("bpf: introduce frags support to bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md(). | 2026-01-23 | not yet calculated | CVE-2026-22994 | https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365 https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101 https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38 https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: fix use-after-free in ublk_partition_scan_work A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk: 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk() 2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does: - del_gendisk(ub->ub_disk) - ublk_detach_disk() sets ub->ub_disk = NULL - put_disk() which may free the disk 3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early. Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached. | 2026-01-23 | not yet calculated | CVE-2026-22995 | https://git.kernel.org/stable/c/72e28774e9644c2bdbb4920842fbf77103a15a85 https://git.kernel.org/stable/c/f0d385f6689f37a2828c686fb279121df006b4cb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to reference the netdev and mdev associated with that struct. Instead, store netdev directly into mlx5e_dev and get mdev from the containing mlx5_adev aux device structure. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000520 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_remove+0x68/0x130 RSP: 0018:ffffc900034838f0 EFLAGS: 00010246 RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10 R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0 R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400 FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0 Call Trace: <TASK> device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140 | 2026-01-25 | not yet calculated | CVE-2026-22996 | https://git.kernel.org/stable/c/dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe https://git.kernel.org/stable/c/a3d4f87d41f5140f1cf5c02fce5cdad2637f6244 https://git.kernel.org/stable/c/123eda2e5b1638e298e3a66bb1e64a8da92de5e1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as | unregister_netdevice: waiting for vcan0 to become free. Usage count = 2. problem. | 2026-01-25 | not yet calculated | CVE-2026-22997 | https://git.kernel.org/stable/c/cb2a610867bc379988bae0bb4b8bbc59c0decf1a https://git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703 https://git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT → both pointers NULL 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated | 2026-01-25 | not yet calculated | CVE-2026-22998 | https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913 https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. | 2026-01-25 | not yet calculated | CVE-2026-22999 | https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50 https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash on profile change rollback failure mlx5e_netdev_change_profile can fail to attach a new profile and can fail to rollback to old profile, in such case, we could end up with a dangling netdev with a fully reset netdev_priv. A retry to change profile, e.g. another attempt to call mlx5e_netdev_change_profile via switchdev mode change, will crash trying to access the now NULL priv->mdev. This fix allows mlx5e_netdev_change_profile() to handle previous failures and an empty priv, by not assuming priv is valid. Pass netdev and mdev to all flows requiring mlx5e_netdev_change_profile() and avoid passing priv. In mlx5e_netdev_change_profile() check if current priv is valid, and if not, just attach the new profile without trying to access the old one. This fixes the following oops, when enabling switchdev mode for the 2nd time after first time failure: ## Enabling switchdev mode first time: mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 ^^^^^^^^ mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) ## retry: Enabling switchdev mode 2nd time: mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload BUG: kernel NULL pointer dereference, address: 0000000000000038 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_detach_netdev+0x3c/0x90 Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07 RSP: 0018:ffffc90000673890 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000 RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000 R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000 R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000 FS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0 Call Trace: <TASK> mlx5e_netdev_change_profile+0x45/0xb0 mlx5e_vport_rep_load+0x27b/0x2d0 mlx5_esw_offloads_rep_load+0x72/0xf0 esw_offloads_enable+0x5d0/0x970 mlx5_eswitch_enable_locked+0x349/0x430 ? is_mp_supported+0x57/0xb0 mlx5_devlink_eswitch_mode_set+0x26b/0x430 devlink_nl_eswitch_set_doit+0x6f/0xf0 genl_family_rcv_msg_doit+0xe8/0x140 genl_rcv_msg+0x18b/0x290 ? __pfx_devlink_nl_pre_doit+0x10/0x10 ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10 ? __pfx_devlink_nl_post_doit+0x10/0x10 ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x52/0x100 genl_rcv+0x28/0x40 netlink_unicast+0x282/0x3e0 ? __alloc_skb+0xd6/0x190 netlink_sendmsg+0x1f7/0x430 __sys_sendto+0x213/0x220 ? __sys_recvmsg+0x6a/0xd0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fdfb8495047 | 2026-01-25 | not yet calculated | CVE-2026-23000 | https://git.kernel.org/stable/c/dad52950b409d6923880d65a4cddb383286e17d2 https://git.kernel.org/stable/c/e05b8084a20f6bd5827d338c928e5e0fcbafa496 https://git.kernel.org/stable/c/4dadc4077e3f77d6d31e199a925fc7a705e7adeb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u | 2026-01-25 | not yet calculated | CVE-2026-23001 | https://git.kernel.org/stable/c/8518712a2ca952d6da2238c6f0a16b4ae5ea3f13 https://git.kernel.org/stable/c/6dbead9c7677186f22b7981dd085a0feec1f038e https://git.kernel.org/stable/c/7470a7a63dc162f07c26dbf960e41ee1e248d80e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lib/buildid: use __kernel_read() for sleepable context Prevent a "BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio". For the sleepable context, convert freader to use __kernel_read() instead of direct page cache access via read_cache_folio(). This simplifies the faultable code path by using the standard kernel file reading interface which handles all the complexity of reading file data. At the moment we are not changing the code for non-sleepable context which uses filemap_get_folio() and only succeeds if the target folios are already in memory and up-to-date. The reason is to keep the patch simple and easier to backport to stable kernels. Syzbot repro does not crash the kernel anymore and the selftests run successfully. In the follow up we will make __kernel_read() with IOCB_NOWAIT work for non-sleepable contexts. In addition, I would like to replace the secretmem check with a more generic approach and will add fstest for the buildid code. | 2026-01-25 | not yet calculated | CVE-2026-23002 | https://git.kernel.org/stable/c/b11dfb7708f212b96c7973a474014c071aa02e05 https://git.kernel.org/stable/c/568aeb3476c770a3863c755dd2a199c212434286 https://git.kernel.org/stable/c/777a8560fd29738350c5094d4166fe5499452409 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729 __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860 ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903 gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1 ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500 ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:318 [inline] ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core net/core/dev.c:6139 [inline] __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252 netif_receive_skb_internal net/core/dev.c:6338 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6397 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4960 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586 __alloc_skb+0x805/0x1040 net/core/skbuff.c:690 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712 sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995 tun_alloc_skb drivers/net/tun.c:1461 [inline] tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 | 2026-01-25 | not yet calculated | CVE-2026-23003 | https://git.kernel.org/stable/c/df5ffde9669314500809bc498ae73d6d3d9519ac https://git.kernel.org/stable/c/b9f915340f25cae1562f18e1eb52deafca328414 https://git.kernel.org/stable/c/81c734dae203757fb3c9eee6f9896386940776bd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has been freed. } Issue here is that rt6_uncached_list_del() did not attempt to lock ul->lock, as list_empty(&rt->dst.rt_uncached) returned true because the WRITE_ONCE(list->next, list) happened on the other CPU. We might use list_del_init_careful() and list_empty_careful(), or make sure rt6_uncached_list_del() always grabs the spinlock whenever rt->dst.rt_uncached_list has been set. A similar fix is neeed for IPv4. [1] BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline] BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline] BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450 CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)} Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: netns cleanup_net Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 INIT_LIST_HEAD include/linux/list.h:46 [inline] list_del_init include/linux/list.h:296 [inline] rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853 addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline] call_netdevice_notifiers net/core/dev.c:2282 [inline] netif_close_many+0x29c/0x410 net/core/dev.c:1785 unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248 cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 803: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4953 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270 dst_alloc+0x105/0x170 net/core/dst.c:89 ip6_dst_alloc net/ipv6/route.c:342 [inline] icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333 mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated--- | 2026-01-25 | not yet calculated | CVE-2026-23004 | https://git.kernel.org/stable/c/722de945216144af7cd4d39bdeb936108d2595a7 https://git.kernel.org/stable/c/9a6f0c4d5796ab89b5a28a890ce542344d58bd69 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features that are disabled via the guest's XFD. Because the kernel executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRSTOR to #NM and panic the kernel. E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848 Modules linked in: kvm_intel kvm irqbypass CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 switch_fpu_return+0x4a/0xb0 kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1, and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's call to fpu_update_guest_xfd(). and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867 Modules linked in: kvm_intel kvm irqbypass CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 fpu_swap_kvm_fpstate+0x6b/0x120 kvm_load_guest_fpu+0x30/0x80 [kvm] kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- The new behavior is consistent with the AMX architecture. Per Intel's SDM, XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD (and non-compacted XSAVE saves the initial configuration of the state component): If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i, the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1; instead, it operates as if XINUSE[i] = 0 (and the state component was in its initial state): it saves bit i of XSTATE_BV field of the XSAVE header as 0; in addition, XSAVE saves the initial configuration of the state component (the other instructions do not save state component i). Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using a constant XFD based on the set of enabled features when XSAVEing for a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled features can only happen in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, because fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the outgoing FPU state with the current XFD; and that is (on all but the first WRMSR to XFD) the guest XFD. Therefore, XFD can only go out of sync with XSTATE_BV in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, and it we can consider it (de facto) part of KVM ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features. [Move clea ---truncated--- | 2026-01-25 | not yet calculated | CVE-2026-23005 | https://git.kernel.org/stable/c/f577508cc8a0adb8b4ebe9480bba7683b6149930 https://git.kernel.org/stable/c/eea6f395ca502c4528314c8112da9b5d65f685eb https://git.kernel.org/stable/c/b45f721775947a84996deb5c661602254ce25ce6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv". | 2026-01-25 | not yet calculated | CVE-2026-23006 | https://git.kernel.org/stable/c/61757f5191daab863d25f03680e912b5449a1eed https://git.kernel.org/stable/c/53bd838ed5950cb18927e4b2e8ee841b7cb10929 https://git.kernel.org/stable/c/be7664c81d3129fc313ef62ff275fd3d33cfecd4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: zero non-PI portion of auto integrity buffer The auto-generated integrity buffer for writes needs to be fully initialized before being passed to the underlying block device, otherwise the uninitialized memory can be read back by userspace or anyone with physical access to the storage device. If protection information is generated, that portion of the integrity buffer is already initialized. The integrity data is also zeroed if PI generation is disabled via sysfs or the PI tuple size is 0. However, this misses the case where PI is generated and the PI tuple size is nonzero, but the metadata size is larger than the PI tuple. In this case, the remainder ("opaque") of the metadata is left uninitialized. Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the metadata is larger than just the PI tuple. | 2026-01-25 | not yet calculated | CVE-2026-23007 | https://git.kernel.org/stable/c/d6072557b90e0c557df319a56f4a9dc482706d2c https://git.kernel.org/stable/c/ca22c566b89164f6e670af56ecc45f47ef3df819 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix KMS with 3D on HW version 10 HW version 10 does not have GB Surfaces so there is no backing buffer for surface backed FBs. This would result in a nullptr dereference and crash the driver causing a black screen. | 2026-01-25 | not yet calculated | CVE-2026-23008 | https://git.kernel.org/stable/c/a91bdd21d5efb3072beefbec13762b7722200c49 https://git.kernel.org/stable/c/d9186faeae6efb7d0841a5e8eb213ff4c7966614 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xhci: sideband: don't dereference freed ring when removing sideband endpoint xhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is running and has a valid transfer ring. Lianqin reported a crash during suspend/wake-up stress testing, and found the cause to be dereferencing a non-existing transfer ring 'ep->ring' during xhci_sideband_remove_endpoint(). The endpoint and its ring may be in unknown state if this function is called after xHCI was reinitialized in resume (lost power), or if device is being re-enumerated, disconnected or endpoint already dropped. Fix this by both removing unnecessary ring access, and by checking ep->ring exists before dereferencing it. Also make sure endpoint is running before attempting to stop it. Remove the xhci_initialize_ring_info() call during sideband endpoint removal as is it only initializes ring structure enqueue, dequeue and cycle state values to their starting values without changing actual hardware enqueue, dequeue and cycle state. Leaving them out of sync is worse than leaving it as it is. The endpoint will get freed in after this in most usecases. If the (audio) class driver want's to reuse the endpoint after offload then it is up to the class driver to ensure endpoint is properly set up. | 2026-01-25 | not yet calculated | CVE-2026-23009 | https://git.kernel.org/stable/c/34f6634dba87ef72b3c3a3a524be663adef7ab42 https://git.kernel.org/stable/c/dd83dc1249737b837ac5d57c81f2b0977c613d9f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp->flags for temporary addresses in inet6_addr_del(). Let's move ipv6_del_addr() down to fix the UAF. [0]: BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593 CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181 inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f164cf8f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749 RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003 RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288 </TASK> Allocated by task 9593: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120 inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050 addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160 inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6099: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free_freelist_hook mm/slub.c:2569 [inline] slab_free_bulk mm/slub.c:6696 [inline] kmem_cache_free_bulk mm/slub.c:7383 [inline] kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362 kfree_bulk include/linux/slab.h:830 [inline] kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523 kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline] kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqu ---truncated--- | 2026-01-25 | not yet calculated | CVE-2026-23010 | https://git.kernel.org/stable/c/2684610a9c9c53f262fd864fa5c407e79f304804 https://git.kernel.org/stable/c/8b6dcb565e419846bd521e31d5e1f98e4d0e1179 https://git.kernel.org/stable/c/ddf96c393a33aef4887e2e406c76c2f8cda1419c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ipgre device. [1] skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 kernel BUG at net/core/skbuff.c:213 ! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 Call Trace: <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 | 2026-01-25 | not yet calculated | CVE-2026-23011 | https://git.kernel.org/stable/c/aa57bfea4674e6da8104fa3a37760a6f5f255dad https://git.kernel.org/stable/c/554201ed0a8f4d32e719f42caeaeb2735a9ed6ca https://git.kernel.org/stable/c/e67c577d89894811ce4dcd1a9ed29d8b63476667 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: remove call_control in inactive contexts If damon_call() is executed against a DAMON context that is not running, the function returns error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the call_controls list, which still has the pointer to the previous damon_call_control object, which is deallocated. As a result, use-after-free happens. This can actually be triggered using the DAMON sysfs interface. It is not easily exploitable since it requires the sysfs write permission and making a definitely weird file writes, though. Please refer to the report for more details about the issue reproduction steps. Fix the issue by making two changes. Firstly, move the final kdamond_call() for cancelling all existing damon_call() requests from terminating DAMON context to be done before the ctx->kdamond reset. This makes any code that sees NULL ctx->kdamond can safely assume the context may not access damon_call() requests anymore. Secondly, let damon_call() to cleanup the damon_call_control objects that were added to the already-terminated DAMON context, before returning the error. | 2026-01-25 | not yet calculated | CVE-2026-23012 | https://git.kernel.org/stable/c/23b061f421eef03647b512f3df48861706c87db3 https://git.kernel.org/stable/c/f9132fbc2e83baf2c45a77043672a63a675c9394 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires. Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq(). | 2026-01-25 | not yet calculated | CVE-2026-23013 | https://git.kernel.org/stable/c/aa05a8371ae4a452df623f7202c72409d3c50e40 https://git.kernel.org/stable/c/aa4c066229b05fc3d3c5f42693d25b1828533b6e https://git.kernel.org/stable/c/f93fc5d12d69012788f82151bee55fce937e1432 |
| linux4me2--Menu In Post | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS. This issue affects Menu In Post: from n/a through <= 1.4.1. | 2026-01-22 | not yet calculated | CVE-2026-22349 | https://patchstack.com/database/Wordpress/Plugin/menu-in-post/vulnerability/wordpress-menu-in-post-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| livemesh--Livemesh Addons for WPBakery Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for WPBakery Page Builder addons-for-visual-composer allows Stored XSS. This issue affects Livemesh Addons for WPBakery Page Builder: from n/a through <= 3.9.4. | 2026-01-23 | not yet calculated | CVE-2026-24594 | https://patchstack.com/database/Wordpress/Plugin/addons-for-visual-composer/vulnerability/wordpress-livemesh-addons-for-wpbakery-page-builder-plugin-3-9-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Lodash--Lodash | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23 | 2026-01-21 | not yet calculated | CVE-2025-13465 | https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg |
| LogicHunt--Logo Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LogicHunt Logo Slider logo-slider-wp allows Stored XSS. This issue affects Logo Slider: from n/a through <= 4.9.0. | 2026-01-23 | not yet calculated | CVE-2026-24626 | https://patchstack.com/database/Wordpress/Plugin/logo-slider-wp/vulnerability/wordpress-logo-slider-plugin-4-9-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ludwig You--WPMasterToolKit | Missing Authorization vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPMasterToolKit: from n/a through <= 2.14.0. | 2026-01-22 | not yet calculated | CVE-2026-24388 | https://patchstack.com/database/Wordpress/Plugin/wpmastertoolkit/vulnerability/wordpress-wpmastertoolkit-plugin-2-14-0-broken-access-control-vulnerability?_s_id=cve |
| M-Files Corporation--M-Files Server | Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint. | 2026-01-21 | not yet calculated | CVE-2026-0663 | https://product.m-files.com/security-advisories/cve-2026-0663/ |
| mackron--dr_flac | dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. | 2026-01-20 | not yet calculated | CVE-2025-14369 | https://github.com/mackron/dr_libs/commit/b2197b2eb7bb609df76315bebf44db4ec2a1aed0 |
| magentech--MaxShop | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech MaxShop sw_maxshop allows PHP Local File Inclusion. This issue affects MaxShop: from n/a through <= 3.6.20. | 2026-01-22 | not yet calculated | CVE-2025-69047 | https://patchstack.com/database/Wordpress/Theme/sw_maxshop/vulnerability/wordpress-maxshop-theme-3-6-20-local-file-inclusion-vulnerability?_s_id=cve |
| Mahmudul Hasan Arif--FluentBoards | Missing Authorization vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through <= 1.91.1. | 2026-01-23 | not yet calculated | CVE-2026-24561 | https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-1-broken-access-control-vulnerability?_s_id=cve |
| MailerLite--MailerLite WooCommerce integration | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MailerLite MailerLite - WooCommerce integration woo-mailerlite allows SQL Injection. This issue affects MailerLite - WooCommerce integration: from n/a through <= 3.1.2. | 2026-01-22 | not yet calculated | CVE-2025-67945 | https://patchstack.com/database/Wordpress/Plugin/woo-mailerlite/vulnerability/wordpress-mailerlite-woocommerce-integration-plugin-3-1-2-sql-injection-vulnerability?_s_id=cve |
| ManageIQ--manageiq | ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2 contains a patch. One may also apply the patch manually. | 2026-01-21 | not yet calculated | CVE-2026-22598 | https://github.com/ManageIQ/manageiq/security/advisories/GHSA-m832-x3g8-63j3 https://github.com/ManageIQ/manageiq/commit/79cef10c7d0278d8a37c3f547c426948180df4df.patch https://github.com/ManageIQ/manageiq/commit/86132851257d73ed9e31a88315e47a8a2b838113 |
| Marco Milesi--ANAC XML Viewer | Server-Side Request Forgery (SSRF) vulnerability in Marco Milesi ANAC XML Viewer anac-xml-viewer allows Server Side Request Forgery. This issue affects ANAC XML Viewer: from n/a through <= 1.8.2. | 2026-01-22 | not yet calculated | CVE-2025-64252 | https://patchstack.com/database/Wordpress/Plugin/anac-xml-viewer/vulnerability/wordpress-anac-xml-viewer-plugin-1-8-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Marco van Wieren--WPO365 | Server-Side Request Forgery (SSRF) vulnerability in Marco van Wieren WPO365 wpo365-login allows Server Side Request Forgery. This issue affects WPO365: from n/a through <= 40.0. | 2026-01-22 | not yet calculated | CVE-2025-67961 | https://patchstack.com/database/Wordpress/Plugin/wpo365-login/vulnerability/wordpress-wpo365-plugin-40-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Marcus (aka @msykes)--WP FullCalendar | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Retrieve Embedded Sensitive Data. This issue affects WP FullCalendar: from n/a through <= 1.6. | 2026-01-23 | not yet calculated | CVE-2026-24523 | https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-sensitive-data-exposure-vulnerability?_s_id=cve |
| Mario Peshev--WP-CRM System | Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.5. | 2026-01-22 | not yet calculated | CVE-2025-62106 | https://patchstack.com/database/Wordpress/Plugin/wp-crm-system/vulnerability/wordpress-wp-crm-system-plugin-3-4-5-broken-access-control-vulnerability-2?_s_id=cve |
| marynixie--Related Posts Thumbnails Plugin for WordPress | Cross-Site Request Forgery (CSRF) vulnerability in marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails allows Cross Site Request Forgery. This issue affects Related Posts Thumbnails Plugin for WordPress: from n/a through <= 4.3.1. | 2026-01-23 | not yet calculated | CVE-2026-24596 | https://patchstack.com/database/Wordpress/Plugin/related-posts-thumbnails/vulnerability/wordpress-related-posts-thumbnails-plugin-for-wordpress-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| matiskiba--Ravpage | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in matiskiba Ravpage ravpage allows Reflected XSS. This issue affects Ravpage: from n/a through <= 2.33. | 2026-01-22 | not yet calculated | CVE-2025-68835 | https://patchstack.com/database/Wordpress/Plugin/ravpage/vulnerability/wordpress-ravpage-plugin-2-33-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| MCP Manager for Claude Desktop--MCP Manager for Claude Desktop | MCP Manager for Claude Desktop execute-command Command Injection Sandbox Escape Vulnerability. This vulnerability allows remote attackers to bypass the sandbox on affected installations of MCP Manager for Claude Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of MCP config objects. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code in the context of the current process at medium integrity. Was ZDI-CAN-27810. | 2026-01-23 | not yet calculated | CVE-2026-0757 | ZDI-26-023 |
| mcp-server-siri-shortcuts--mcp-server-siri-shortcuts | mcp-server-siri-shortcuts shortcutName Command Injection Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of mcp-server-siri-shortcuts. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the shortcutName parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-27910. | 2026-01-23 | not yet calculated | CVE-2026-0758 | ZDI-26-024 |
| merkulove--Audier For Elementor | Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Audier For Elementor: from n/a through <= 1.0.9. | 2026-01-22 | not yet calculated | CVE-2025-66139 | https://patchstack.com/database/Wordpress/Plugin/audier-elementor/vulnerability/wordpress-audier-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Carter for Elementor | Missing Authorization vulnerability in merkulove Carter for Elementor carter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Carter for Elementor: from n/a through <= 1.0.2. | 2026-01-22 | not yet calculated | CVE-2025-66136 | https://patchstack.com/database/Wordpress/Plugin/carter-elementor/vulnerability/wordpress-carter-for-elementor-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Comparimager for Elementor | Missing Authorization vulnerability in merkulove Comparimager for Elementor comparimager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Comparimager for Elementor: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-66142 | https://patchstack.com/database/Wordpress/Plugin/comparimager-elementor/vulnerability/wordpress-comparimager-for-elementor-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Crumber | Missing Authorization vulnerability in merkulove Crumber crumber-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crumber: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-66143 | https://patchstack.com/database/Wordpress/Plugin/crumber-elementor/vulnerability/wordpress-crumber-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Imager for Elementor | Missing Authorization vulnerability in merkulove Imager for Elementor imager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Imager for Elementor: from n/a through <= 2.0.4. | 2026-01-22 | not yet calculated | CVE-2025-66135 | https://patchstack.com/database/Wordpress/Plugin/imager-elementor/vulnerability/wordpress-imager-for-elementor-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Motionger for Elementor | Missing Authorization vulnerability in merkulove Motionger for Elementor motionger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motionger for Elementor: from n/a through <= 2.0.4. | 2026-01-22 | not yet calculated | CVE-2025-66138 | https://patchstack.com/database/Wordpress/Plugin/motionger-elementor/vulnerability/wordpress-motionger-for-elementor-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Scroller | Missing Authorization vulnerability in merkulove Scroller scroller allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scroller: from n/a through <= 2.0.2. | 2026-01-22 | not yet calculated | CVE-2025-66141 | https://patchstack.com/database/Wordpress/Plugin/scroller/vulnerability/wordpress-scroller-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Searcher for Elementor | Missing Authorization vulnerability in merkulove Searcher for Elementor searcher-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Searcher for Elementor: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-66137 | https://patchstack.com/database/Wordpress/Plugin/searcher-elementor/vulnerability/wordpress-searcher-for-elementor-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Uper for Elementor | Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uper for Elementor: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-66140 | https://patchstack.com/database/Wordpress/Plugin/uper-elementor/vulnerability/wordpress-uper-for-elementor-plugin-1-0-5-broken-access-control-vulnerability?_s_id=cve |
| Merv Barrett--Easy Property Listings | Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Property Listings: from n/a through <= 3.5.17. | 2026-01-22 | not yet calculated | CVE-2025-68072 | https://patchstack.com/database/Wordpress/Plugin/easy-property-listings/vulnerability/wordpress-easy-property-listings-plugin-3-5-16-broken-access-control-vulnerability?_s_id=cve |
| Metagauss--EventPrime | Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.8.0. | 2026-01-22 | not yet calculated | CVE-2026-24380 | https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-8-0-broken-access-control-vulnerability?_s_id=cve |
| Metagauss--RegistrationMagic | Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Cross Site Request Forgery. This issue affects RegistrationMagic: from n/a through <= 6.0.6.9. | 2026-01-22 | not yet calculated | CVE-2026-24374 | https://patchstack.com/database/Wordpress/Plugin/custom-registration-form-builder-with-submission-manager/vulnerability/wordpress-registrationmagic-plugin-6-0-6-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Micro.company--Form to Chat App | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Micro.company Form to Chat App form-to-chat allows Stored XSS. This issue affects Form to Chat App: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2026-22463 | https://patchstack.com/database/Wordpress/Plugin/form-to-chat/vulnerability/wordpress-form-to-chat-app-plugin-1-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Mikado-Themes--Biagiotti | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion. This issue affects Biagiotti: from n/a through < 3.5.2. | 2026-01-22 | not yet calculated | CVE-2025-67938 | https://patchstack.com/database/Wordpress/Theme/biagiotti/vulnerability/wordpress-biagiotti-theme-3-5-2-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Cocco | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cocco: from n/a through <= 1.5.1. | 2026-01-22 | not yet calculated | CVE-2026-22391 | https://patchstack.com/database/Wordpress/Theme/cocco/vulnerability/wordpress-cocco-theme-1-5-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Curly | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Curly curly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Curly: from n/a through <= 3.3. | 2026-01-22 | not yet calculated | CVE-2026-22393 | https://patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Depot | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion. This issue affects Depot: from n/a through <= 1.16. | 2026-01-22 | not yet calculated | CVE-2025-54003 | https://patchstack.com/database/Wordpress/Theme/depot/vulnerability/wordpress-depot-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Dolcino | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Dolcino dolcino allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dolcino: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2026-22411 | https://patchstack.com/database/Wordpress/Theme/dolcino/vulnerability/wordpress-dolcino-theme-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Fiorello | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fiorello fiorello allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fiorello: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2026-22396 | https://patchstack.com/database/Wordpress/Theme/fiorello/vulnerability/wordpress-fiorello-theme-1-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Fleur | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fleur: from n/a through <= 2.0. | 2026-01-22 | not yet calculated | CVE-2026-22398 | https://patchstack.com/database/Wordpress/Theme/fleur/vulnerability/wordpress-fleur-theme-2-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Holmes | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Holmes holmes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Holmes: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2026-22400 | https://patchstack.com/database/Wordpress/Theme/holmes/vulnerability/wordpress-holmes-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Innovio | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Innovio: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2026-22404 | https://patchstack.com/database/Wordpress/Theme/innovio/vulnerability/wordpress-innovio-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Justicia | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Justicia: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2026-22409 | https://patchstack.com/database/Wordpress/Theme/justicia/vulnerability/wordpress-justicia-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Overton | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Overton: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22406 | https://patchstack.com/database/Wordpress/Theme/overton/vulnerability/wordpress-overton-theme-1-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--PawFriends - Pet Shop and Veterinary WordPress Theme | Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery. This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22382 | https://patchstack.com/database/Wordpress/Theme/pawfriends/vulnerability/wordpress-pawfriends-pet-shop-and-veterinary-wordpress-theme-theme-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Mikado-Themes--Powerlift | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Powerlift powerlift allows PHP Local File Inclusion. This issue affects Powerlift: from n/a through < 3.2.1. | 2026-01-22 | not yet calculated | CVE-2025-67940 | https://patchstack.com/database/Wordpress/Theme/powerlift/vulnerability/wordpress-powerlift-theme-3-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Roam | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Roam: from n/a through <= 2.1.1. | 2026-01-22 | not yet calculated | CVE-2026-22407 | https://patchstack.com/database/Wordpress/Theme/roam/vulnerability/wordpress-roam-theme-2-1-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Rosebud | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Rosebud rosebud allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rosebud: from n/a through <= 1.4. | 2026-01-23 | not yet calculated | CVE-2026-24631 | https://patchstack.com/database/Wordpress/Theme/rosebud/vulnerability/wordpress-rosebud-theme-1-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Verdure | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Verdure verdure allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Verdure: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2026-22430 | https://patchstack.com/database/Wordpress/Theme/verdure/vulnerability/wordpress-verdure-theme-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Wanderland | Missing Authorization vulnerability in Mikado-Themes Wanderland wanderland allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wanderland: from n/a through <= 1.5. | 2026-01-22 | not yet calculated | CVE-2026-22458 | https://patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-theme-1-5-broken-access-control-vulnerability?_s_id=cve |
| Milner--ImageDirector Capture | The use of a hard-coded encryption key in calls to the Password function in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows a local attacker to decrypt database credentials by reading the cryptographic key from the executable. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58740 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Insufficiently Protected Credentials vulnerability in the Credential Field of Milner ImageDirector Capture allows retrieval of credential material and enables database access. This issue affects ImageDirector Capture: from 7.0.9 through 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58741 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Insufficiently Protected Credentials, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary in the Middle (AiTM) by modifying the 'Server' field to redirect client authentication. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58742 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Use of a Broken or Risky Cryptographic Algorithm (DES) vulnerability in the Password class in C2SConnections.dll in Milner ImageDirector Capture on Windows allows Encryption Brute Forcing to obtain database credentials. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58743 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58744 | https://sra.io/advisories |
| miniserve--miniserve | A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume). | 2026-01-23 | not yet calculated | CVE-2025-67124 | https://github.com/svenstaro/miniserve https://gist.github.com/thesmartshadow/55688f87f8b985eb530e07d00ef8c63f |
| mkscripts--Download After Email | Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download After Email: from n/a through <= 2.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24541 | https://patchstack.com/database/Wordpress/Plugin/download-after-email/vulnerability/wordpress-download-after-email-plugin-2-1-9-broken-access-control-vulnerability?_s_id=cve |
| mndpsingh287--WP Mail | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2025-68008 | https://patchstack.com/database/Wordpress/Plugin/wp-mail/vulnerability/wordpress-wp-mail-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| monetagwp--Monetag Official Plugin | Missing Authorization vulnerability in monetagwp Monetag Official Plugin monetag-official allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Monetag Official Plugin: from n/a through <= 1.1.3. | 2026-01-23 | not yet calculated | CVE-2026-24551 | https://patchstack.com/database/Wordpress/Plugin/monetag-official/vulnerability/wordpress-monetag-official-plugin-plugin-1-1-3-broken-access-control-vulnerability-2?_s_id=cve |
| mwtemplates--DeepDigital | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection. This issue affects DeepDigital: from n/a through <= 1.0.2. | 2026-01-22 | not yet calculated | CVE-2026-22469 | https://patchstack.com/database/Wordpress/Theme/deepdigital/vulnerability/wordpress-deepdigital-theme-1-0-2-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| MyThemeShop--WP Subscribe | Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Subscribe: from n/a through <= 1.2.16. | 2026-01-23 | not yet calculated | CVE-2026-24522 | https://patchstack.com/database/Wordpress/Plugin/wp-subscribe/vulnerability/wordpress-wp-subscribe-plugin-1-2-16-broken-access-control-vulnerability?_s_id=cve |
| Nelio Software--Nelio AB Testing | Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection. This issue affects Nelio AB Testing: from n/a through <= 8.1.8. | 2026-01-22 | not yet calculated | CVE-2025-67944 | https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-1-8-arbitrary-code-execution-vulnerability?_s_id=cve |
| Nelio Software--Nelio Content | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection. This issue affects Nelio Content: from n/a through <= 4.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24572 | https://patchstack.com/database/Wordpress/Plugin/nelio-content/vulnerability/wordpress-nelio-content-plugin-4-1-0-sql-injection-vulnerability?_s_id=cve |
| neo4j--Enterprise Edition | Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property. We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issues is fixed. | 2026-01-22 | not yet calculated | CVE-2025-12738 | https://neo4j.com/security/CVE-2025-12738 |
| nerves-hub--nerves_hub_web | NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens. Tokens included user-identifiable components and were not cryptographically secure, making them susceptible to guessing or enumeration. The vulnerability could have allowed unauthorized access to user accounts or API actions protected by these tokens. A fix is available in version 2.3.0 of NervesHub. This version introduces strong, cryptographically-random tokens using `:crypto.strong_rand_bytes/1`, hashing of tokens before database storage to prevent misuse even if the database is compromised, and context-aware token storage to distinguish between session and API tokens. There are no practical workarounds for this issue other than upgrading. In sensitive environments, as a temporary mitigation, firewalling access to the NervesHub server can help limit exposure until an upgrade is possible. | 2026-01-22 | not yet calculated | CVE-2025-64097 | https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-m9vj-776q-vc8m https://github.com/nerves-hub/nerves_hub_web/pull/2024 https://github.com/nerves-hub/nerves_hub_web/releases/tag/v2.3.0 |
| netgsm--Netgsm | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in netgsm Netgsm netgsm allows Reflected XSS. This issue affects Netgsm: from n/a through <= 2.9.63. | 2026-01-22 | not yet calculated | CVE-2025-68010 | https://patchstack.com/database/Wordpress/Plugin/netgsm/vulnerability/wordpress-netgsm-plugin-2-9-62-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| NewPlane--open5GS | Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset | 2026-01-20 | not yet calculated | CVE-2026-0622 | https://github.com/open5gs/open5gs/issues/2264 https://github.com/open5gs/open5gs/issues/856 https://github.com/open5gs/open5gs/pull/857 |
| Ninetheme--Anarkali | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ninetheme Anarkali anarkali allows PHP Local File Inclusion. This issue affects Anarkali: from n/a through <= 1.0.9. | 2026-01-22 | not yet calculated | CVE-2025-47474 | https://patchstack.com/database/Wordpress/Theme/anarkali/vulnerability/wordpress-anarkali-theme-1-0-9-local-file-inclusion-vulnerability?_s_id=cve |
| Ninetheme--Electron | Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Electron: from n/a through <= 1.8.2. | 2026-01-22 | not yet calculated | CVE-2025-5805 | https://patchstack.com/database/Wordpress/Theme/electron/vulnerability/wordpress-electron-theme-1-8-2-broken-access-control-vulnerability?_s_id=cve |
| Ninja Team--GDPR CCPA Compliance Support | Missing Authorization vulnerability in Ninja Team GDPR CCPA Compliance Support ninja-gdpr-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GDPR CCPA Compliance Support: from n/a through <= 2.7.4. | 2026-01-22 | not yet calculated | CVE-2025-68073 | https://patchstack.com/database/Wordpress/Plugin/ninja-gdpr-compliance/vulnerability/wordpress-gdpr-ccpa-compliance-support-plugin-2-7-4-broken-access-control-vulnerability?_s_id=cve |
| NixOS--nixpkgs | Tandoor Recipes is a recipe manager than can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT` causing it to be accessible without authentication through HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a sub folder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn't fix this vulnerability without user intervention. A recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`. | 2026-01-19 | not yet calculated | CVE-2026-23838 | https://github.com/NixOS/nixpkgs/security/advisories/GHSA-g8w3-p77x-mmxh https://github.com/NixOS/nixpkgs/issues/338339 https://github.com/NixOS/nixpkgs/pull/427845 https://github.com/NixOS/nixpkgs/pull/481140 |
| noCreativity--Dooodl | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noCreativity Dooodl dooodl allows Reflected XSS. This issue affects Dooodl: from n/a through <= 2.3.0. | 2026-01-22 | not yet calculated | CVE-2025-68871 | https://patchstack.com/database/Wordpress/Plugin/dooodl/vulnerability/wordpress-dooodl-plugin-2-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| nodejs--node | A flaw in Node.js's Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | 2026-01-20 | not yet calculated | CVE-2025-55130 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. | 2026-01-20 | not yet calculated | CVE-2025-55131 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | 2026-01-20 | not yet calculated | CVE-2025-55132 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A memory leak in Node.js's OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service. | 2026-01-20 | not yet calculated | CVE-2025-59464 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` | 2026-01-20 | not yet calculated | CVE-2025-59465 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. | 2026-01-20 | not yet calculated | CVE-2025-59466 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase. | 2026-01-20 | not yet calculated | CVE-2026-21636 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped. | 2026-01-20 | not yet calculated | CVE-2026-21637 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| npm--cli | npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430. | 2026-01-23 | not yet calculated | CVE-2026-0775 | ZDI-26-043 |
| NSquared--Simply Schedule Appointments | Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15. | 2026-01-22 | not yet calculated | CVE-2025-69315 | https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-15-broken-access-control-vulnerability?_s_id=cve |
| Ollama MCP Server--Ollama MCP Server | Ollama MCP Server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ollama MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27683. | 2026-01-23 | not yet calculated | CVE-2025-15063 | ZDI-26-020 |
| ollama--ollama | An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder | 2026-01-21 | not yet calculated | CVE-2025-66959 | https://github.com/ollama/ollama/issues/9820 https://zero.shotlearni.ng/blog/cve-2025-66959panic-dos-via-unchecked-length-in-gguf-decoder-copy/ |
| ollama-ollama | An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata | 2026-01-21 | not yet calculated | CVE-2025-66960 | https://github.com/ollama/ollama/issues/9820 https://zero.shotlearni.ng/blog/cve-2025-66960guf-v1-string-length-cause-panic-in-readggufv1string/ |
| OmniApp--OmniApp | An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource. | 2026-01-23 | not yet calculated | CVE-2025-69908 | https://newgensoft.com/ https://github.com/CBx216/CVE-Newgen-Software-Advisories/blob/main/CVE-2025-69908.md |
| OmniDocs--OmniDocs | An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration information, including cabinet names and database-related metadata. This allows unauthorized enumeration of backend deployment details and may facilitate further targeted attacks. | 2026-01-23 | not yet calculated | CVE-2025-69907 | https://newgensoft.com/ https://github.com/CBx216/CVE-Newgen-Software-Advisories/blob/main/CVE-2025-69907.md |
| omnipressteam--Omnipress | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion. This issue affects Omnipress: from n/a through <= 1.6.6. | 2026-01-23 | not yet calculated | CVE-2026-24538 | https://patchstack.com/database/Wordpress/Plugin/omnipress/vulnerability/wordpress-omnipress-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve |
| Onepay Sri Lanka--onepay Payment Gateway For WooCommerce | Missing Authorization vulnerability in Onepay Sri Lanka onepay Payment Gateway For WooCommerce onepay-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects onepay Payment Gateway For WooCommerce: from n/a through <= 1.1.2. | 2026-01-22 | not yet calculated | CVE-2025-68016 | https://patchstack.com/database/Wordpress/Plugin/onepay-payment-gateway-for-woocommerce/vulnerability/wordpress-onepay-payment-gateway-for-woocommerce-plugin-1-1-2-other-vulnerability-type-vulnerability?_s_id=cve |
| Open WebUI--Open WebUI | Open WebUI PIP install_frontmatter_requirements Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the install_frontmatter_requirements function.The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28258. | 2026-01-23 | not yet calculated | CVE-2026-0765 | ZDI-26-031 |
| Open WebUI--Open WebUI | Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the load_tool_module_by_id function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28257. | 2026-01-23 | not yet calculated | CVE-2026-0766 | ZDI-26-032 |
| Open WebUI--Open WebUI | Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-28259. | 2026-01-23 | not yet calculated | CVE-2026-0767 | ZDI-26-033 |
| OpenSolution--Quick.Cart | Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-01-22 | not yet calculated | CVE-2025-67683 | https://cert.pl/posts/2026/01/CVE-2025-67683 https://opensolution.org/sklep-internetowy-quick-cart.html |
| OpenSolution--Quick.Cart | Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-01-22 | not yet calculated | CVE-2025-67684 | https://cert.pl/posts/2026/01/CVE-2025-67683 https://opensolution.org/sklep-internetowy-quick-cart.html |
| orjson--orjson | The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents. | 2026-01-22 | not yet calculated | CVE-2025-67221 | https://github.com/kpatsakis/orjson_vulnerability https://github.com/ijl/orjson |
| orval-labs--orval | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue. | 2026-01-20 | not yet calculated | CVE-2026-23947 | https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv https://github.com/orval-labs/orval/releases/tag/v8.0.2 |
| orval-labs--orval | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3. | 2026-01-22 | not yet calculated | CVE-2026-24132 | https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626 https://github.com/orval-labs/orval/pull/2828 https://github.com/orval-labs/orval/pull/2829 https://github.com/orval-labs/orval/pull/2830 https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5 https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06 https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62 https://github.com/orval-labs/orval/releases/tag/v7.20.0 https://github.com/orval-labs/orval/releases/tag/v8.0.3 |
| ovatheme--Athens | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion. This issue affects Athens: from n/a through <= 1.1.6. | 2026-01-22 | not yet calculated | CVE-2025-49994 | https://patchstack.com/database/Wordpress/Theme/athens/vulnerability/wordpress-athens-theme-1-1-6-local-file-inclusion-vulnerability?_s_id=cve |
| ovatheme--Movie Booking | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ovatheme Movie Booking movie-booking allows Path Traversal. This issue affects Movie Booking: from n/a through <= 1.1.5. | 2026-01-22 | not yet calculated | CVE-2025-67963 | https://patchstack.com/database/Wordpress/Plugin/movie-booking/vulnerability/wordpress-movie-booking-plugin-1-1-5-arbitrary-file-deletion-vulnerability?_s_id=cve |
| owntone--owntone | A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. | 2026-01-20 | not yet calculated | CVE-2025-63647 | https://github.com/archersec/poc/tree/master/owntone-server https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| Paolo--GeoDirectory | Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery. This issue affects GeoDirectory: from n/a through <= 2.8.147. | 2026-01-23 | not yet calculated | CVE-2026-24549 | https://patchstack.com/database/Wordpress/Plugin/geodirectory/vulnerability/wordpress-geodirectory-plugin-2-8-147-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Passionate Brains--Add Expires Headers & Optimized Minify | Missing Authorization vulnerability in Passionate Brains Add Expires Headers & Optimized Minify add-expires-headers allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Expires Headers & Optimized Minify: from n/a through <= 3.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24633 | https://patchstack.com/database/Wordpress/Plugin/add-expires-headers/vulnerability/wordpress-add-expires-headers-optimized-minify-plugin-3-1-0-broken-access-control-vulnerability?_s_id=cve |
| pavothemes--Freshio | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Freshio freshio allows PHP Local File Inclusion. This issue affects Freshio: from n/a through <= 2.4.2. | 2026-01-22 | not yet calculated | CVE-2026-22401 | https://patchstack.com/database/Wordpress/Theme/freshio/vulnerability/wordpress-freshio-theme-2-4-2-local-file-inclusion-vulnerability?_s_id=cve |
| pavothemes--Triply | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Triply triply allows PHP Local File Inclusion. This issue affects Triply: from n/a through <= 2.4.7. | 2026-01-22 | not yet calculated | CVE-2026-22402 | https://patchstack.com/database/Wordpress/Theme/triply/vulnerability/wordpress-triply-theme-2-4-7-local-file-inclusion-vulnerability?_s_id=cve |
| peachpayments--Peach Payments Gateway | Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Peach Payments Gateway: from n/a through <= 3.3.6. | 2026-01-22 | not yet calculated | CVE-2025-67942 | https://patchstack.com/database/Wordpress/Plugin/wc-peach-payments-gateway/vulnerability/wordpress-peach-payments-gateway-plugin-3-3-6-broken-access-control-vulnerability?_s_id=cve |
| PenciDesign--Penci Pay Writer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Pay Writer penci-pay-writer allows Stored XSS. This issue affects Penci Pay Writer: from n/a through <= 1.5. | 2026-01-23 | not yet calculated | CVE-2026-24601 | https://patchstack.com/database/Wordpress/Plugin/penci-pay-writer/vulnerability/wordpress-penci-pay-writer-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign--Penci Review | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Review penci-review allows Stored XSS. This issue affects Penci Review: from n/a through <= 3.5. | 2026-01-23 | not yet calculated | CVE-2026-24600 | https://patchstack.com/database/Wordpress/Plugin/penci-review/vulnerability/wordpress-penci-review-plugin-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign--Penci Shortcodes & Performance | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Shortcodes & Performance penci-shortcodes allows DOM-Based XSS. This issue affects Penci Shortcodes & Performance: from n/a through <= 6.1. | 2026-01-22 | not yet calculated | CVE-2026-24354 | https://patchstack.com/database/Wordpress/Plugin/penci-shortcodes/vulnerability/wordpress-penci-shortcodes-performance-plugin-6-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| pencilwp--X Addons for Elementor | Missing Authorization vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects X Addons for Elementor: from n/a through <= 1.0.23. | 2026-01-23 | not yet calculated | CVE-2026-24605 | https://patchstack.com/database/Wordpress/Plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-broken-access-control-vulnerability?_s_id=cve |
| PHPgurukul--PHPgurukul | PHPgurukul Online Course Registration v3.1 lacks Cross-Site Request Forgery (CSRF) protection on all administrative forms. An attacker can perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. | 2026-01-22 | not yet calculated | CVE-2025-70899 | https://phpgurukul.com/online-course-registration-free-download/ https://github.com/mathavamoorthi/CVE-2025-70899/blob/main/Missing_CSRF_protection_poc.md |
| Pithikos--Pithikos | An input validation issue in in Pithikos websocket-server v.0.6.4 allows a remote attacker to obtain sensitive information or cause unexpected server behavior via the websocket_server/websocket_server.py, WebSocketServer._message_received components. | 2026-01-20 | not yet calculated | CVE-2025-66902 | https://github.com/cyberinvest211/websocket-server-vuln-poc/tree/main |
| pixelgrade--Nova Blocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixelgrade Nova Blocks nova-blocks allows DOM-Based XSS. This issue affects Nova Blocks: from n/a through <= 2.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24528 | https://patchstack.com/database/Wordpress/Plugin/nova-blocks/vulnerability/wordpress-nova-blocks-plugin-2-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PluginOps--Landing Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PluginOps Landing Page Builder page-builder-add allows Stored XSS. This issue affects Landing Page Builder: from n/a through <= 1.5.3.3. | 2026-01-23 | not yet calculated | CVE-2026-24620 | https://patchstack.com/database/Wordpress/Plugin/page-builder-add/vulnerability/wordpress-landing-page-builder-plugin-1-5-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| pondol--Pondol BBS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS. This issue affects Pondol BBS: from n/a through <= 1.1.8.4. | 2026-01-22 | not yet calculated | CVE-2025-49336 | https://patchstack.com/database/Wordpress/Plugin/pondol-bbs/vulnerability/wordpress-pondol-bbs-plugin-1-1-8-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PopCash--PopCash.Net Code Integration Tool | Missing Authorization vulnerability in PopCash PopCash.Net Code Integration Tool popcashnet-code-integration-tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PopCash.Net Code Integration Tool: from n/a through <= 1.8. | 2026-01-23 | not yet calculated | CVE-2026-24619 | https://patchstack.com/database/Wordpress/Plugin/popcashnet-code-integration-tool/vulnerability/wordpress-popcash-net-code-integration-tool-plugin-1-8-broken-access-control-vulnerability?_s_id=cve |
| POSIMYTH--Nexter Blocks | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data. This issue affects Nexter Blocks: from n/a through <= 4.6.3. | 2026-01-22 | not yet calculated | CVE-2026-24377 | https://patchstack.com/database/Wordpress/Plugin/the-plus-addons-for-block-editor/vulnerability/wordpress-nexter-blocks-plugin-4-6-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Poultry Farm Management System--Poultry Farm Management System | Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows: 'companyaddress', 'companyemail', 'companyname', 'country', 'mobilenumber' y 'regno' parameters in '/farm/farmprofile.php'. | 2026-01-20 | not yet calculated | CVE-2025-41024 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-poultry-farm-management-system |
| Poultry Farm Management System--Poultry Farm Management System | Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows: 'category' y 'product' parameters in '/farm/sell_product.php'. | 2026-01-20 | not yet calculated | CVE-2025-41025 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-poultry-farm-management-system |
| Prince--Integrate Google Drive | Missing Authorization vulnerability in Prince Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through <= 1.5.5. | 2026-01-23 | not yet calculated | CVE-2026-24540 | https://patchstack.com/database/Wordpress/Plugin/integrate-google-drive/vulnerability/wordpress-integrate-google-drive-plugin-1-5-5-broken-access-control-vulnerability?_s_id=cve |
| Prince--Radio Player | Server-Side Request Forgery (SSRF) vulnerability in Prince Radio Player radio-player allows Server Side Request Forgery. This issue affects Radio Player: from n/a through <= 2.0.91. | 2026-01-23 | not yet calculated | CVE-2026-24548 | https://patchstack.com/database/Wordpress/Plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-91-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Proptech Plugin--Apimo Connector | Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apimo Connector: from n/a through <= 2.6.4. | 2026-01-22 | not yet calculated | CVE-2026-22445 | https://patchstack.com/database/Wordpress/Plugin/apimo/vulnerability/wordpress-apimo-connector-plugin-2-6-4-broken-access-control-vulnerability?_s_id=cve |
| pterodactyl--panel | Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle. However, in versions prior to 1.12.0, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time. As a result a server would be able to create more databases, allocations, or backups than configured. A malicious user is able to deny resources to other users on the system, and may be able to excessively consume the limited allocations for a node, or fill up backup space faster than is allowed by the system. Version 1.12.0 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2025-69198 | https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607 |
| pterodactyl--panel | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system memory and cpu. Additionally, there is not a limit applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over the socket, overloading the host network, and causing increased CPU and memory load within Wings. Version 1.12.0 patches the issue. | 2026-01-19 | not yet calculated | CVE-2025-69199 | https://github.com/pterodactyl/panel/security/advisories/GHSA-8w7m-w749-rx98 |
| pterodactyl--wings | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel it deletes the processed activity entries from the wings SQLite database. However, it does not consider the max parameter limit of SQLite, 32766 as of SQLite 3.32.0. If wings attempts to delete more than 32766 entries from the SQLite database in one query, it triggers an error (SQL logic error: too many SQL variables (1)) and does not remove any entries from the database. These entries are then indefinitely re-processed and resent to the panel each time the cron runs. By successfully exploiting this vulnerability, an attacker can trigger a situation where wings will keep uploading the same activity data to the panel repeatedly (growing each time to include new activity) until the panels' database server runs out of disk space. Version 1.12.0 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-21696 | https://github.com/pterodactyl/wings/security/advisories/GHSA-2497-gp99-2m74 https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/activity_cron.go#L81 https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/sftp_cron.go#L86 |
| purethemes--WorkScout | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS. This issue affects WorkScout: from n/a through <= 4.1.07. | 2026-01-22 | not yet calculated | CVE-2025-67959 | https://patchstack.com/database/Wordpress/Theme/workscout/vulnerability/wordpress-workscout-theme-4-1-07-cross-site-scripting-xss-vulnerability?_s_id=cve |
| purethemes--WorkScout-Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS. This issue affects WorkScout-Core: from n/a through <= 1.7.06. | 2026-01-22 | not yet calculated | CVE-2025-67960 | https://patchstack.com/database/Wordpress/Plugin/workscout-core/vulnerability/wordpress-workscout-core-plugin-1-7-06-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| PyPI--PiPI | An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. | 2026-01-20 | not yet calculated | CVE-2025-56005 | https://github.com/bohmiiidd/Undocumented-RCE-in-PLY |
| Python Software Foundation--CPython | When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. | 2026-01-20 | not yet calculated | CVE-2025-11468 | https://github.com/python/cpython/pull/143936 https://github.com/python/cpython/issues/143935 https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/ https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2 |
| Python Software Foundation--CPython | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | 2026-01-21 | not yet calculated | CVE-2025-12781 | https://github.com/python/cpython/pull/141128 https://github.com/python/cpython/issues/125346 https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/ https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947 https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5 https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76 https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5 |
| Python Software Foundation--CPython | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. | 2026-01-20 | not yet calculated | CVE-2025-15282 | https://github.com/python/cpython/pull/143926 https://github.com/python/cpython/issues/143925 https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/ https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0 |
| Python Software Foundation--CPython | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | 2026-01-20 | not yet calculated | CVE-2025-15366 | https://github.com/python/cpython/issues/143921 https://github.com/python/cpython/pull/143922 https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/ https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45 |
| Python Software Foundation--CPython | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | 2026-01-20 | not yet calculated | CVE-2025-15367 | https://github.com/python/cpython/pull/143924 https://github.com/python/cpython/issues/143923 https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/ https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7 |
| Python Software Foundation--CPython | When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. | 2026-01-20 | not yet calculated | CVE-2026-0672 | https://github.com/python/cpython/pull/143920 https://github.com/python/cpython/issues/143919 https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/ https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70 https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440 |
| Python Software Foundation--CPython | User-controlled header names and values containing newlines can allow injecting HTTP headers. | 2026-01-20 | not yet calculated | CVE-2026-0865 | https://github.com/python/cpython/pull/143917 https://github.com/python/cpython/issues/143916 https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/ https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58 https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510 https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5 https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211 https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2 https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995 |
| Python Software Foundation--CPython | The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". | 2026-01-23 | not yet calculated | CVE-2026-1299 | https://github.com/python/cpython/pull/144126 https://github.com/python/cpython/issues/144125 https://cve.org/CVERecord?id=CVE-2024-6923 https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/ https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413 |
| Python--Protobuf | A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python's recursion stack and causing a RecursionError. | 2026-01-23 | not yet calculated | CVE-2026-0994 | https://github.com/protocolbuffers/protobuf/pull/25239 |
| QantumThemes--Kentha Elementor Widgets | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion. This issue affects Kentha Elementor Widgets: from n/a through < 3.1. | 2026-01-22 | not yet calculated | CVE-2026-24390 | https://patchstack.com/database/Wordpress/Plugin/kentha-elementor/vulnerability/wordpress-kentha-elementor-widgets-plugin-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| QantumThemes--KenthaRadio | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS. This issue affects KenthaRadio: from n/a through <= 2.2.0. | 2026-01-22 | not yet calculated | CVE-2025-69003 | https://patchstack.com/database/Wordpress/Theme/qt-kentharadio/vulnerability/wordpress-kentharadio-theme-2-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| QOS.CH Sarl--Logback-core | ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado. | 2026-01-22 | not yet calculated | CVE-2026-1225 | https://logback.qos.ch/news.html#1.5.25 |
| Raptive--Raptive Ads | Missing Authorization vulnerability in Raptive Raptive Ads adthrive-ads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Raptive Ads: from n/a through <= 3.10.0. | 2026-01-23 | not yet calculated | CVE-2026-24602 | https://patchstack.com/database/Wordpress/Plugin/adthrive-ads/vulnerability/wordpress-raptive-ads-plugin-3-10-0-broken-access-control-vulnerability?_s_id=cve |
| Rasedul Haque Rumi--BD Courier Order Ratio Checker | Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1. | 2026-01-22 | not yet calculated | CVE-2026-22481 | https://patchstack.com/database/Wordpress/Plugin/bd-courier-order-ratio-checker/vulnerability/wordpress-bd-courier-order-ratio-checker-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve |
| RealMag777--TableOn | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn posts-table-filterable allows Reflected XSS. This issue affects TableOn: from n/a through <= 1.0.4.2. | 2026-01-22 | not yet calculated | CVE-2025-69316 | https://patchstack.com/database/Wordpress/Plugin/posts-table-filterable/vulnerability/wordpress-tableon-plugin-1-0-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Remi Corson--Easy Theme Options | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Remi Corson Easy Theme Options easy-theme-options allows Reflected XSS. This issue affects Easy Theme Options: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2025-68839 | https://patchstack.com/database/Wordpress/Plugin/easy-theme-options/vulnerability/wordpress-easy-theme-options-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| renatoatshown--Shown Connector | Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shown Connector: from n/a through <= 1.2.10. | 2026-01-22 | not yet calculated | CVE-2025-68003 | https://patchstack.com/database/Wordpress/Plugin/shown-connector/vulnerability/wordpress-shown-connector-plugin-1-2-10-settings-change-vulnerability?_s_id=cve |
| Revive--Revive Adserver | HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error. | 2026-01-20 | not yet calculated | CVE-2026-21640 | https://hackerone.com/reports/3445332 |
| Revive--Revive Adserver | HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete.php` script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers owned by other accounts. | 2026-01-20 | not yet calculated | CVE-2026-21641 | https://hackerone.com/reports/3445710 |
| Revive--Revive Adserver | HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21642 | https://hackerone.com/reports/3470970 |
| Revive--Revive Adserver | HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the banner-acl.php script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21663 | https://hackerone.com/reports/3473696 |
| Revive--Revive Adserver | HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21664 | https://hackerone.com/reports/3468169 |
| richardevcom--Add Polylang support for Customizer | Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery. This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5. | 2026-01-22 | not yet calculated | CVE-2026-22462 | https://patchstack.com/database/Wordpress/Plugin/add-polylang-support-for-customizer/vulnerability/wordpress-add-polylang-support-for-customizer-plugin-1-4-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Riftzilla--QRGen | Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attavker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-01-20 | not yet calculated | CVE-2025-40644 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-qrgens-riftzilla |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible. | 2026-01-20 | not yet calculated | CVE-2025-9278 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9279 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. Fuzzing performed using Defensics causes the device to become unresponsive, requiring a reboot. | 2026-01-20 | not yet calculated | CVE-2025-9280 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive step limit storm tests, the device reboots | 2026-01-20 | not yet calculated | CVE-2025-9281 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9282 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9283 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive. | 2026-01-20 | not yet calculated | CVE-2025-9464 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9465 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9466 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--CompactLogix 5370 | A denial-of-service security issue in the affected product. The security issue occurs when a malformed CIP forward open message is sent. This could result in a major nonrecoverable fault a restart is required to recover. | 2026-01-20 | not yet calculated | CVE-2025-11743 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1770.html |
| Rockwell Automation--ControlLogix Redundancy Enhanced Module | Multiple denial-of-service vulnerabilities exist in the affected product. These issues can be triggered through various crafted inputs, including malformed Class 3 messages, memory leak conditions, and other resource exhaustion scenarios. Exploitation may cause the device to become unresponsive and, in some cases, result in a major nonrecoverable fault. Recovery may require a restart. | 2026-01-20 | not yet calculated | CVE-2025-14027 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1769.html |
| Rockwell Automation--Verve Asset Manager | A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024. | 2026-01-20 | not yet calculated | CVE-2025-14376 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html |
| Rockwell Automation--Verve Asset Manager | A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024. | 2026-01-20 | not yet calculated | CVE-2025-14377 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html |
| Roxnor--GetGenie | Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GetGenie: from n/a through <= 4.3.0. | 2026-01-22 | not yet calculated | CVE-2026-24356 | https://patchstack.com/database/Wordpress/Plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-3-0-broken-access-control-vulnerability?_s_id=cve |
| Ruijie Networks Co., Ltd.--AP180(JA) V1.xx | AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices. | 2026-01-22 | not yet calculated | CVE-2026-23699 | https://www.ruijie.co.jp/products/rg-ap180-pe_p432111650928590848.html#productDocument https://jvn.jp/en/jp/JVN86850670/ |
| RuoYi--RuoYi | Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope. | 2026-01-23 | not yet calculated | CVE-2025-70985 | https://github.com/yangzongzhuan/RuoYi https://gitee.com/y_project/RuoYi https://gitee.com/y_project/RuoYi/issues/IDIDK2 https://gist.github.com/old6ma/1a2dada02656ba9a4730c85f6c765f4f |
| RuoYi--RuoYi | Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data. | 2026-01-23 | not yet calculated | CVE-2025-70986 | https://github.com/yangzongzhuan/RuoYi https://gitee.com/y_project/RuoYi https://gitee.com/y_project/RuoYi/issues/IDIDME https://gist.github.com/old6ma/779320a98f361c299ca024521cb72db6 |
| Rustaurius--Ultimate Reviews | Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Reviews: from n/a through <= 3.2.16. | 2026-01-23 | not yet calculated | CVE-2026-24634 | https://patchstack.com/database/Wordpress/Plugin/ultimate-reviews/vulnerability/wordpress-ultimate-reviews-plugin-3-2-16-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Ryviu--Ryviu – Product Reviews for WooCommerce | Missing Authorization vulnerability in Ryviu Ryviu – Product Reviews for WooCommerce ryviu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ryviu – Product Reviews for WooCommerce: from n/a through <= 3.1.26. | 2026-01-23 | not yet calculated | CVE-2026-24562 | https://patchstack.com/database/Wordpress/Plugin/ryviu/vulnerability/wordpress-ryviu-product-reviews-for-woocommerce-plugin-3-1-26-broken-access-control-vulnerability?_s_id=cve |
| Saad Iqbal--AppExperts | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal AppExperts appexperts allows SQL Injection. This issue affects AppExperts: from n/a through <= 1.4.5. | 2026-01-22 | not yet calculated | CVE-2025-68881 | https://patchstack.com/database/Wordpress/Plugin/appexperts/vulnerability/wordpress-appexperts-plugin-1-4-5-sql-injection-vulnerability?_s_id=cve |
| saeros1984--Neoforum | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in saeros1984 Neoforum neoforum allows Reflected XSS. This issue affects Neoforum: from n/a through <= 1.0. | 2026-01-23 | not yet calculated | CVE-2026-24623 | https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| saeros1984--Neoforum | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection. This issue affects Neoforum: from n/a through <= 1.0. | 2026-01-23 | not yet calculated | CVE-2026-24624 | https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-sql-injection-vulnerability?_s_id=cve |
| saleor--saleor | Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner. | 2026-01-21 | not yet calculated | CVE-2026-22849 | https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386 https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335 https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d https://docs.saleor.io/security/#editorjs--html-cleaning |
| saleor--saleor | Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`. | 2026-01-21 | not yet calculated | CVE-2026-23499 | https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95 https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99 https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10 https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335 https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24 https://docs.saleor.io/security/#restricted-file-uploads |
| saleor--saleor | Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF. | 2026-01-23 | not yet calculated | CVE-2026-24136 | https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153 https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944 |
| Salesforce--Marketing Cloud Engagement | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22582 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce--Marketing Cloud Engagement | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22583 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce--Marketing Cloud Engagement | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22585 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce--Marketing Cloud Engagement | Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22586 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Scalenut--Scalenut | Missing Authorization vulnerability in Scalenut Scalenut scalenut allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scalenut: from n/a through <= 1.1.3. | 2026-01-22 | not yet calculated | CVE-2025-68882 | https://patchstack.com/database/Wordpress/Plugin/scalenut/vulnerability/wordpress-scalenut-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve |
| scriptsbundle--AdForest | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scriptsbundle AdForest adforest allows PHP Local File Inclusion. This issue affects AdForest: from n/a through <= 6.0.11. | 2026-01-22 | not yet calculated | CVE-2025-67946 | https://patchstack.com/database/Wordpress/Theme/adforest/vulnerability/wordpress-adforest-theme-6-0-11-local-file-inclusion-vulnerability?_s_id=cve |
| scriptsbundle--AdForest Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle AdForest Elementor adforest-elementor allows Reflected XSS. This issue affects AdForest Elementor: from n/a through <= 3.0.11. | 2026-01-22 | not yet calculated | CVE-2025-67947 | https://patchstack.com/database/Wordpress/Plugin/adforest-elementor/vulnerability/wordpress-adforest-elementor-plugin-3-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve |
| scriptsbundle--CarSpot | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6. | 2026-01-22 | not yet calculated | CVE-2025-69317 | https://patchstack.com/database/Wordpress/Theme/carspot/vulnerability/wordpress-carspot-theme-2-4-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SeaTheme--BM Content Builder | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder bm-builder allows Path Traversal. This issue affects BM Content Builder: from n/a through <= 3.16.3. | 2026-01-22 | not yet calculated | CVE-2025-69055 | https://patchstack.com/database/Wordpress/Plugin/bm-builder/vulnerability/wordpress-bm-content-builder-plugin-3-16-3-arbitrary-file-download-vulnerability?_s_id=cve |
| Select-Themes--Don Peppe | Missing Authorization vulnerability in Select-Themes Don Peppe donpeppe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Don Peppe: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22450 | https://patchstack.com/database/Wordpress/Theme/donpeppe/vulnerability/wordpress-don-peppe-theme-1-3-broken-access-control-vulnerability?_s_id=cve |
| Select-Themes--Prowess | Missing Authorization vulnerability in Select-Themes Prowess prowess allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Prowess: from n/a through <= 1.8.1. | 2026-01-22 | not yet calculated | CVE-2026-22447 | https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-1-8-1-broken-access-control-vulnerability?_s_id=cve |
| Select-Themes--Prowess | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Prowess prowess allows PHP Local File Inclusion. This issue affects Prowess: from n/a through <= 2.3. | 2026-01-23 | not yet calculated | CVE-2026-24531 | https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-2-3-local-file-inclusion-vulnerability?_s_id=cve |
| SEOSEON EUROPE S.L--Affiliate Link Tracker | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SEOSEON EUROPE S.L Affiliate Link Tracker affiliate-link-tracker allows Stored XSS. This issue affects Affiliate Link Tracker: from n/a through <= 0.2. | 2026-01-22 | not yet calculated | CVE-2025-62077 | https://patchstack.com/database/Wordpress/Plugin/affiliate-link-tracker/vulnerability/wordpress-affiliate-link-tracker-plugin-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Sergiy Dzysyak--Suggestion Toolkit | Missing Authorization vulnerability in Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Suggestion Toolkit: from n/a through <= 5.0. | 2026-01-23 | not yet calculated | CVE-2026-24622 | https://patchstack.com/database/Wordpress/Plugin/suggestion-toolkit/vulnerability/wordpress-suggestion-toolkit-plugin-5-0-broken-access-control-vulnerability?_s_id=cve |
| SESAME LABS, S.L--Sesame | Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request using the 'logo' parameter in '/api/v3/companies/<ID>/logo', which are then stored on the server and executed in the context of any user who accesses the compromised resource. | 2026-01-20 | not yet calculated | CVE-2025-41084 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-sesame-web-application |
| Shahjahan Jewel--FluentForm | Improper Control of Generation of Code ('Code Injection') vulnerability in Shahjahan Jewel FluentForm fluentform allows Code Injection. This issue affects FluentForm: from n/a through <= 6.1.11. | 2026-01-22 | not yet calculated | CVE-2025-69001 | https://patchstack.com/database/Wordpress/Plugin/fluentform/vulnerability/wordpress-fluentform-plugin-6-1-11-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| sheepfish--WebP Conversion | Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebP Conversion: from n/a through <= 2.1. | 2026-01-23 | not yet calculated | CVE-2026-24530 | https://patchstack.com/database/Wordpress/Plugin/webp-conversion/vulnerability/wordpress-webp-conversion-plugin-2-1-broken-access-control-vulnerability?_s_id=cve |
| shinetheme--Traveler | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.8. | 2026-01-22 | not yet calculated | CVE-2026-24367 | https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-8-sql-injection-vulnerability?_s_id=cve |
| shoutoutglobal--ShoutOut | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS. This issue affects ShoutOut: from n/a through <= 4.0.2. | 2026-01-22 | not yet calculated | CVE-2025-68894 | https://patchstack.com/database/Wordpress/Plugin/shoutout/vulnerability/wordpress-shoutout-plugin-4-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SiteLock--SiteLock Security | Missing Authorization vulnerability in SiteLock SiteLock Security sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security: from n/a through <= 5.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24532 | https://patchstack.com/database/Wordpress/Plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-2-broken-access-control-vulnerability?_s_id=cve |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.] | 2026-01-19 | not yet calculated | CVE-2026-23847 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w836-5gpm-7r93 https://github.com/siyuan-note/siyuan/issues/16844 https://github.com/siyuan-note/siyuan/commit/5c0cc375b47567e15edd2119066b09bb0aa18777 |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23850 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw https://github.com/siyuan-note/siyuan/issues/16860 https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035 https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886 |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue. | 2026-01-19 | not yet calculated | CVE-2026-23851 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-94c7-g2fj-7682 https://github.com/siyuan-note/siyuan/issues/16860 https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix. | 2026-01-19 | not yet calculated | CVE-2026-23852 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb |
| sizam--REHub Framework | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in sizam REHub Framework rehub-framework allows Retrieve Embedded Sensitive Data. This issue affects REHub Framework: from n/a through < 19.9.9.4. | 2026-01-22 | not yet calculated | CVE-2025-63051 | https://patchstack.com/database/Wordpress/Plugin/rehub-framework/vulnerability/wordpress-rehub-framework-plugin-19-9-9-sensitive-data-exposure-vulnerability?_s_id=cve |
| SmartDataSoft--Electrician - Electrical Service WordPress | Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Electrician - Electrical Service WordPress electrician allows Server Side Request Forgery. This issue affects Electrician - Electrical Service WordPress: from n/a through <= 5.6. | 2026-01-22 | not yet calculated | CVE-2026-22358 | https://patchstack.com/database/Wordpress/Theme/electrician/vulnerability/wordpress-electrician-electrical-service-wordpress-theme-5-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| SmartDataSoft--Pool Services | Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Pool Services pool-services allows Server Side Request Forgery. This issue affects Pool Services: from n/a through <= 3.3. | 2026-01-22 | not yet calculated | CVE-2025-62741 | https://patchstack.com/database/Wordpress/Theme/pool-services/vulnerability/wordpress-pool-services-theme-3-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| SmarterTools--SmarterMail | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host. | 2026-01-22 | not yet calculated | CVE-2026-23760 | https://www.smartertools.com/smartermail/release-notes/current https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/ https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail https://www.vulncheck.com/advisories/smartertools-smartermail-authentication-bypass-via-password-reset-api |
| SmarterTools--SmarterMail | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application. | 2026-01-23 | not yet calculated | CVE-2026-24423 | https://www.smartertools.com/smartermail/release-notes/current https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api |
| Softwebmedia--Gyan Elements | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Softwebmedia Gyan Elements gyan-elements allows PHP Local File Inclusion. This issue affects Gyan Elements: from n/a through <= 2.2.1. | 2026-01-22 | not yet calculated | CVE-2026-23978 | https://patchstack.com/database/Wordpress/Plugin/gyan-elements/vulnerability/wordpress-gyan-elements-plugin-2-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| solacewp--Solace | Missing Authorization vulnerability in solacewp Solace solace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Solace: from n/a through <= 2.1.16. | 2026-01-22 | not yet calculated | CVE-2025-68911 | https://patchstack.com/database/Wordpress/Theme/solace/vulnerability/wordpress-solace-theme-2-1-16-broken-access-control-vulnerability?_s_id=cve |
| Sourcecodester--Sourcecodester | A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise. | 2026-01-23 | not yet calculated | CVE-2025-70457 | https://www.sourcecodester.com/php/18572/modern-image-gallery-app-using-php-and-mysql-source-code.html https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-8xq6-hjhw-4983 |
| Sourcecodester--Sourcecodester | A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the unsafe innerHTML property to render domain search results. | 2026-01-23 | not yet calculated | CVE-2025-70458 | https://www.sourcecodester.com/php/18500/domain-availability-checker-using-php-and-javascript-source-code.html https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-chm7-vgf7-6f9p |
| SpringBlade--SpringBlade | Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges. | 2026-01-23 | not yet calculated | CVE-2025-70983 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/35 https://gist.github.com/old6ma/9c4d2ba32cd8f562cb80796538157912 |
| Steve Truman--Email Inquiry & Cart Options for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry & Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS. This issue affects Email Inquiry & Cart Options for WooCommerce: from n/a through <= 3.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24526 | https://patchstack.com/database/Wordpress/Plugin/woocommerce-email-inquiry-cart-options/vulnerability/wordpress-email-inquiry-cart-options-for-woocommerce-plugin-3-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| storeapps--Stock Manager for WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery. This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0. | 2026-01-22 | not yet calculated | CVE-2026-24365 | https://patchstack.com/database/Wordpress/Plugin/woocommerce-stock-manager/vulnerability/wordpress-stock-manager-for-woocommerce-plugin-3-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Strategy11 Team--AWP Classifieds | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Retrieve Embedded Sensitive Data. This issue affects AWP Classifieds: from n/a through <= 4.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24593 | https://patchstack.com/database/Wordpress/Plugin/another-wordpress-classifieds-plugin/vulnerability/wordpress-awp-classifieds-plugin-4-4-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| strongholdthemes--Dental Care CPT | Deserialization of Untrusted Data vulnerability in strongholdthemes Dental Care CPT dentalcare-cpt allows Object Injection. This issue affects Dental Care CPT: from n/a through <= 20.2. | 2026-01-22 | not yet calculated | CVE-2025-69035 | https://patchstack.com/database/Wordpress/Plugin/dentalcare-cpt/vulnerability/wordpress-dental-care-cpt-plugin-20-2-php-object-injection-vulnerability?_s_id=cve |
| strongholdthemes--Tech Life CPT | Deserialization of Untrusted Data vulnerability in strongholdthemes Tech Life CPT techlife-cpt allows Object Injection. This issue affects Tech Life CPT: from n/a through <= 16.4. | 2026-01-22 | not yet calculated | CVE-2025-69036 | https://patchstack.com/database/Wordpress/Plugin/techlife-cpt/vulnerability/wordpress-tech-life-cpt-plugin-16-4-php-object-injection-vulnerability?_s_id=cve |
| subhansanjaya--Carousel Horizontal Posts Content Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider allows DOM-Based XSS. This issue affects Carousel Horizontal Posts Content Slider: from n/a through <= 3.3.2. | 2026-01-22 | not yet calculated | CVE-2026-22347 | https://patchstack.com/database/Wordpress/Plugin/carousel-horizontal-posts-content-slider/vulnerability/wordpress-carousel-horizontal-posts-content-slider-plugin-3-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Sully--Media Library File Size | Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library File Size: from n/a through <= 1.6.7. | 2026-01-23 | not yet calculated | CVE-2026-24569 | https://patchstack.com/database/Wordpress/Plugin/media-library-file-size/vulnerability/wordpress-media-library-file-size-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve |
| sumup--SumUp Payment Gateway For WooCommerce | Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SumUp Payment Gateway For WooCommerce: from n/a through <= 2.7.9. | 2026-01-23 | not yet calculated | CVE-2026-24583 | https://patchstack.com/database/Wordpress/Plugin/sumup-payment-gateway-for-woocommerce/vulnerability/wordpress-sumup-payment-gateway-for-woocommerce-plugin-2-7-9-broken-access-control-vulnerability?_s_id=cve |
| swingmx--swingmusic | Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23877 | https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3 |
| Syed Balkhi--Sugar Calendar (Lite) | Missing Authorization vulnerability in Syed Balkhi Sugar Calendar (Lite) sugar-calendar-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sugar Calendar (Lite): from n/a through <= 3.10.1. | 2026-01-23 | not yet calculated | CVE-2026-24636 | https://patchstack.com/database/Wordpress/Plugin/sugar-calendar-lite/vulnerability/wordpress-sugar-calendar-lite-plugin-3-10-1-broken-access-control-vulnerability?_s_id=cve |
| tabbyai--Tabby Checkout | Insertion of Sensitive Information Into Sent Data vulnerability in tabbyai Tabby Checkout tabby-checkout allows Retrieve Embedded Sensitive Data. This issue affects Tabby Checkout: from n/a through <= 5.8.4. | 2026-01-22 | not yet calculated | CVE-2025-68035 | https://patchstack.com/database/Wordpress/Plugin/tabby-checkout/vulnerability/wordpress-tabby-checkout-plugin-5-8-4-sensitive-data-exposure-vulnerability?_s_id=cve |
| tagDiv--tagDiv Composer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS. This issue affects tagDiv Composer: from n/a through <= 5.4.2. | 2026-01-22 | not yet calculated | CVE-2025-50005 | https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TangibleWP--Listivo Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion. This issue affects Listivo Core: from n/a through <= 2.3.77. | 2026-01-22 | not yet calculated | CVE-2025-67957 | https://patchstack.com/database/Wordpress/Plugin/listivo-core/vulnerability/wordpress-listivo-core-plugin-2-3-77-local-file-inclusion-vulnerability?_s_id=cve |
| TangibleWP--MyHome Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion. This issue affects MyHome Core: from n/a through <= 4.1.0. | 2026-01-22 | not yet calculated | CVE-2025-67955 | https://patchstack.com/database/Wordpress/Plugin/myhome-core/vulnerability/wordpress-myhome-core-plugin-4-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Tasos Fel--Civic Cookie Control | Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Civic Cookie Control: from n/a through <= 1.53. | 2026-01-22 | not yet calculated | CVE-2026-22348 | https://patchstack.com/database/Wordpress/Plugin/civic-cookie-control-8/vulnerability/wordpress-civic-cookie-control-plugin-1-53-broken-access-control-vulnerability?_s_id=cve |
| Taxcloud--TaxCloud for WooCommerce | Missing Authorization vulnerability in Taxcloud TaxCloud for WooCommerce simple-sales-tax allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TaxCloud for WooCommerce: from n/a through <= 8.3.8. | 2026-01-22 | not yet calculated | CVE-2025-67958 | https://patchstack.com/database/Wordpress/Plugin/simple-sales-tax/vulnerability/wordpress-taxcloud-for-woocommerce-plugin-8-3-8-broken-access-control-vulnerability?_s_id=cve |
| temash--Barberry | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in temash Barberry barberry allows PHP Local File Inclusion. This issue affects Barberry: from n/a through <= 2.9.9.87. | 2026-01-22 | not yet calculated | CVE-2025-68908 | https://patchstack.com/database/Wordpress/Theme/barberry/vulnerability/wordpress-barberry-theme-2-9-9-87-local-file-inclusion-vulnerability?_s_id=cve |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the list parameter, which can cause memory corruption and enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69762 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef80718ff2c3869d32392d?pvs=74 https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef80718ff2c3869d32392d |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the vlanId parameter, which can cause memory corruption and enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69763 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef8025a3c6c4b102d95dd4?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef8025a3c6c4b102d95dd4 |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the stbpvid stack buffer, which may result in memory corruption and remote code execution. | 2026-01-22 | not yet calculated | CVE-2025-69764 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the citytag stack buffer, which may result in memory corruption and remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69766 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef8043a091e6722b8e255a?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef8043a091e6722b8e255a |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the time parameter of the sub_60CFC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70644 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/3/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetWifiMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70645 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/2/1.md |
| Tenda--Tenda | Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_72290 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70646 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/5/1.md |
| Tenda--Tenda | Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_727F4 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70648 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/6/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70650 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/1/1.md |
| Tenda--Tenda | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow in the ssid parameter of the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70651 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/4/1.md |
| The GNU C Library--glibc | Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. | 2026-01-20 | not yet calculated | CVE-2025-15281 | https://sourceware.org/bugzilla/show_bug.cgi?id=33814 |
| Theme-one--The Grid | Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0. | 2026-01-22 | not yet calculated | CVE-2026-24368 | https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Cream Magazine | Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cream Magazine: from n/a through <= 2.1.10. | 2026-01-23 | not yet calculated | CVE-2026-24615 | https://patchstack.com/database/Wordpress/Theme/cream-magazine/vulnerability/wordpress-cream-magazine-theme-2-1-10-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Orchid Store | Missing Authorization vulnerability in themebeez Orchid Store orchid-store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orchid Store: from n/a through <= 1.5.15. | 2026-01-23 | not yet calculated | CVE-2026-24612 | https://patchstack.com/database/Wordpress/Theme/orchid-store/vulnerability/wordpress-orchid-store-theme-1-5-15-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Simple GDPR Cookie Compliance | Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24604 | https://patchstack.com/database/Wordpress/Plugin/simple-gdpr-cookie-compliance/vulnerability/wordpress-simple-gdpr-cookie-compliance-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Universal Google Adsense and Ads manager | Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Universal Google Adsense and Ads manager: from n/a through <= 1.1.8. | 2026-01-23 | not yet calculated | CVE-2026-24603 | https://patchstack.com/database/Wordpress/Plugin/universal-google-adsense-and-ads-manager/vulnerability/wordpress-universal-google-adsense-and-ads-manager-plugin-1-1-8-broken-access-control-vulnerability?_s_id=cve |
| Themefic--Hydra Booking | Incorrect Privilege Assignment vulnerability in Themefic Hydra Booking hydra-booking allows Privilege Escalation. This issue affects Hydra Booking: from n/a through <= 1.1.32. | 2026-01-22 | not yet calculated | CVE-2025-68027 | https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-privilege-escalation-vulnerability?_s_id=cve |
| ThemeGoods--Craft | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6. | 2026-01-22 | not yet calculated | CVE-2025-68538 | https://patchstack.com/database/Wordpress/Theme/craftcoffee/vulnerability/wordpress-craft-coffee-shop-cafe-restaurant-wordpress-theme-2-3-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--DotLife | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods DotLife dotlife allows Reflected XSS. This issue affects DotLife: from n/a through < 4.9.5. | 2026-01-22 | not yet calculated | CVE-2025-68520 | https://patchstack.com/database/Wordpress/Theme/dotlife/vulnerability/wordpress-dotlife-theme-4-9-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Magazine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Magazine grandmagazine allows Reflected XSS. This issue affects Grand Magazine: from n/a through <= 3.5.7. | 2026-01-22 | not yet calculated | CVE-2025-69320 | https://patchstack.com/database/Wordpress/Theme/grandmagazine/vulnerability/wordpress-grand-magazine-theme-3-5-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Restaurant Theme Elements for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant Theme Elements for Elementor grandrestaurant-elementor allows Stored XSS. This issue affects Grand Restaurant Theme Elements for Elementor: from n/a through <= 2.1.1. | 2026-01-22 | not yet calculated | CVE-2025-63026 | https://patchstack.com/database/Wordpress/Plugin/grandrestaurant-elementor/vulnerability/wordpress-grand-restaurant-theme-elements-for-elementor-plugin-2-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Spa | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Spa grandspa allows Reflected XSS. This issue affects Grand Spa: from n/a through <= 3.5.5. | 2026-01-22 | not yet calculated | CVE-2025-69321 | https://patchstack.com/database/Wordpress/Theme/grandspa/vulnerability/wordpress-grand-spa-theme-3-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Tour | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS. This issue affects Grand Tour: from n/a through < 5.6.2. | 2026-01-22 | not yet calculated | CVE-2025-67952 | https://patchstack.com/database/Wordpress/Theme/grandtour/vulnerability/wordpress-grand-tour-theme-5-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Hoteller | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Hoteller hoteller allows Reflected XSS. This issue affects Hoteller: from n/a through < 6.8.9. | 2026-01-22 | not yet calculated | CVE-2025-68518 | https://patchstack.com/database/Wordpress/Theme/hoteller/vulnerability/wordpress-hoteller-theme-6-8-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Photography | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeGoods Photography photography allows PHP Local File Inclusion. This issue affects Photography: from n/a through < 7.7.5. | 2026-01-22 | not yet calculated | CVE-2025-68510 | https://patchstack.com/database/Wordpress/Theme/photography/vulnerability/wordpress-photography-theme-7-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeGoods--PhotoMe | Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods PhotoMe photome allows Server Side Request Forgery. This issue affects PhotoMe: from n/a through < 5.7.2. | 2026-01-22 | not yet calculated | CVE-2026-24381 | https://patchstack.com/database/Wordpress/Theme/photome/vulnerability/wordpress-photome-theme-5-7-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| ThemeHunk--Contact Form & Lead Form Elementor Builder | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Retrieve Embedded Sensitive Data. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1. | 2026-01-22 | not yet calculated | CVE-2025-68046 | https://patchstack.com/database/Wordpress/Plugin/lead-form-builder/vulnerability/wordpress-contact-form-lead-form-elementor-builder-plugin-2-0-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| themepassion--Ultra Portfolio | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themepassion Ultra Portfolio ultra-portfolio allows Blind SQL Injection. This issue affects Ultra Portfolio: from n/a through <= 6.7. | 2026-01-22 | not yet calculated | CVE-2025-69180 | https://patchstack.com/database/Wordpress/Plugin/ultra-portfolio/vulnerability/wordpress-ultra-portfolio-plugin-6-7-sql-injection-vulnerability?_s_id=cve |
| ThemeREX--Sound | Musical Instruments Online Store | Deserialization of Untrusted Data vulnerability in ThemeREX Sound | Musical Instruments Online Store musicplace allows Object Injection. This issue affects Sound | Musical Instruments Online Store: from n/a through <= 1.6.9. | 2026-01-22 | not yet calculated | CVE-2025-69079 | https://patchstack.com/database/Wordpress/Theme/musicplace/vulnerability/wordpress-sound-musical-instruments-online-store-theme-1-6-9-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| themeton--Consult Aid | Deserialization of Untrusted Data vulnerability in themeton Consult Aid consultaid allows Object Injection. This issue affects Consult Aid: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-67617 | https://patchstack.com/database/Wordpress/Theme/consultaid/vulnerability/wordpress-consult-aid-theme-1-4-3-php-object-injection-vulnerability?_s_id=cve |
| Themeum--Tutor LMS | Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4. | 2026-01-22 | not yet calculated | CVE-2025-47555 | https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Themeum--Tutor LMS BunnyNet Integration | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24584 | https://patchstack.com/database/Wordpress/Plugin/tutor-lms-bunnynet-integration/vulnerability/wordpress-tutor-lms-bunnynet-integration-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThimPress--LearnPress – Course Review | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS. This issue affects LearnPress – Course Review: from n/a through <= 4.1.9. | 2026-01-22 | not yet calculated | CVE-2026-24361 | https://patchstack.com/database/Wordpress/Plugin/learnpress-course-review/vulnerability/wordpress-learnpress-course-review-plugin-4-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Tickera--Tickera | Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tickera: from n/a through <= 3.5.6.2. | 2026-01-22 | not yet calculated | CVE-2025-67939 | https://patchstack.com/database/Wordpress/Plugin/tickera-event-ticketing-system/vulnerability/wordpress-tickera-plugin-3-5-6-2-broken-access-control-vulnerability?_s_id=cve |
| Timur Kamaev--Kama Thumbnail | Cross-Site Request Forgery (CSRF) vulnerability in Timur Kamaev Kama Thumbnail kama-thumbnail allows Cross Site Request Forgery. This issue affects Kama Thumbnail: from n/a through <= 3.5.1. | 2026-01-23 | not yet calculated | CVE-2026-24521 | https://patchstack.com/database/Wordpress/Plugin/kama-thumbnail/vulnerability/wordpress-kama-thumbnail-plugin-3-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| tinyMOTT--tinyMOTT | In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscription requests with arbitrarily large or invalid filter payloads. Each request causes memory to be allocated for the malformed topic filter, but the broker does not free the associated memory, leading to unbounded heap growth and potential denial of service under sustained attack. | 2026-01-20 | not yet calculated | CVE-2025-56353 | https://github.com/JustDoIt0910/tinyMQTT/issues/19 |
| TMS Global--TMS Global | A path traversal vulnerability exists in TMS Management Console (version 6.3.7.27386.20250818) from TMS Global Software. The "Download Template" function in the profile dashboard does not neutralize directory traversal sequences (../) in the filePath parameter, allowing authenticated users to read arbitrary files, such as the server's Web.config. | 2026-01-22 | not yet calculated | CVE-2025-69612 | http://tms.com https://tmsglobalsoft.com/ https://github.com/Cr0wld3r/CVE-2025-69612/blob/main/PoC.md |
| TMS Global--TMS Global | File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Customer/AddEdit | 2026-01-22 | not yet calculated | CVE-2025-69828 | https://tmsglobalsoft.com https://github.com/ZuoqTr/CVE/blob/main/CVE-2025-69828.md |
| TopDesk--TopDesk | An improper certificate validation vulnerability exists in ToDesktop Builder v0.32.1 This vulnerability allows an unauthenticated, on-path attacker to spoof backend responses by exploiting insufficient certificate validation. | 2026-01-23 | not yet calculated | CVE-2025-67229 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-001 |
| TopDesktop--TopDesktop | Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation. | 2026-01-23 | not yet calculated | CVE-2025-67230 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-002 |
| TopDesktop--TopDesktop | A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload. | 2026-01-23 | not yet calculated | CVE-2025-67231 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-003 |
| topdevs--Smart Product Viewer | Missing Authorization vulnerability in topdevs Smart Product Viewer smart-product-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Product Viewer: from n/a through <= 1.5.4. | 2026-01-23 | not yet calculated | CVE-2026-24588 | https://patchstack.com/database/Wordpress/Plugin/smart-product-viewer/vulnerability/wordpress-smart-product-viewer-plugin-1-5-4-broken-access-control-vulnerability?_s_id=cve |
| TP-Link Systems Inc.--Archer C20 v6.0, Archer AX53 v1.0 | Logic vulnerability in TP-Link Archer C20 v6.0 and Archer AX53 v1.0 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability. This issue affects Archer C20 v6.0 < V6_251031. Archer AX53 v1.0 < V1_251215 | 2026-01-21 | not yet calculated | CVE-2026-0834 | https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://mattg.systems/posts/cve-2026-0834/ |
| TP-Link Systems Inc.--Omada Software Controller | A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator's browser, potentially exposing sensitive information and compromising confidentiality. | 2026-01-22 | not yet calculated | CVE-2025-9289 | https://support.omadanetworks.com/us/download/ https://support.omadanetworks.com/us/document/114950/ |
| TP-Link Systems Inc.--Omada Software Controller | An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality. | 2026-01-22 | not yet calculated | CVE-2025-9290 | https://support.omadanetworks.com/us/download/ https://support.omadanetworks.com/en/download/ https://support.omadanetworks.com/us/document/114950/ |
| Trimble--SketchUp | Trimble SketchUp SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27769. | 2026-01-23 | not yet calculated | CVE-2025-15062 | ZDI-25-1198 |
| Trusona--Trusona for WordPress | Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trusona for WordPress: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24627 | https://patchstack.com/database/Wordpress/Plugin/trusona/vulnerability/wordpress-trusona-for-wordpress-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| TYPO3--Extension "Mailqueue" | The extension extends TYPO3' FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension. More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . | 2026-01-20 | not yet calculated | CVE-2026-0895 | https://typo3.org/security/advisory/typo3-ext-sa-2026-001 https://github.com/CPS-IT/mailqueue/commit/fd09aa4e1a751551bae4b228bee814e22f2048db https://github.com/CPS-IT/mailqueue/commit/12a0a35027bb5609917790a94e43bbf117abf733 |
| Unknown--Bookingor | The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data. | 2026-01-20 | not yet calculated | CVE-2025-12573 | https://wpscan.com/vulnerability/b6198d76-813c-4f13-8b3d-b4609095ae34/ |
| upnp--upnp | A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection. | 2026-01-20 | not yet calculated | CVE-2025-55423 | https://iptime.com/iptime/?pageid=4&page_id=126&dfsid=3&dftid=583&uid=25203&mod=document https://docs.google.com/spreadsheets/d/1kryOFltCmnPJvDTpIrudgryt79uI4PWchuQ8-Gak24c/edit?usp=sharing https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/README.md https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/assets/affected_products_cve_format.json |
| uPress--Booter | Missing Authorization vulnerability in uPress Booter booter-bots-crawlers-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booter: from n/a through <= 1.5.7. | 2026-01-23 | not yet calculated | CVE-2026-24534 | https://patchstack.com/database/Wordpress/Plugin/booter-bots-crawlers-manager/vulnerability/wordpress-booter-plugin-1-5-7-broken-access-control-vulnerability?_s_id=cve |
| Upsonic--Upsonic | Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Upsonic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the add_tool endpoint, which listens on TCP port 7541 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26845. | 2026-01-23 | not yet calculated | CVE-2026-0773 | ZDI-26-042 |
| uxper--Golo | Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Golo: from n/a through < 1.7.5. | 2026-01-22 | not yet calculated | CVE-2026-23974 | https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-broken-access-control-vulnerability?_s_id=cve |
| uxper--Golo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion. This issue affects Golo: from n/a through < 1.7.5. | 2026-01-22 | not yet calculated | CVE-2026-23975 | https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| VB-Audio Software--Matrix | VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a local privilege escalation vulnerability in the VBMatrix VAIO virtual audio driver (vbmatrixvaio64*_win10.sys). The driver allocates a 128-byte non-paged pool buffer and, upon receiving IOCTL 0x222060, maps it into user space using an MDL and MmMapLockedPagesSpecifyCache. Because the allocation size is not page-aligned, the mapping exposes the entire 0x1000-byte kernel page containing the buffer plus adjacent non-paged pool allocations with read/write permissions. An unprivileged local attacker can open a device handle (using the required 0x800 attribute flag), invoke the IOCTL to obtain the mapping, and then read or modify live kernel objects and pointers present on that page. This enables bypass of KASLR, arbitrary kernel memory read/write within the exposed page, corruption of kernel objects, and escalation to SYSTEM. | 2026-01-22 | not yet calculated | CVE-2026-23763 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23763 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-matrix-drivers-local-privilege-escalation-via-kernel-memory-exposure |
| VB-Audio Software--Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). When a handle is opened with a special file attribute value, the drivers improperly initialize FILE_OBJECT->FsContext to a non-pointer magic value. If subsequent operations are not handled by the VB-Audio driver and are forwarded down the audio driver stack (e.g., via PortCls to ks.sys), the invalid FsContext value can be dereferenced, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_ACCESS_VIOLATION. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23761 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23761 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-improper-file-object-fscontext-initialization |
| VB-Audio Software--Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers map non-paged pool memory into user space via MmMapLockedPagesSpecifyCache using UserMode access without proper exception handling. If the mapping fails, such as when a process has exhausted available virtual address space, MmMapLockedPagesSpecifyCache raises an exception that is not caught, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_NO_MEMORY. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23762 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23762 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-mmmaplockedpagesspecifycache |
| VB-Audio Software--Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers allocate non-paged pool and map it into user space, where a length value associated with the allocation is exposed and can be modified by an unprivileged local attacker. On subsequent IOCTL handling, the corrupted length is used directly as the IoAllocateMdl length argument without adequate integrity checks before building and mapping the MDL, which can cause a kernel crash (BSoD), typically PAGE_FAULT_IN_NONPAGED_AREA. This flaw allows a local user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23764 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23764 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-corrupted-ioallocatemdl-length |
| VEGA--VEGA | An issue in Beat XP VEGA Smartwatch (Firmware Version - RB303ATV006229) allows an attacker to cause a denial of service via the BLE connection | 2026-01-22 | not yet calculated | CVE-2025-69821 | https://github.com/CipherX1802/CVE-2025-69821-Beat-XP-Vega-Smartwatch-Security-Assessment/blob/main/BeatXP_Vega_Smartwatch_Security_Assessment_Report.pdf https://github.com/CipherX1802/CVE-2025-69821-Beat-XP-Vega-Smartwatch-Security-Assessment.git |
| VibeThemes--WPLMS | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal. This issue affects WPLMS: from n/a through <= 1.9.9.5.4. | 2026-01-22 | not yet calculated | CVE-2025-69097 | https://patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-4-arbitrary-file-deletion-vulnerability?_s_id=cve |
| Vladimir Statsenko--Terms descriptions | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Statsenko Terms descriptions terms-descriptions allows DOM-Based XSS. This issue affects Terms descriptions: from n/a through <= 3.4.9. | 2026-01-23 | not yet calculated | CVE-2026-24621 | https://patchstack.com/database/Wordpress/Plugin/terms-descriptions/vulnerability/wordpress-terms-descriptions-plugin-3-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Vollstart--Event Tickets with Ticket Scanner | Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection. This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.3. | 2026-01-22 | not yet calculated | CVE-2025-68015 | https://patchstack.com/database/Wordpress/Plugin/event-tickets-with-ticket-scanner/vulnerability/wordpress-event-tickets-with-ticket-scanner-plugin-2-7-10-remote-code-execution-rce-vulnerability?_s_id=cve |
| vrpr--WDV One Page Docs | Missing Authorization vulnerability in vrpr WDV One Page Docs wdv-one-page-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WDV One Page Docs: from n/a through <= 1.2.4. | 2026-01-22 | not yet calculated | CVE-2025-68896 | https://patchstack.com/database/Wordpress/Plugin/wdv-one-page-docs/vulnerability/wordpress-wdv-one-page-docs-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| WANotifier--WANotifier | Missing Authorization vulnerability in WANotifier WANotifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through <= 2.7.12. | 2026-01-22 | not yet calculated | CVE-2025-68020 | https://patchstack.com/database/Wordpress/Plugin/notifier/vulnerability/wordpress-wanotifier-plugin-2-7-12-broken-access-control-vulnerability?_s_id=cve |
| WatchYourLAN--WatchYourLAN | WatchYourLAN Configuration Page Argument Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WatchYourLAN. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the arpstrs parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26708. | 2026-01-23 | not yet calculated | CVE-2026-0774 | ZDI-26-039 |
| wbolt.com--IMGspider | Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery. This issue affects IMGspider: from n/a through <= 2.3.12. | 2026-01-22 | not yet calculated | CVE-2026-22482 | https://patchstack.com/database/Wordpress/Plugin/imgspider/vulnerability/wordpress-imgspider-plugin-2-3-12-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Web Impian--Bayarcash WooCommerce | Missing Authorization vulnerability in Web Impian Bayarcash WooCommerce bayarcash-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bayarcash WooCommerce: from n/a through <= 4.3.11. | 2026-01-23 | not yet calculated | CVE-2026-24606 | https://patchstack.com/database/Wordpress/Plugin/bayarcash-wc/vulnerability/wordpress-bayarcash-woocommerce-plugin-4-3-11-broken-access-control-vulnerability?_s_id=cve |
| WebAppick--CTX Feed | Missing Authorization vulnerability in WebAppick CTX Feed webappick-product-feed-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CTX Feed: from n/a through <= 6.6.18. | 2026-01-22 | not yet calculated | CVE-2026-22461 | https://patchstack.com/database/Wordpress/Plugin/webappick-product-feed-for-woocommerce/vulnerability/wordpress-ctx-feed-plugin-6-6-15-broken-access-control-vulnerability?_s_id=cve |
| webdevstudios--Automatic Featured Images from Videos | Missing Authorization vulnerability in webdevstudios Automatic Featured Images from Videos automatic-featured-images-from-videos allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Automatic Featured Images from Videos: from n/a through <= 1.2.7. | 2026-01-23 | not yet calculated | CVE-2026-24535 | https://patchstack.com/database/Wordpress/Plugin/automatic-featured-images-from-videos/vulnerability/wordpress-automatic-featured-images-from-videos-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve |
| WebGeniusLab--iRecco Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion. This issue affects iRecco Core: from n/a through <= 1.3.6. | 2026-01-22 | not yet calculated | CVE-2025-69046 | https://patchstack.com/database/Wordpress/Plugin/irecco-core/vulnerability/wordpress-irecco-core-plugin-1-3-6-local-file-inclusion-vulnerability?_s_id=cve |
| WebPros--WebPros | An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation. | 2026-01-22 | not yet calculated | CVE-2025-66428 | https://docs.plesk.com/release-notes/obsidian/change-log/#wordpress-toolkit-6.9.1 |
| webpushr--Webpushr | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in webpushr Webpushr webpushr-web-push-notifications allows Retrieve Embedded Sensitive Data. This issue affects Webpushr: from n/a through <= 4.38.0. | 2026-01-23 | not yet calculated | CVE-2026-24536 | https://patchstack.com/database/Wordpress/Plugin/webpushr-web-push-notifications/vulnerability/wordpress-webpushr-plugin-4-38-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| Weintek--cMT3072XH | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges. | 2026-01-22 | not yet calculated | CVE-2025-14750 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05 |
| Weintek--cMT3072XH | A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation. | 2026-01-22 | not yet calculated | CVE-2025-14751 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05 |
| WEN Solutions--Contact Form 7 GetResponse Extension | Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension allows Retrieve Embedded Sensitive Data. This issue affects Contact Form 7 GetResponse Extension: from n/a through <= 1.0.8. | 2026-01-23 | not yet calculated | CVE-2026-24557 | https://patchstack.com/database/Wordpress/Plugin/contact-form-7-getresponse-extension/vulnerability/wordpress-contact-form-7-getresponse-extension-plugin-1-0-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| whisper-money--whisper-money | Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23844 | https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74 https://github.com/whisper-money/whisper-money/pull/60 https://github.com/whisper-money/whisper-money/commit/80117c3edeaf5c5a5166f3815fc555a15b5ce686 |
| winkm89--teachPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winkm89 teachPress teachpress allows Stored XSS. This issue affects teachPress: from n/a through <= 9.0.12. | 2026-01-22 | not yet calculated | CVE-2026-22353 | https://patchstack.com/database/Wordpress/Plugin/teachpress/vulnerability/wordpress-teachpress-plugin-9-0-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| winkm89--teachPress | Cross-Site Request Forgery (CSRF) vulnerability in winkm89 teachPress teachpress allows Cross Site Request Forgery. This issue affects teachPress: from n/a through <= 9.0.12. | 2026-01-22 | not yet calculated | CVE-2026-22483 | https://patchstack.com/database/Wordpress/Plugin/teachpress/vulnerability/wordpress-teachpress-plugin-9-0-12-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WisdmLabs--Edwiser Bridge | Missing Authorization vulnerability in WisdmLabs Edwiser Bridge edwiser-bridge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Edwiser Bridge: from n/a through <= 4.3.2. | 2026-01-23 | not yet calculated | CVE-2026-24570 | https://patchstack.com/database/Wordpress/Plugin/edwiser-bridge/vulnerability/wordpress-edwiser-bridge-plugin-4-3-2-broken-access-control-vulnerability?_s_id=cve |
| woofer696--Dinatur | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in woofer696 Dinatur dinatur allows Stored XSS. This issue affects Dinatur: from n/a through <= 1.18. | 2026-01-22 | not yet calculated | CVE-2025-68866 | https://patchstack.com/database/Wordpress/Plugin/dinatur/vulnerability/wordpress-dinatur-plugin-1-18-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WorklogPRO--WorklogPRO | The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. The vulnerability is exploited via a specially crafted payload placed in an issue's summary field | 2026-01-21 | not yet calculated | CVE-2025-57681 | https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history https://thestarware.atlassian.net/wiki/spaces/WLP/pages/3326574597/Security+Advisory+CVE-2025-57681+-+Stored+XSS+in+WorklogPRO+DC |
| WorklogPRO--WorklogPRO | The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action. | 2026-01-20 | not yet calculated | CVE-2025-67824 | https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history https://thestarware.atlassian.net/wiki/x/CAAdyg |
| WP Chill--Gallery PhotoBlocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Gallery PhotoBlocks photoblocks-grid-gallery allows DOM-Based XSS. This issue affects Gallery PhotoBlocks: from n/a through <= 1.3.2. | 2026-01-22 | not yet calculated | CVE-2026-24389 | https://patchstack.com/database/Wordpress/Plugin/photoblocks-grid-gallery/vulnerability/wordpress-gallery-photoblocks-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Chill--Modula Image Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Stored XSS. This issue affects Modula Image Gallery: from n/a through <= 2.13.4. | 2026-01-22 | not yet calculated | CVE-2026-23976 | https://patchstack.com/database/Wordpress/Plugin/modula-best-grid-gallery/vulnerability/wordpress-modula-image-gallery-plugin-2-13-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Messiah--Ai Image Alt Text Generator for WP | Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ai Image Alt Text Generator for WP: from n/a through <= 1.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24579 | https://patchstack.com/database/Wordpress/Plugin/ai-image-alt-text-generator-for-wp/vulnerability/wordpress-ai-image-alt-text-generator-for-wp-plugin-1-1-9-broken-access-control-vulnerability?_s_id=cve |
| WP Messiah--Frontis Blocks | Server-Side Request Forgery (SSRF) vulnerability in WP Messiah Frontis Blocks frontis-blocks allows Server Side Request Forgery. This issue affects Frontis Blocks: from n/a through <= 1.1.5. | 2026-01-22 | not yet calculated | CVE-2025-68030 | https://patchstack.com/database/Wordpress/Plugin/frontis-blocks/vulnerability/wordpress-frontis-blocks-plugin-1-1-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| WP Swings--Points and Rewards for WooCommerce | Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5. | 2026-01-23 | not yet calculated | CVE-2026-24581 | https://patchstack.com/database/Wordpress/Plugin/points-and-rewards-for-woocommerce/vulnerability/wordpress-points-and-rewards-for-woocommerce-plugin-2-9-5-broken-access-control-vulnerability?_s_id=cve |
| WP Travel--WP Travel | Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through <= 11.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24568 | https://patchstack.com/database/Wordpress/Plugin/wp-travel/vulnerability/wordpress-wp-travel-plugin-11-0-0-broken-access-control-vulnerability?_s_id=cve |
| wpdive--ElementCamp | Missing Authorization vulnerability in wpdive ElementCamp element-camp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementCamp: from n/a through <= 2.3.2. | 2026-01-23 | not yet calculated | CVE-2026-24556 | https://patchstack.com/database/Wordpress/Plugin/element-camp/vulnerability/wordpress-elementcamp-plugin-2-3-2-broken-access-control-vulnerability?_s_id=cve |
| wpeverest--User Registration | Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.6. | 2026-01-22 | not yet calculated | CVE-2025-67956 | https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-6-broken-access-control-vulnerability?_s_id=cve |
| wpeverest--User Registration | Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.9. | 2026-01-22 | not yet calculated | CVE-2026-24353 | https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| wphocus--My auctions allegro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS. This issue affects My auctions allegro: from n/a through <= 3.6.32. | 2026-01-22 | not yet calculated | CVE-2025-67943 | https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| wphocus--My auctions allegro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows PHP Local File Inclusion. This issue affects My auctions allegro: from n/a through <= 3.6.33. | 2026-01-22 | not yet calculated | CVE-2026-22464 | https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-33-local-file-inclusion-vulnerability?_s_id=cve |
| wpjobportal--WP Job Portal | Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Portal: from n/a through <= 2.4.3. | 2026-01-22 | not yet calculated | CVE-2026-24379 | https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-4-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| wproyal--Bard | Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bard: from n/a through <= 2.229. | 2026-01-22 | not yet calculated | CVE-2025-63018 | https://patchstack.com/database/Wordpress/Theme/bard/vulnerability/wordpress-bard-theme-2-229-broken-access-control-vulnerability?_s_id=cve |
| wptravelengine--Travel Monster | Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Monster: from n/a through <= 1.3.3. | 2026-01-23 | not yet calculated | CVE-2026-24607 | https://patchstack.com/database/Wordpress/Theme/travel-monster/vulnerability/wordpress-travel-monster-theme-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| wpWave--Hide My WP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS. This issue affects Hide My WP: from n/a through <= 6.2.12. | 2026-01-22 | not yet calculated | CVE-2025-69098 | https://patchstack.com/database/Wordpress/Plugin/hide_my_wp/vulnerability/wordpress-hide-my-wp-plugin-6-2-12-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WPXPO--PostX | Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PostX: from n/a through <= 5.0.3. | 2026-01-22 | not yet calculated | CVE-2025-69313 | https://patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-broken-access-control-vulnerability?_s_id=cve |
| XDocReport | A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions. | 2026-01-20 | not yet calculated | CVE-2025-64087 | https://github.com/opensagres/xdocreport https://github.com/opensagres/xdocreport/pull/705 https://hackmd.io/@cuongnh/BJEnw7SAlg https://hackmd.io/@cuongnh/SkQvhEf0lx https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI- |
| XDocReport--XDocReport | An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file. | 2026-01-20 | not yet calculated | CVE-2025-65482 | https://github.com/opensagres/xdocreport https://drive.google.com/drive/folders/1hUyCznpBN7ivo5krmyJ4OQc_q626Hy5q?usp=sharing https://hackmd.io/@cuongnh/r1B7B8fJ-g https://hackmd.io/@cuongnh/rkJPCgSy-l https://github.com/AT190510-Cuong/CVE-2025-65482-XXE- |
| XLPlugins--NextMove Lite | Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NextMove Lite: from n/a through <= 2.23.0. | 2026-01-23 | not yet calculated | CVE-2026-24599 | https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-23-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| XpeedStudio--Bajaar - Highly Customizable WooCommerce WordPress Theme | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in XpeedStudio Bajaar - Highly Customizable WooCommerce WordPress Theme bajaar allows PHP Local File Inclusion. This issue affects Bajaar - Highly Customizable WooCommerce WordPress Theme: from n/a through <= 2.1.0. | 2026-01-22 | not yet calculated | CVE-2025-69004 | https://patchstack.com/database/Wordpress/Theme/bajaar/vulnerability/wordpress-bajaar-highly-customizable-woocommerce-wordpress-theme-theme-2-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Xpro--Xpro Elementor Addons | Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1. | 2026-01-22 | not yet calculated | CVE-2025-69312 | https://patchstack.com/database/Wordpress/Plugin/xpro-elementor-addons/vulnerability/wordpress-xpro-elementor-addons-plugin-1-4-19-1-arbitrary-file-upload-vulnerability?_s_id=cve |
| xtemos--WoodMart | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection. This issue affects WoodMart: from n/a through <= 8.3.7. | 2026-01-22 | not yet calculated | CVE-2025-47600 | https://patchstack.com/database/Wordpress/Theme/woodmart/vulnerability/wordpress-woodmart-theme-8-3-7-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required. | 2026-01-23 | not yet calculated | CVE-2026-24128 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12 https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5 https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1 https://jira.xwiki.org/browse/XWIKI-23462 |
| yasir129--Turn Yoast SEO FAQ Block to Accordion | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion allows Stored XSS. This issue affects Turn Yoast SEO FAQ Block to Accordion: from n/a through <= 1.0.6. | 2026-01-23 | not yet calculated | CVE-2026-24591 | https://patchstack.com/database/Wordpress/Plugin/faq-schema-block-to-accordion/vulnerability/wordpress-turn-yoast-seo-faq-block-to-accordion-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| YITHEMES--YITH WooCommerce Request A Quote | Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Request A Quote: from n/a through <= 2.46.0. | 2026-01-22 | not yet calculated | CVE-2026-24366 | https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-request-a-quote/vulnerability/wordpress-yith-woocommerce-request-a-quote-plugin-2-46-0-broken-access-control-vulnerability?_s_id=cve |
| zhblue--hustoj | hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication. | 2026-01-21 | not yet calculated | CVE-2026-23873 | https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw |
| zohocrm--Zoho CRM Lead Magnet | Missing Authorization vulnerability in zohocrm Zoho CRM Lead Magnet zoho-crm-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zoho CRM Lead Magnet: from n/a through <= 1.8.1.5. | 2026-01-23 | not yet calculated | CVE-2026-24595 | https://patchstack.com/database/Wordpress/Plugin/zoho-crm-forms/vulnerability/wordpress-zoho-crm-lead-magnet-plugin-1-8-1-5-broken-access-control-vulnerability?_s_id=cve |
| ZoomIt--DZS Video Gallery | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZoomIt DZS Video Gallery dzs-videogallery allows SQL Injection. This issue affects DZS Video Gallery: from n/a through <= 12.37. | 2026-01-22 | not yet calculated | CVE-2025-49049 | https://patchstack.com/database/Wordpress/Plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-37-sql-injection-vulnerability?_s_id=cve |
| zozothemes--Miion | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Miion miion allows PHP Local File Inclusion. This issue affects Miion: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-68913 | https://patchstack.com/database/Wordpress/Theme/miion/vulnerability/wordpress-miion-theme-1-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| zozothemes--Miion | Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Miion miion allows Upload a Web Shell to a Web Server. This issue affects Miion: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-68986 | https://patchstack.com/database/Wordpress/Theme/miion/vulnerability/wordpress-miion-theme-1-2-7-arbitrary-file-upload-vulnerability?_s_id=cve |
| Zuinq Studio--IsMyGym | Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-01-20 | not yet calculated | CVE-2025-41081 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-ismygym |
Vulnerability Summary for the Week of January 12, 2026
Posted on Tuesday January 20, 2026
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10-Strike--Strike Network Inventory Explorer Pro | 10-Strike Network Inventory Explorer Pro 9.31 contains a buffer overflow vulnerability in the text file import functionality that allows remote code execution. Attackers can craft a malicious text file with carefully constructed payload to trigger a reverse shell and execute arbitrary code on the target system. | 2026-01-15 | 9.8 | CVE-2021-47772 | ExploitDB-50472 Vendor Homepage |
| 10-Strike--Strike Network Inventory Explorer Pro | 10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted service path vulnerability in the srvInventoryWebServer service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path segments to achieve privilege escalation and execute code with system-level permissions. | 2026-01-15 | 7.8 | CVE-2021-47767 | ExploitDB-50494 Vendor Homepage |
| 4Homepages--4images | 4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php endpoint with a crafted cat_id parameter. | 2026-01-13 | 8.8 | CVE-2022-50806 | ExploitDB-51147 Official 4images Software Download Page VulnCheck Advisory: 4images 1.9 - Remote Command Execution (RCE) |
| ABB--ABB Ability OPTIMAX | Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX.This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120. | 2026-01-16 | 8.1 | CVE-2025-14510 | https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A1331&LanguageCode=en&DocumentPartId=&Action=Launch |
| Acer--Acer Backup Manager Module | Acer Backup Manager 3.0.0.99 contains an unquoted service path vulnerability in the NTI IScheduleSvc service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\NTI\Acer Backup Manager\ to inject malicious executables that would run with elevated LocalSystem privileges. | 2026-01-16 | 7.8 | CVE-2021-47826 | ExploitDB-49889 Acer Official Homepage VulnCheck Advisory: Acer Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path |
| Acer--Acer Updater Service | Acer Updater Service 1.2.3500.0 contains an unquoted service path vulnerability that allows local users to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files\Acer\Acer Updater\ to inject malicious executables that will run with LocalSystem permissions during service startup. | 2026-01-16 | 7.8 | CVE-2021-47825 | ExploitDB-49890 Acer Official Homepage VulnCheck Advisory: Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path |
| Acer--ePowerSvc | Acer ePowerSvc 6.0.3008.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-16 | 7.8 | CVE-2021-47823 | ExploitDB-49900 Acer Official Homepage VulnCheck Advisory: ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path |
| Adobe--Bridge | Bridge versions 15.1.2, 16.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21283 | https://helpx.adobe.com/security/products/bridge/apsb26-07.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21267 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21268 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21271 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could leverage this vulnerability to manipulate or inject malicious data into files on the system. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21272 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could leverage this vulnerability to bypass security measures and execute unauthorized code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21274 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Illustrator | Illustrator versions 29.8.3, 30.0 and earlier are affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21280 | https://helpx.adobe.com/security/products/illustrator/apsb26-03.html |
| Adobe--InCopy | InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21281 | https://helpx.adobe.com/security/products/incopy/apsb26-04.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21275 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21276 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21277 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21304 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--Substance3D - Designer | Substance3D - Designer versions 15.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21307 | https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21298 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21299 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21305 | https://helpx.adobe.com/security/products/substance3d_painter/apsb26-10.html |
| Adobe--Substance3D - Sampler | Substance3D - Sampler versions 5.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21306 | https://helpx.adobe.com/security/products/substance3d-sampler/apsb26-11.html |
| Adobe--Substance3D - Stager | Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21287 | https://helpx.adobe.com/security/products/substance3d_stager/apsb26-09.html |
| Advantech--IoTSuite and IoT Edge Products | Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet. | 2026-01-12 | 10 | CVE-2025-52694 | https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001/ |
| agentfront--enclave | Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm's core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0. | 2026-01-13 | 10 | CVE-2026-22686 | https://github.com/agentfront/enclave/security/advisories/GHSA-7qm7-455j-5p63 https://github.com/agentfront/enclave/commit/ed8bc438b2cd6e6f0b5f2de321e5be6f0169b5a1 |
| ahmadgb--GeekyBot Generate AI Content Without Prompt, Chatbot and Lead Generation | The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Chat History page. | 2026-01-14 | 7.2 | CVE-2025-15266 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b30e84db-c73f-4df2-9c88-c37a7e14c95b?source=cve https://wordpress.org/plugins/geeky-bot/ |
| Aimeos--Aimeos Laravel ecommerce platform | Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint. | 2026-01-15 | 8.2 | CVE-2021-47763 | ExploitDB-50538 Vendor Homepage Aimeos Laravel E-Commerce Package |
| Aimone-Video-Converter--AimOne Video Converter | AimOne Video Converter 2.04 Build 103 contains a buffer overflow vulnerability in its registration form that causes application crashes. Attackers can generate a 7000-byte payload to trigger the denial of service and potentially exploit the software's registration mechanism. | 2026-01-13 | 9.8 | CVE-2023-54328 | ExploitDB-51196 AimOne Video Converter Software Informer Page Archived AimOne Software Website Vulnerability Reproduction Repository VulnCheck Advisory: AimOne Video Converter 2.04 Build 103 Buffer Overflow in Registration Form |
| Aiven-Open--bigquery-connector-for-apache-kafka | Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configurations for authentication to BigQuery services. During connector configuration, users can supply credential JSON files that are processed by Google authentication libraries. The service fails to validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by providing a malicious credential configuration containing crafted credential_source.file paths or credential_source.url endpoints, resulting in arbitrary file reads or SSRF attacks. | 2026-01-16 | 7.7 | CVE-2026-23529 | https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/security/advisories/GHSA-3mg8-2g53-5gj4 https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/commit/20ea3921c6fe72d605a033c1943b20f49eaba981 https://docs.cloud.google.com/support/bulletins#gcp-2025-005 https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/releases/tag/v2.11.0 |
| ajseidl--AJS Footnotes | The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to update plugin settings and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 7.2 | CVE-2025-15378 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4da167e0-c1cf-496f-9b14-35fc70386be1?source=cve https://plugins.trac.wordpress.org/browser/ajs-footnotes/tags/1.0/ajs_footnotes.php?marks=138,271,303#L138 |
| Algo Solutions--Algo 8028 | Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. Attackers can exploit the insecure 'source' parameter by injecting commands that are executed with root privileges, enabling remote code execution through a crafted POST request. | 2026-01-13 | 8.8 | CVE-2022-50909 | ExploitDB-50960 Algo Solutions Official Homepage Algo 8028 Firmware Downloads VulnCheck Advisory: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated) |
| Altium--Altium 365 | A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker's payload to execute in the context of the victim's authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post. | 2026-01-15 | 9 | CVE-2026-1009 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Enterprise Server | A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator's browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions. | 2026-01-15 | 8 | CVE-2026-1010 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Live | A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile. | 2026-01-15 | 7.6 | CVE-2026-1008 | https://www.altium.com/platform/security-compliance/security-advisories |
| Ametys--Ametys CMS | Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory's input fields for external links. Attackers can inject malicious script code in link text and descriptions to execute persistent attacks that compromise user sessions and manipulate application modules. | 2026-01-13 | 7.2 | CVE-2022-50937 | ExploitDB-50692 Vulnerability Lab Advisory Official Ametys CMS Homepage VulnCheck Advisory: Ametys CMS v4.4.1 - Cross Site Scripting (XSS) |
| amitmerchant1990--Markdownify | Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47837 | ExploitDB-49835 Markdownify GitHub Repository Proof of Concept Video VulnCheck Advisory: Markdownify 1.2.0 - Persistent Cross-Site Scripting |
| anomalyco--opencode | OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216. | 2026-01-12 | 8.8 | CVE-2026-22812 | https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh |
| appsmithorg--appsmith | Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker's domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93. | 2026-01-12 | 9.7 | CVE-2026-22794 | https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633 |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of "taoimr" service, potentially resulting in complete compromise of the model application server. | 2026-01-16 | 10 | CVE-2025-61937 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Standard User) to tamper with queries in Captive Historian and achieve code execution under SQL Server administrative privileges, potentially resulting in complete compromise of the SQL Server. | 2026-01-16 | 8.4 | CVE-2025-61943 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS standard user) to tamper with TCL Macro scripts and escalate privileges to OS system, potentially resulting in complete compromise of the model application server. | 2026-01-16 | 8.8 | CVE-2025-64691 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files. | 2026-01-16 | 8.1 | CVE-2025-64729 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server. | 2026-01-16 | 8.8 | CVE-2025-65118 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The Process Optimization application suite leverages connection channels/protocols that by-default are not encrypted and could become subject to hijacking or data leakage in certain man-in-the-middle or passive inspection scenarios. | 2026-01-16 | 7.1 | CVE-2025-64769 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Designer User) to embed OLE objects into graphics, and escalate their privileges to the identity of a victim user who subsequently interacts with the graphical elements. | 2026-01-16 | 7.4 | CVE-2025-65117 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| Bdtask--Isshue Shopping Cart | Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phishing attacks. | 2026-01-15 | 7.2 | CVE-2021-47769 | ExploitDB-50490 Vulnerability-Lab Disclosure Official Product Homepage |
| Beehive Forum--Beehive Forum | Beehive Forum 1.5.2 contains a host header injection vulnerability in the forgot password functionality that allows attackers to manipulate password reset requests. Attackers can inject a malicious host header to intercept password reset tokens and change victim account passwords without direct authentication. | 2026-01-13 | 7.5 | CVE-2022-50910 | ExploitDB-50923 Beehive Forum Official Website Beehive Forum SourceForge Project Proof of Concept Imgur VulnCheck Advisory: Beehive Forum - Account Takeover |
| Brother--Brother BRAgent | Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Brother\BRAgent\ to inject and execute malicious code with elevated system permissions. | 2026-01-15 | 7.8 | CVE-2020-36928 | ExploitDB-50010 BRAgent Webpage VulnCheck Advisory: Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in print job processing by WSD on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14231 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in XML processing of XPS file in Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14232 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Invalid free in CPCA file deletion processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14233 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in CPCA list processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14234 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in XPS font fpgm data processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14235 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in Address Book attribute tag processing on Small Office Multifunction Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14236 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in XPS font parse processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14237 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| checkpoint--Hramony SASE | A local user can trigger Harmony SASE Windows client to write or delete files outside the intended certificate working directory. | 2026-01-14 | 7.5 | CVE-2025-9142 | https://support.checkpoint.com/results/sk/sk184557 |
| clevo--HotKey Clipboard | Clevo HotKey Clipboard 2.1.0.6 contains an unquoted service path vulnerability in the HKClipSvc service that allows local non-privileged users to potentially execute code with system privileges. Attackers can exploit the misconfigured service path to inject and execute arbitrary code by placing malicious executables in specific file system locations. | 2026-01-13 | 8.4 | CVE-2023-53984 | ExploitDB-51206 Archived Vendor Homepage VulnCheck Advisory: HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path |
| Cmder--Cmder Console Emulator | Cmder Console Emulator 1.3.18 contains a buffer overflow vulnerability that allows attackers to trigger a denial of service condition through a maliciously crafted .cmd file. Attackers can create a specially constructed .cmd file with repeated characters to overwhelm the console emulator's buffer and crash the application. | 2026-01-15 | 9.8 | CVE-2021-47781 | ExploitDB-50401 Cmder GitHub Repository |
| Cobbr--Covenant | Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system. | 2026-01-13 | 9.8 | CVE-2020-36911 | ExploitDB-51141 Vendor Homepage Covenant GitHub Repository Archived Researcher Blog Exploit Repository Archived Maintainer Patch Announcement VulnCheck Advisory: Covenant 0.5 - Remote Code Execution (RCE) |
| Cobiansoft--Cobian Backup | Cobian Backup 0.9 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CobianReflectorService to inject malicious code that will execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50923 | ExploitDB-50810 Vendor Homepage Software Download Page VulnCheck Advisory: Cobian Backup 0.9 - Unquoted Service Path |
| code-projects--Online Music Site | A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminUpdateUser.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-12 | 7.3 | CVE-2026-0852 | VDB-340447 | code-projects Online Music Site AdminUpdateUser.php sql injection VDB-340447 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734136 | code-projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/Learner636/CVE-smbmit/issues/2 https://code-projects.org/ |
| Connectify Inc--Connectify Hotspot | Connectify Hotspot 2018 contains an unquoted service path vulnerability in its ConnectifyService executable that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Connectify\ConnectifyService.exe' to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50929 | ExploitDB-50764 Official Vendor Homepage VulnCheck Advisory: Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path |
| ConnectWise--PSA | In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user's browser when the affected content is displayed. | 2026-01-16 | 8.7 | CVE-2026-0695 | https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix |
| Contpaqi--CONTPAQ AdminPAQ | CONTPAQi AdminPAQ 14.0.0 contains an unquoted service path vulnerability in the AppKeyLicenseServer service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject malicious code in the service binary path, potentially executing arbitrary code with elevated system privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50938 | ExploitDB-50690 CONTPAQi Official Software Download Page VulnCheck Advisory: CONTPAQi® AdminPAQ 14.0.0 - Unquoted Service Path |
| Cooler Master Technology Inc.--Cooler Master MasterPlus | CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. Attackers can drop a malicious executable in the service path and trigger code execution during service startup or system reboot. | 2026-01-13 | 8.4 | CVE-2022-50808 | ExploitDB-51159 CoolerMaster MasterPlus Official Homepage VulnCheck Advisory: CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path |
| cotonti.com--Cotonti Siena | Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page. | 2026-01-15 | 7.2 | CVE-2021-47808 | ExploitDB-50016 Vendor Homepage Software Download VulnCheck Advisory: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting |
| croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 7.5 | CVE-2025-12166 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5214a399-21a4-4573-9840-1d5043781bc0?source=cve https://plugins.trac.wordpress.org/changeset/3408539/ |
| Cyberfox--Cyberfox Web Browser | Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47784 | ExploitDB-50336 Archived Cyberfox Web Browser Homepage |
| D-Link--DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. Affected by this issue is the function sub_412E7C of the file /goform/set_wifidog_settings. Executing a manipulation of the argument wd_enable can lead to command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-18 | 7.3 | CVE-2026-1125 | VDB-341717 | D-Link DIR-823X set_wifidog_settings sub_412E7C command injection VDB-341717 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734966 | D-Link DIR-823X Router V250416 Command Execution https://github.com/DavCloudz/cve/blob/main/D-link/DIR_823X/DIR-823X%20V250416%20Command%20Execution%20Vulnerability.md https://www.dlink.com/ |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2. | 2026-01-12 | 9.1 | CVE-2026-22252 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f |
| daschmi--GetContentFromURL | The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-14 | 7.2 | CVE-2025-14613 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b83db6c7-09af-4707-a96b-ee551f27e3b7?source=cve https://plugins.trac.wordpress.org/browser/getcontentfromurl/trunk/classes/shortcode.class.php#L20 https://plugins.trac.wordpress.org/browser/getcontentfromurl/tags/1.0/classes/shortcode.class.php#L20 |
| dashboardbuilder--DASHBOARD BUILDER WordPress plugin for Charts and Graphs | The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output. | 2026-01-14 | 7.1 | CVE-2025-14615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/106b31ed-d509-4551-a134-02193ab22fe1?source=cve https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder-admin.php#L158 https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder-admin.php#L158 https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder.php#L51 https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder.php#L51 |
| Dell--SupportAssist OS Recovery | Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-13 | 7.5 | CVE-2025-46685 | https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456 |
| Delta Electronics--DIAView | Delta Electronics DIAView has multiple vulnerabilities. | 2026-01-16 | 9.8 | CVE-2025-62581 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf |
| Delta Electronics--DIAView | Delta Electronics DIAView has multiple vulnerabilities. | 2026-01-16 | 9.8 | CVE-2025-62582 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf |
| Delta Electronics--DIAView | Delta Electronics DIAView has Command Injection vulnerability. | 2026-01-16 | 7.8 | CVE-2026-0975 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00002_DIAView%20-Exposed%20Dangerous%20Method%20Remote%20Code%20Execution%20(CVE-2026-0975).pdf |
| denoland--deno | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path's extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6. | 2026-01-15 | 8.1 | CVE-2026-22864 | https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6 https://github.com/denoland/deno/releases/tag/v2.5.6 |
| Denver--Smart Wifi Camera | Denver SHC-150 Smart Wifi Camera contains a hardcoded telnet credential vulnerability that allows unauthenticated attackers to access a Linux shell. Attackers can connect to port 23 using the default credential to execute arbitrary commands on the camera's operating system. | 2026-01-15 | 9.8 | CVE-2021-47796 | ExploitDB-50160 Official Product Homepage VulnCheck Advisory: Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE) |
| dfir-iris--iris-web | Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24. | 2026-01-12 | 9.6 | CVE-2026-22783 | https://github.com/dfir-iris/iris-web/security/advisories/GHSA-qhqj-8qw6-wp8v https://github.com/dfir-iris/iris-web/commit/57c1b80494bac187893aebc6d9df1ce6e56485b7 |
| dharashah--Chikitsa Patient Management System | Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability in the backup restoration functionality. Authenticated attackers can upload a modified backup zip file with a malicious PHP shell to execute arbitrary system commands on the server. | 2026-01-15 | 8.8 | CVE-2021-47757 | ExploitDB-50572 Product Webpage Product GitHub Repository Product Sourceforge Page |
| dharashah--Chikitsa Patient Management System | Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables arbitrary command execution on the server through a weaponized PHP script. | 2026-01-15 | 8.8 | CVE-2021-47758 | ExploitDB-50571 Product Webpage Product GitHub Repository Product Sourceforge Page |
| Diskboss--DiskBoss Service | DiskBoss Service 12.2.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path locations to gain system-level access during service startup. | 2026-01-16 | 7.8 | CVE-2021-47822 | ExploitDB-49899 Official Vendor Homepage VulnCheck Advisory: DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path |
| Diskpulse--DiskPulse | DiskPulse Enterprise 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Pulse Enterprise\bin\diskpls.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2020-36927 | ExploitDB-50012 Vendor Homepage VulnCheck Advisory: DiskPulse 13.6.14 - Unquoted Service Path |
| Disksavvy--Disk Savvy | Disk Savvy 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-15 | 7.8 | CVE-2021-47805 | ExploitDB-50024 Vendor Homepage VulnCheck Advisory: Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path |
| Disksorter--Disk Sorter Enterprise | Disk Sorter Enterprise 13.6.12 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47809 | ExploitDB-50014 Vendor Homepage VulnCheck Advisory: Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path |
| Disksorter--Disk Sorter Server | Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Server\bin\disksrs.exe' to inject malicious executables and escalate privileges. | 2026-01-16 | 7.8 | CVE-2021-47847 | ExploitDB-50013 Vendor Homepage VulnCheck Advisory: Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path |
| divisupreme--Supreme Modules Lite Divi Theme, Extra Theme and Divi Builder | The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-01-15 | 8.8 | CVE-2025-13062 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1819f2eb-51ef-4ba4-9137-ab64710fa6c8?source=cve https://plugins.trac.wordpress.org/changeset/3423427/supreme-modules-for-divi |
| docmost--docmost | Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there are no validation on filename. This vulnerability is fixed in 0.24.0. | 2026-01-15 | 7.1 | CVE-2026-22249 | https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg https://github.com/docmost/docmost/pull/1753 https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05 https://github.com/docmost/docmost/releases/tag/v0.24.0 |
| Dolibarr--CRM | Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation. | 2026-01-15 | 7.2 | CVE-2021-47779 | ExploitDB-50432 Official Dolibarr Vendor Homepage Dolibarr GitHub Repository VulnCheck Advisory: Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation |
| donknap--dpanel | DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2. | 2026-01-15 | 8.1 | CVE-2025-66292 | https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119 https://github.com/donknap/dpanel/releases/tag/v1.9.2 |
| Dupscout--Dup Scout | Dup Scout 13.5.28 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Dup Scout Server\bin\dupscts.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47806 | ExploitDB-50025 Vendor Homepage VulnCheck Advisory: Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path |
| dupterminator--DupTerminator | DupTerminator 1.4.5639.37199 contains a denial of service vulnerability that allows attackers to crash the application by inputting a long character string in the Excluded text box. Attackers can generate a payload of 8000 repeated characters to trigger the application to stop working on Windows 10. | 2026-01-16 | 7.5 | CVE-2021-47818 | ExploitDB-49917 DupTerminator Project Homepage VulnCheck Advisory: DupTerminator 1.4.5639.37199 - Denial of Service |
| dvcrn--Markright | Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. Attackers can upload specially crafted markdown files that execute arbitrary JavaScript when opened, potentially enabling remote code execution on the victim's system. | 2026-01-16 | 7.2 | CVE-2021-47838 | ExploitDB-49834 Markright GitHub Repository Proof of Concept Video VulnCheck Advisory: Markright 1.0 - Persistent Cross-Site Scripting |
| Dynojet--Dynojet Power Core | Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. Attackers can exploit the unquoted binary path by placing malicious executables in the service's file path to gain Local System access. | 2026-01-15 | 7.8 | CVE-2021-47773 | ExploitDB-50466 Official Vendor Homepage |
| E107--e107 CMS | e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended upload directory. This can lead to complete compromise of the web application by overwriting configuration files, executable scripts, or other critical system components. The vulnerability was discovered by Hubert Wojciechowski and affects the image.php component in the admin interface. | 2026-01-13 | 7.2 | CVE-2022-50939 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Upload Restriction Bypass with Path Traversal File Override |
| e107--e107 CMS | e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager's remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS. | 2026-01-13 | 9.8 | CVE-2022-50905 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Reflected XSS via Comment Flow |
| e107--e107 CMS | e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature. | 2026-01-13 | 7.2 | CVE-2022-50907 | ExploitDB-50910 Official e107 CMS Vendor Homepage e107 CMS Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Admin Upload Restriction Bypass + RCE |
| e107--e107 CMS | e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing files like top.php in the web application directory. | 2026-01-13 | 7.2 | CVE-2022-50916 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Upload restriction bypass (Authenticated [Admin])+ Server file override |
| EaseUS--EaseUS Data Recovery | EaseUS Data Recovery 15.1.0.0 contains an unquoted service path vulnerability in the EaseUS UPDATE SERVICE executable. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. | 2026-01-13 | 8.4 | CVE-2022-50914 | ExploitDB-50886 EaseUS Official Homepage VulnCheck Advisory: EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path |
| Elastic--Kibana | External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads. | 2026-01-14 | 8.6 | CVE-2026-0532 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524 |
| Emerson--Emerson PAC Machine Edition | Emerson PAC Machine Edition 9.80 contains an unquoted service path vulnerability in the TrapiServer service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50930 | ExploitDB-50745 Emerson Official Homepage Software Download Link VulnCheck Advisory: Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path |
| En--Kingdia CD Extractor | Kingdia CD Extractor 3.0.2 contains a buffer overflow vulnerability in the registration name field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload exceeding 256 bytes to overwrite Structured Exception Handler and gain remote code execution through a bind shell. | 2026-01-15 | 9.8 | CVE-2021-47774 | ExploitDB-50470 Software Download Page |
| envoyproxy--gateway | Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2. | 2026-01-12 | 8.8 | CVE-2026-22771 | https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22 |
| Epic Games--Epic Games Store | A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. | 2026-01-15 | 8.8 | CVE-2025-61973 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2279 |
| Explorerplusplus--Explorer32++ | Explorer32++ 1.3.5.531 contains a buffer overflow vulnerability in Structured Exception Handler (SEH) records that allows attackers to execute arbitrary code. Attackers can exploit the vulnerability by providing a long file name argument over 396 characters to corrupt the SEH chain and potentially execute malicious code. | 2026-01-13 | 9.8 | CVE-2023-54334 | ExploitDB-51077 Archived Explorer++ Website VulnCheck Advisory: Explorer32++ 1.3.5.531 - Buffer overflow |
| Extplorer--eXtplorer | eXtplorer 2.1.14 contains an authentication bypass vulnerability that allows attackers to login without a password by manipulating the login request. Attackers can exploit this flaw to upload malicious PHP files and execute remote commands on the vulnerable file management system. | 2026-01-13 | 9.8 | CVE-2023-54335 | ExploitDB-51067 Official eXtplorer Product Homepage VulnCheck Advisory: eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE) |
| FeMiner--wms | A security vulnerability has been detected in FeMiner wms up to 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 7.3 | CVE-2026-1059 | VDB-341628 | FeMiner wms chkuser.php sql injection VDB-341628 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731236 | GitHub WMS (Warehouse Management System) V1.0 SQL Injection https://github.com/wangchaoxing/CVE/issues/1 |
| FmeAddons--Registration & Login with Mobile Phone Number for WooCommerce | The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a users identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password. | 2026-01-17 | 9.8 | CVE-2025-10484 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72?source=cve https://woocommerce.com/products/registration-login-with-mobile-phone-number/ |
| Fortinet--FortiFone | An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in Fortinet FortiFone 7.0.0 through 7.0.1, FortiFone 3.0.13 through 3.0.23 allows an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests. | 2026-01-13 | 9.3 | CVE-2025-47855 | https://fortiguard.fortinet.com/psirt/FG-IR-25-260 |
| Fortinet--FortiSIEM | An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, FortiSIEM 6.7.0 through 6.7.10 may allow an attacker to execute unauthorized code or commands via crafted TCP requests. | 2026-01-13 | 9.4 | CVE-2025-64155 | https://fortiguard.fortinet.com/psirt/FG-IR-25-772 |
| Fortinet--FortiSwitchManager | A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4.0 through 6.4.16, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows attacker to execute unauthorized code or commands via specially crafted packets | 2026-01-13 | 7.4 | CVE-2025-25249 | https://fortiguard.fortinet.com/psirt/FG-IR-25-084 |
| Freeter--Freeter | Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. Attackers can craft malicious files with embedded scripts that execute when victims interact with the application, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47835 | ExploitDB-49833 Official Freeter Product Homepage Proof of Concept Video VulnCheck Advisory: Freeter 1.2.1 - Persistent Cross-Site Scripting |
| Gearboxcomputers--WifiHotSpot | WifiHotSpot 1.0.0.0 contains an unquoted service path vulnerability in its WifiHotSpotService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47833 | ExploitDB-49845 WiFi Hotspot Product Page VulnCheck Advisory: WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path |
| getarcaneapp--arcane | Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane's updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0. | 2026-01-15 | 9.1 | CVE-2026-23520 | https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8 https://github.com/getarcaneapp/arcane/pull/1468 https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4 https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0 |
| Getgrav--GravCMS | GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution. | 2026-01-15 | 7.5 | CVE-2021-47812 | ExploitDB-49973 Official Grav CMS Homepage VulnCheck Advisory: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2) |
| Getoutline--Outline | Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalSystem permissions. | 2026-01-13 | 8.4 | CVE-2023-54331 | ExploitDB-51128 Official Outline Product Homepage VulnCheck Advisory: Outline 1.6.0 - Unquoted Service Path |
| Github--Sandboxie Plus | Sandboxie Plus 0.7.4 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47832 | ExploitDB-49842 Sandboxie Plus GitHub Repository VulnCheck Advisory: Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. | 2026-01-14 | 7.7 | CVE-2025-11224 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #573223 HackerOne Bug Bounty Report #3277291 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3. | 2026-01-15 | 7.5 | CVE-2025-64516 | https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46 https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27 https://github.com/glpi-project/glpi/releases/tag/10.0.21 https://github.com/glpi-project/glpi/releases/tag/11.0.3 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3. | 2026-01-15 | 7.5 | CVE-2025-66417 | https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9 |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality. | 2026-01-16 | 9.8 | CVE-2026-1019 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-16 | 9.8 | CVE-2026-1021 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing Unauthenticated remote attacker to exploit Absolute Path Traversal to download arbitrary system files. | 2026-01-16 | 7.5 | CVE-2026-1018 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac--Statistics Database System | Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 2026-01-16 | 7.5 | CVE-2026-1022 | https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html |
| Gotac--Statistics Database System | Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents. | 2026-01-16 | 7.5 | CVE-2026-1023 | https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html |
| Grocerycrud--Grocery crud | Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information. | 2026-01-15 | 8.2 | CVE-2021-47811 | ExploitDB-49985 Vendor Homepage Software Download Page VulnCheck Advisory: Grocery crud 1.6.4 - 'order_by' SQL Injection |
| h3js--h3 | H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5. | 2026-01-15 | 8.9 | CVE-2026-23527 | https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097 |
| HCL Software--MyXalytics | HCL MyXalytics v6.7 is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk | 2026-01-16 | 7.4 | CVE-2025-59870 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128115 |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Arbitrary file deletion vulnerability have been identified in a system function of mobility conductors running AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary files within the affected system and potentially result in denial-of-service conditions on affected devices. | 2026-01-13 | 8.2 | CVE-2025-37168 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | A stack overflow vulnerability exists in the AOS-10 web-based management interface of a Mobility Gateway. Successful exploitation could allow an authenticated malicious actor to execute arbitrary code as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37169 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37170 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37171 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37172 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | An improper input handling vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor with valid credentials to trigger unintended behavior on the affected system. | 2026-01-13 | 7.2 | CVE-2025-37173 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Authenticated arbitrary file write vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to create or modify arbitrary files and execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37174 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privilege user and execute arbitrary commands on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37175 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37181 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37182 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37183 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--Instant On | A vulnerability in the router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor could gain knowledge of internal network configuration details through inspecting impacted packets. | 2026-01-13 | 7.5 | CVE-2025-37165 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--Instant On | A vulnerability affecting HPE Networking Instant On Access Points has been identified where a device processing a specially crafted packet could enter a non-responsive state, in some cases requiring a hard reset to re-establish services. A malicious actor could leverage this vulnerability to conduct a Denial-of-Service attack on a target network. | 2026-01-13 | 7.5 | CVE-2025-37166 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--Virtual Intranet Access (VIA) | A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking Virtual Intranet Access (VIA) client. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges. | 2026-01-13 | 7.8 | CVE-2025-37186 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04994en_us&docLocale=en_US |
| Hikvision--DS-96xxxNI-Hx | There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision NVR/DVR/CVR/IPC models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. | 2026-01-13 | 8.8 | CVE-2025-66177 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/ |
| Hikvision--DS-K1T331 | There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. | 2026-01-13 | 8.8 | CVE-2025-66176 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/ |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono's JWK/JWKS JWT verification middleware allowed the JWT header's alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4. | 2026-01-13 | 8.2 | CVE-2026-22817 | https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4 https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono's JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values. This vulnerability is fixed in 4.11.4. | 2026-01-13 | 8.2 | CVE-2026-22818 | https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4 https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134 |
| Httpdebugger--HTTPDebuggerPro | HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system. | 2026-01-15 | 7.8 | CVE-2021-47762 | ExploitDB-50545 Official Product Homepage |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68955 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68956 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8.4 | CVE-2025-68957 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68958 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the video framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8.4 | CVE-2025-68960 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Double free vulnerability in the multi-mode input module. Impact: Successful exploitation of this vulnerability may affect the input function. | 2026-01-14 | 7.8 | CVE-2025-68968 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| I-Funbox--iFunbox | iFunbox 4.2 contains an unquoted service path vulnerability in the Apple Mobile Device Service that allows local attackers to execute code with elevated privileges. Attackers can insert a malicious executable into the unquoted service path to run with LocalSystem privileges when the service restarts. | 2026-01-15 | 7.8 | CVE-2021-47803 | ExploitDB-50040 iFunbox Official Homepage VulnCheck Advisory: iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path |
| ilwebmaster21--WOW21 | WOW21 5.0.1.9 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50921 | ExploitDB-50818 Archived Product Homepage VulnCheck Advisory: WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path |
| ImpressCMS--ImpressCMS | ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions .php2.php6.php7.phps.pht to execute arbitrary PHP code on the server. | 2026-01-13 | 9.8 | CVE-2022-50912 | ExploitDB-50890 Official ImpressCMS Homepage ImpressCMS GitHub Repository VulnCheck Advisory: ImpressCMS 1.4.4 - Unrestricted File Upload |
| Inbit--Inbit Messenger | Inbit Messenger 4.6.0 - 4.9.0 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by exploiting a stack overflow in the messenger's protocol. Attackers can send specially crafted XML packets to port 10883 with a malicious payload to trigger the vulnerability and execute commands with system privileges. | 2026-01-13 | 9.8 | CVE-2023-54329 | ExploitDB-51127 Archived Software Download Page Exploit Write-Up VulnCheck Advisory: Inbit Messenger 4.9.0 - Unauthenticated Remote Command Execution (RCE) |
| Inbit--Inbit Messenger | Inbit Messenger versions 4.6.0 to 4.9.0 contain a remote stack-based buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code by sending malformed network packets. Attackers can craft a specially designed payload targeting the messenger's network handler to overwrite the Structured Exception Handler (SEH) and execute shellcode on vulnerable Windows systems. | 2026-01-13 | 9.8 | CVE-2023-54330 | ExploitDB-51126 Archived Software Download Page Exploit Write-Up VulnCheck Advisory: Inbit Messenger 4.9.0 - Unauthenticated Remote SEH Overflow |
| Infonetsoftware--Mediconta | Mediconta 3.7.27 contains an unquoted service path vulnerability in the servermedicontservice that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\medicont3\ to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2023-54336 | ExploitDB-51064 Vendor Homepage VulnCheck Advisory: Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12050 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12051 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12052 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12053 | https://www.insyde.com/security-pledge/sa-2025010/ |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, There is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2. | 2026-01-13 | 8.8 | CVE-2026-22861 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-vr49-3vf8-7j5h https://github.com/InternationalColorConsortium/iccDEV/pull/475 https://github.com/InternationalColorConsortium/iccDEV/pull/476 https://github.com/InternationalColorConsortium/iccDEV/commit/fa9a364c01fc2e59eb2291e1f9b1c1359b7d5329 |
| ITEC--TCQ | ITeC ITeCProteccioAppServer contains an unquoted service path vulnerability that allows local attackers to execute code with elevated system privileges. Attackers can insert a malicious executable in the service path to gain elevated access during service restart or system reboot. | 2026-01-13 | 8.4 | CVE-2022-50913 | ExploitDB-50902 Vendor Homepage VulnCheck Advisory: TCQ - 'ITeCProteccioAppServer.exe' Unquoted Service Path |
| itsourcecode--Society Management System | A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-01-18 | 7.3 | CVE-2026-1119 | VDB-341711 | itsourcecode Society Management System delete_activity.php sql injection VDB-341711 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734290 | itsourcecode Society Management System V1.0 SQL injection https://github.com/AriazzzZ/CVE/issues/1 https://itsourcecode.com/ |
| IVT Corp--Bluetooth Application BlueSoleilCS | BlueSoleilCS 5.4.277 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in 'C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe' to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50928 | ExploitDB-50761 Archived IVT Corporation Website VulnCheck Advisory: Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path |
| jeroenpeters1986--Name Directory | The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 7.2 | CVE-2025-15283 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9de67e-24f7-4c4a-b187-405597b838c3?source=cve https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/shortcode.php?marks=38,41,69#L38 https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/admin.php?marks=927-928#L927 |
| jokkedk--Webgrind | Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, such as using payload '0%27%26calc.exe%26%27' to execute commands on the target system. | 2026-01-13 | 9.8 | CVE-2023-54339 | ExploitDB-51074 Webgrind GitHub Repository VulnCheck Advisory: Webgrind 1.1 - Remote Command Execution (RCE) via dataFile Parameter |
| jotron--StudyMD | StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47842 | ExploitDB-49832 StudyMD GitHub Repository Proof of Concept Video VulnCheck Advisory: StudyMD 0.3.2 - Persistent Cross-Site Scripting |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhaust the address pools of other subnets, leading to a Denial of Service (DoS) on the downstream DHCP server. By default, the DHCP relay agent inserts its own Option 82 information when forwarding client requests, optionally replacing any Option 82 information provided by the client. When a specific DHCP DISCOVER is received in 'forward-only' mode with Option 82, the device should drop the message unless 'trust-option82' is configured. Instead, the DHCP relay forwards these packets to the DHCP server unmodified, which uses up addresses in the DHCP server's address pool, ultimately leading to address pool exhaustion. This issue affects Junos OS: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S12, * all versions of 22.2, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R1-S1, 25.2R2. Junos OS Evolved: * all versions before 21.4R3-S12-EVO, * all versions of 22.2-EVO, * from 22.4 before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. | 2026-01-15 | 7.4 | CVE-2025-59960 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103149 |
| Juniper Networks--Junos OS | A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer. This issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring: [ protocols bgp ... disable-4byte-as ] Established BGP sessions can be checked by executing: show bgp neighbor <IP address> | match "4 byte AS" This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 7.5 | CVE-2025-60003 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103166 |
| Juniper Networks--Junos OS | A Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows an unauthenticated network-based attacker sending specific SIP messages over TCP to crash the flow management process, leading to a Denial of Service (DoS). On SRX Series, and MX Series with MX-SPC3 or MS-MPC service cards, receipt of multiple SIP messages causes the SIP headers to be parsed incorrectly, eventually causing a continuous loop and leading to a watchdog timer expiration, crashing the flowd process on SRX Series and MX Series with MX-SPC3, or mspmand process on MX Series with MS-MPC. This issue only occurs over TCP. SIP messages sent over UDP cannot trigger this issue. This issue affects Junos OS on SRX Series and MX Series with MX-SPC3 and MS-MPC: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21905 | https://supportportal.juniper.net/JSA106004 https://kb.juniper.net/JSA106004 |
| Juniper Networks--Junos OS | An Improper Handling of Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated network-based attacker sending a specific ICMP packet through a GRE tunnel to cause the PFE to crash and restart. When PowerMode IPsec (PMI) and GRE performance acceleration are enabled and the device receives a specific ICMP packet, a crash occurs in the SRX PFE, resulting in traffic loss. PMI is enabled by default, and GRE performance acceleration can be enabled by running the configuration command shown below. PMI is a mode of operation that provides IPsec performance improvements using Vector Packet Processing. Note that PMI with GRE performance acceleration is only supported on specific SRX platforms. This issue affects Junos OS on the SRX Series: * all versions before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21906 | https://supportportal.juniper.net/JSA106005 https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-powermode-ipsec-vpn.html https://kb.juniper.net/JSA106005 |
| Juniper Networks--Junos OS | A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root. The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but was then referenced later in the same code path. Successful exploitation is outside the attacker's direct control due to the specific timing of the two events required to execute the vulnerable code path. This issue affects systems with 802.1X authentication port-based network access control (PNAC) enabled. This issue affects: Junos OS: * from 23.2R2-S1 before 23.2R2-S5, * from 23.4R2 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S2, 25.2R2; Junos OS Evolved: * from 23.2R2-S1 before 23.2R2-S5-EVO, * from 23.4R2 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S3-EVO, * from 24.4 before 24.4R2-S1-EVO, * from 25.2 before 25.2R1-S2-EVO, 25.2R2-EVO. | 2026-01-15 | 7.1 | CVE-2026-21908 | https://supportportal.juniper.net/JSA106007 https://kb.juniper.net/JSA106007 |
| Juniper Networks--Junos OS | An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP) a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted. The following reboot reason can be seen in the output of 'show chassis routing-engine' and as a log message: reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump This issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP: * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S2, 25.2R2. This issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1. | 2026-01-15 | 7.5 | CVE-2026-21913 | https://supportportal.juniper.net/JSA106014 https://kb.juniper.net/JSA106014 |
| Juniper Networks--Junos OS | An Improper Locking vulnerability in the GTP plugin of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (Dos). If an SRX Series device receives a specifically malformed GPRS Tunnelling Protocol (GTP) Modify Bearer Request message, a lock is acquired and never released. This results in other threads not being able to acquire a lock themselves, causing a watchdog timeout leading to FPC crash and restart. This issue leads to a complete traffic outage until the device has automatically recovered. This issue affects Junos OS on SRX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21914 | https://supportportal.juniper.net/JSA106015 https://kb.juniper.net/JSA106015 |
| Juniper Networks--Junos OS | An Improper Validation of Syntactic Correctness of Input vulnerability in the Web-Filtering module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX device configured for UTM Web-Filtering receives a specifically malformed SSL packet, this will cause an FPC crash and restart. This issue affects Junos OS on SRX Series: * 23.2 versions from 23.2R2-S2 before 23.2R2-S5, * 23.4 versions from 23.4R2-S1 before 23.4R2-S5, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R1-S3, 24.4R2. Earlier versions of Junos are also affected, but no fix is available. | 2026-01-15 | 7.5 | CVE-2026-21917 | https://supportportal.juniper.net/JSA105996 https://kb.juniper.net/JSA105996 |
| Juniper Networks--Junos OS | A Double Free vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On all SRX and MX Series platforms, when during TCP session establishment a specific sequence of packets is encountered a double free happens. This causes flowd to crash and the respective FPC to restart. This issue affects Junos OS on SRX and MX Series: * all versions before 22.4R3-S7, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2. | 2026-01-15 | 7.5 | CVE-2026-21918 | https://supportportal.juniper.net/JSA106018 https://kb.juniper.net/JSA106018 |
| Juniper Networks--Junos OS | An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device configured for DNS processing, receives a specifically formatted DNS request flowd will crash and restart, which causes a service interruption until the process has recovered. This issue affects Junos OS on SRX Series: * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R2. This issue does not affect Junos OS versions before 23.4R1. | 2026-01-15 | 7.5 | CVE-2026-21920 | https://supportportal.juniper.net/JSA106020 https://kb.juniper.net/JSA106020 |
| kalyan02--NanoCMS | NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. Authenticated attackers can upload PHP files with arbitrary code to the server's pages directory by exploiting the page creation mechanism without proper input sanitization. | 2026-01-13 | 8.8 | CVE-2022-50898 | ExploitDB-50997 NanoCMS GitHub Repository NanoCMS Exploit Archive VulnCheck Advisory: NanoCMS 0.4 - Remote Code Execution (RCE) (Authenticated) |
| kraftplugins--Demo Importer Plus | The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0. | 2026-01-17 | 7.5 | CVE-2025-14478 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b?source=cve https://plugins.trac.wordpress.org/browser/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php#L88 https://plugins.trac.wordpress.org/browser/demo-importer-plus/tags/2.0.6/inc/importers/class-demo-importer-plus-sites-helper.php#L88 https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php |
| KYOCERA Document Solutions--Kyocera Command Center RX | Kyocera Command Center RX ECOSYS M2035dn contains a directory traversal vulnerability that allows unauthenticated attackers to read sensitive system files by manipulating file paths under the /js/ path. Attackers can exploit the issue by sending requests like /js/../../../../.../etc/passwd%00.jpg (null-byte appended traversal) to access critical files such as /etc/passwd and /etc/shadow. | 2026-01-13 | 7.5 | CVE-2022-50932 | ExploitDB-50738 Kyocera Command Center RX Official Product Page VulnCheck Advisory: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated) |
| LabRedesCefetRJ--WeGIA | WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the id_memorando GET parameter before reflecting it into the HTML source (likely inside a <script> block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user's browser session. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 9.1 | CVE-2026-23722 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 7.2 | CVE-2026-23723 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xfmp-2hf9-gfjp https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| Laravel--Laravel Valet | Laravel Valet versions 1.1.4 to 2.0.3 contain a local privilege escalation vulnerability that allows users to modify the valet command with root privileges. Attackers can edit the symlinked valet command to execute arbitrary code with root permissions without additional authentication. | 2026-01-15 | 8.4 | CVE-2021-47756 | ExploitDB-50591 Laravel Valet Official Documentation VulnCheck Advisory: Laravel Valet 2.0.3 - Local Privilege Escalation (macOS) |
| Leawo--Leawo Prof. Media | Leawo Prof. Media 11.0.0.1 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized payload in the activation keycode field. Attackers can generate a 6000-byte buffer of repeated characters to trigger an application crash when pasted into the registration interface. | 2026-01-15 | 7.5 | CVE-2021-47797 | ExploitDB-50153 Vendor Homepage VulnCheck Advisory: Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC) |
| lemonldap-ng--LemonLDAP::NG | In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication. | 2026-01-16 | 7.2 | CVE-2025-31510 | https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3341 |
| Lenovo--ThinkPlus FU100 | A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint. | 2026-01-14 | 7.8 | CVE-2025-13455 | https://iknow.lenovo.com.cn/detail/436983 |
| Levelprograms--Kmaleon | Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information. | 2026-01-15 | 7.1 | CVE-2021-47766 | ExploitDB-50499 Archived Kmaleon Software Product Page |
| Litexmedia--Audio Conversion Wizard | Audio Conversion Wizard v2.01 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory with a specially crafted registration code. Attackers can generate a payload that overwrites the application's memory stack, potentially enabling remote code execution through a carefully constructed input buffer. | 2026-01-13 | 9.8 | CVE-2022-50922 | ExploitDB-50811 Audio Wizard Product Webpage VulnCheck Advisory: Audio Conversion Wizard v2.01 - Buffer Overflow |
| Litexmedia--YouTube Video Grabber | YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attackers can craft a malicious payload of 712 bytes with SEH manipulation to trigger a bind shell connection on a specified local port. | 2026-01-15 | 8.4 | CVE-2021-47775 | ExploitDB-50471 Product Webpage |
| Macro-Expert--Macro Expert | Macro Expert 4.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the improperly configured service path to inject malicious executables that will be run with LocalSystem permissions during service startup. | 2026-01-15 | 7.8 | CVE-2021-47780 | ExploitDB-50431 Macro Expert Official Website VulnCheck Advisory: Macro Expert 4.7 - Unquoted Service Path |
| Mailhog--Mailhog | Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation. | 2026-01-13 | 7.2 | CVE-2022-50908 | ExploitDB-50971 MailHog GitHub Repository Shodan Search Results for MailHog VulnCheck Advisory: Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS) |
| Malavida--Cain & Abel | Cain & Abel 4.9.56 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions. | 2026-01-13 | 8.4 | CVE-2022-50933 | ExploitDB-50728 Official Software Download Page VulnCheck Advisory: Cain & Abel 4.9.56 - Unquoted Service Path |
| MCPJam--inspector | MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch. | 2026-01-16 | 9.8 | CVE-2026-23744 | https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6 https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a |
| MegaTKC--Aero CMS | Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system. | 2026-01-13 | 8.2 | CVE-2022-50895 | ExploitDB-51022 Archived AeroCMS GitHub Repository Vulnerability Research Repository VulnCheck Advisory: Aero CMS 0.0.1 - SQL Injection |
| Merit LILIN--DH032 | Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. | 2026-01-12 | 8.8 | CVE-2026-0854 | https://www.twcert.org.tw/tw/cp-132-10624-6599c-1.html https://www.twcert.org.tw/en/cp-139-10623-4f523-2.html |
| Merit LILIN--P2 | Certain IP Camera models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. | 2026-01-12 | 8.8 | CVE-2026-0855 | https://www.twcert.org.tw/tw/cp-132-10625-fac5c-1.html https://www.twcert.org.tw/en/cp-139-10626-afbe2-2.html |
| metagauss--RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login | The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to injecting an empty slug into the order parameter, and manipulate the plugin's menu generation logic, and when the admin menu is subsequently built, the plugin adds 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user. | 2026-01-17 | 9.8 | CVE-2025-15403 | https://www.wordfence.com/threat-intel/vulnerabilities/id/68dd9f6f-ccee-4a27-bd21-2fb32b92cc62?source=cve https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/controllers/class_rm_options_controller.php#L562 https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/class_rm_admin.php#L487 https://plugins.trac.wordpress.org/changeset/3440797/custom-registration-form-builder-with-submission-manager#file2 |
| Microsoft--Azure Connected Machine Agent | Stack-based buffer overflow in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-21224 | Azure Connected Machine Agent Elevation of Privilege Vulnerability |
| Microsoft--Azure Core shared client library for Python | Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network. | 2026-01-13 | 7.5 | CVE-2026-21226 | Azure Core shared client library for Python Remote Code Execution Vulnerability |
| Microsoft--Microsoft 365 Apps for Enterprise | Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20944 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft--Microsoft 365 Apps for Enterprise | Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally. | 2026-01-13 | 7.8 | CVE-2026-20949 | Microsoft Excel Security Feature Bypass Vulnerability |
| Microsoft--Microsoft 365 Apps for Enterprise | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20956 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20952 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office 2019 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20946 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Microsoft Power Apps | Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network. | 2026-01-16 | 8 | CVE-2026-20960 | Microsoft Power Apps Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20947 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20963 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20948 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20951 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Server 2019 | Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7 | CVE-2026-20943 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
| Microsoft--Microsoft SQL Server 2022 (GDR) | Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.2 | CVE-2026-20803 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| Microsoft--Office Online Server | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20950 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20955 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20957 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper input validation in Windows Server Update Service allows an unauthorized attacker to execute code over a network. | 2026-01-13 | 8.1 | CVE-2026-20856 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20868 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network. | 2026-01-13 | 8 | CVE-2026-20931 | Windows Telephony Service Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally. | 2026-01-13 | 7.7 | CVE-2026-20804 | Windows Hello Tampering Vulnerability |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows Kernel Memory allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20809 | Windows Kernel Memory Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Free of memory not on the heap in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20810 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20814 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows Installer allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20816 | Windows Installer Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20822 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20826 | Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20831 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability | 2026-01-13 | 7.8 | CVE-2026-20832 | Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20836 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20837 | Windows Media Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20840 | Windows NTFS Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20843 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Clipboard Server allows an unauthorized attacker to elevate privileges locally. | 2026-01-13 | 7.4 | CVE-2026-20844 | Windows Clipboard Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20848 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20849 | Windows Kerberos Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally. | 2026-01-13 | 7.7 | CVE-2026-20852 | Windows Hello Tampering Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows WalletService allows an unauthorized attacker to elevate privileges locally. | 2026-01-13 | 7.4 | CVE-2026-20853 | Windows WalletService Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20858 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20860 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20861 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20864 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20865 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20866 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20867 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Local Session Manager (LSM) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20869 | Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20873 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20874 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network. | 2026-01-13 | 7.5 | CVE-2026-20875 | Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20877 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20918 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20919 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20921 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20923 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20924 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20926 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20929 | Windows HTTP.sys Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20934 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 22H2 | Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20940 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20857 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20938 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
| Microsoft--Windows Admin Center in Azure Portal | Improper verification of cryptographic signature in Windows Admin Center allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.5 | CVE-2026-20965 | Windows Admin Center Elevation of Privilege Vulnerability |
| Microsoft--Windows SDK | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7 | CVE-2026-21219 | Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2019 | Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network. | 2026-01-13 | 7.5 | CVE-2026-0386 | Windows Deployment Services Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2022 | Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20811 | Win32k Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20817 | Windows Error Reporting Service Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20820 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20842 | Microsoft DWM Core Library Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Double free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20863 | Win32k Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Use after free in Desktop Windows Manager allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20871 | Desktop Windows Manager Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20920 | Win32k Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20922 | Windows NTFS Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Printer Association Object allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20808 | Windows File Explorer Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20815 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20830 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network. | 2026-01-13 | 7.5 | CVE-2026-20854 | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20859 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20870 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20941 | Host Process for Windows Tasks Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-21221 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Millegpg--MilleGPG5 | MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts. | 2026-01-15 | 7.8 | CVE-2021-47761 | ExploitDB-50558 Vendor Homepage |
| mindsdb--mindsdb | MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB's storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1. | 2026-01-12 | 8.1 | CVE-2025-68472 | https://github.com/mindsdb/mindsdb/security/advisories/GHSA-qqhf-pm3j-96g7 |
| MIT--Kerberos 5 | In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash. | 2026-01-16 | 7.1 | CVE-2025-24528 | https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0 https://github.com/krb5/krb5/compare/krb5-1.21.3-final...krb5-1.22-final |
| Modular DS--Modular DS | Incorrect Privilege Assignment vulnerability in Modular DS allows Privilege Escalation.This issue affects Modular DS: from n/a through 2.5.1. | 2026-01-14 | 10 | CVE-2026-23550 | https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-monitor-update-and-backup-multiple-websites-plugin-2-5-1-privilege-escalation-vulnerability?_s_id=cve https://patchstack.com/articles/critical-privilege-escalation-vulnerability-in-modular-ds-plugin-affecting-40k-sites-exploited-in-the-wild/ https://help.modulards.com/en/article/modular-ds-security-release-modular-connector-252-dm3mv0/ |
| Moeditor--Moeditor | Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload specially crafted markdown files with embedded JavaScript that execute when opened, potentially enabling remote code execution on the victim's system. | 2026-01-16 | 7.2 | CVE-2021-47840 | ExploitDB-49830 Moeditor Official Homepage Proof of Concept Video VulnCheck Advisory: Moeditor 0.2.0 - Persistent Cross-Site Scripting |
| Mp3-Avi-Mpeg-Wmv-Rm-To-Audio-Cd-Burner--Ether_MP3_CD_Burner | Ether MP3 CD Burner 1.3.8 contains a buffer overflow vulnerability in the registration name field that allows remote code execution. Attackers can craft a malicious payload to overwrite SEH handlers and execute a bind shell on port 3110 by exploiting improper input validation. | 2026-01-15 | 9.8 | CVE-2021-47785 | ExploitDB-50332 Software Download Link VulnCheck Advisory: Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH) |
| mrvladus--Errands | Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. | 2026-01-12 | 8.2 | CVE-2025-71063 | https://github.com/mrvladus/Errands/issues/401 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123738 https://github.com/mrvladus/Errands/releases/tag/46.2.10 https://github.com/mrvladus/Errands/commit/04e567b432083fc798ea2249363ea6c83ff01099 https://github.com/mrvladus/Errands/compare/46.2.9...46.2.10 |
| n/a--EasyCMS | A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 7.3 | CVE-2026-1105 | VDB-341697 | EasyCMS UserAction.class.php sql injection VDB-341697 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731465 | https://github.com/TeamEasy/EasyCMS EasyCMS v1.6 SQL injection vulnerability https://github.com/ueh1013/VULN/issues/15 |
| N/A--Modular DS | Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0. | 2026-01-16 | 10 | CVE-2026-23800 | https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability?_s_id=cve |
| n8n--n8n | Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under "Internal" execution mode. If the instance is operating under the "External" execution mode (ex. n8n's official Docker image) - arbitrary code execution occurs inside a Sidecar container and not the main node, which significantly reduces the vulnerability impact. | 2026-01-18 | 8.5 | CVE-2026-0863 | https://research.jfrog.com/vulnerabilities/n8n-python-runner-sandbox-escape-jfsa-2026-001651077/ https://github.com/n8n-io/n8n/commit/b73a4283cb14e0f27ce19692326f362c7bf3da02 |
| National Oceanic and Atmospheric Administration (NOAA)--Live Access Server (LAS) | Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24. | 2026-01-15 | 9.8 | CVE-2025-62193 | url url url url url url url |
| Noteburner--NoteBurner | NoteBurner 2.35 contains a buffer overflow vulnerability in the license code input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the 'Name' and 'Code' fields to trigger an application crash. | 2026-01-15 | 9.8 | CVE-2021-47798 | ExploitDB-50154 Official Product Homepage VulnCheck Advisory: NoteBurner 2.35 - Denial Of Service (DoS) (PoC) |
| Nsauditor--Backup Key Recovery | Backup Key Recovery 2.2.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a large buffer of 256 repeated characters into the registration key field to trigger application instability and potential crash. | 2026-01-15 | 7.5 | CVE-2021-47813 | ExploitDB-49966 Vendor Homepage VulnCheck Advisory: Backup Key Recovery 2.2.7 - Denial of Service (PoC) |
| Nsauditor--NBMonitor | NBMonitor 1.6.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a 256-character buffer into the registration key field to trigger an application crash and potential system instability. | 2026-01-15 | 7.5 | CVE-2021-47814 | ExploitDB-49964 Vendor Homepage VulnCheck Advisory: NBMonitor 1.6.8 - Denial of Service (PoC) |
| Nsauditor--Nsauditor | Nsauditor 3.2.3 contains a denial of service vulnerability in the registration code input field that allows attackers to crash the application. Attackers can paste a large buffer of 256 repeated characters into the 'Key' field to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47815 | ExploitDB-49965 Vendor Homepage VulnCheck Advisory: Nsauditor 3.2.3 - Denial of Service (PoC) |
| NVIDIA--NSIGHT Graphics | NVIDIA NSIGHT Graphics for Linux contains a vulnerability where an attacker could cause command injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and denial of service. | 2026-01-14 | 7.8 | CVE-2025-33206 | https://nvd.nist.gov/vuln/detail/CVE-2025-33206 https://www.cve.org/CVERecord?id=CVE-2025-33206 https://nvidia.custhelp.com/app/answers/detail/a_id/5738 |
| Odinesolutions--Odine Solutions GateKeeper | Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. Attackers can exploit the vulnerability by sending crafted payloads to the /rass/api/v1/trafficCycle/ endpoint to manipulate PostgreSQL database queries and potentially extract sensitive information. | 2026-01-15 | 8.2 | CVE-2021-47782 | ExploitDB-50381 Odine Solutions GateKeeper Product Homepage VulnCheck Advisory: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection |
| OpenAgentPlatform--Dive | Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim's machine. This vulnerability is fixed in 0.13.0. | 2026-01-16 | 9.7 | CVE-2026-23523 | https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-pjj5-f3wm-f9m8 https://github.com/OpenAgentPlatform/Dive/commit/a5162ac9eff366d8ea1215b8a47139a81a55a779 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2. | 2026-01-13 | 10 | CVE-2025-68271 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-w757-4qv9-mghp |
| Phoenix Contact--TC ROUTER 3002T-3G | An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation ('Code Injection'). | 2026-01-13 | 8.8 | CVE-2025-41717 | https://certvde.com/de/advisories/VDE-2025-073 |
| Phphtmledit--CuteEditor | CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that allows attackers to write files to arbitrary web root directories. Attackers can exploit the ServerMapPath() function by renaming uploaded HTML files using directory traversal sequences to write files outside the intended template directory. | 2026-01-13 | 7.5 | CVE-2021-47751 | ExploitDB-50994 Vendor Homepage VulnCheck Advisory: CuteEditor for PHP 6.6 - Directory Traversal |
| Phpkf--phpKF CMS | phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter. | 2026-01-15 | 9.8 | CVE-2021-47753 | ExploitDB-50610 Official Vendor Homepage Software Download Page |
| pimcore--pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-14 | 8.8 | CVE-2026-23492 | https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3 |
| pimcore--pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-15 | 8.6 | CVE-2026-23493 | https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h https://github.com/pimcore/pimcore/pull/18918 https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601 https://github.com/pimcore/pimcore/releases/tag/v11.5.14 https://github.com/pimcore/pimcore/releases/tag/v12.3.1 |
| Pjo2--Tftpd32_SE | Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with system-level permissions. | 2026-01-13 | 8.4 | CVE-2023-54338 | ExploitDB-51076 Vendor Homepage VulnCheck Advisory: Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path |
| plugins360--All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-01-16 | 8.8 | CVE-2025-12957 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ad2e1d91-03bd-4e47-b679-81c42414238b?source=cve https://plugins.trac.wordpress.org/changeset/3405593/all-in-one-video-gallery |
| Primera--PTPublisher | PTPublisher 2.3.4 contains an unquoted service path vulnerability in the PTProtect service that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe' to inject malicious executables and gain system-level access. | 2026-01-13 | 8.4 | CVE-2022-50915 | ExploitDB-50885 Primera Technology Official Homepage VulnCheck Advisory: PTPublisher 2.3.4 - Unquoted Service Path |
| Private Internet Access--Private Internet Access | Private Internet Access 3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50924 | ExploitDB-50804 Vendor Homepage Software Download Page VulnCheck Advisory: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path |
| Progress Software--Flowmon ADS | A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability allows authenticated users to execute unintended SQL queries and commands. | 2026-01-13 | 8.8 | CVE-2025-13774 | https://community.progress.com/s/article/Flowmon-ADS-CVE-2025-13774 |
| Progress Software--LoadMaster | OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with "User Administration" permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters | 2026-01-13 | 8.4 | CVE-2025-13444 | https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 |
| Progress Software--LoadMaster | OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with "User Administration" permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters | 2026-01-13 | 8.4 | CVE-2025-13447 | https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 |
| Projeqtor--ProjeQtOr Project Management | ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter. | 2026-01-15 | 9.8 | CVE-2021-47819 | ExploitDB-49919 ProjeQtOr Official Website |
| ProtonVPN--ProtonVPN | ProtonVPN 1.26.0 contains an unquoted service path vulnerability in its WireGuard service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path by placing malicious executables in specific file system locations to gain elevated privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50917 | ExploitDB-50837 ProtonVPN Official Website VulnCheck Advisory: ProtonVPN 1.26.0 - Unquoted Service Path |
| Prowise--Prowise Reflect | Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send keyboard events through an exposed WebSocket on port 8082. Attackers can craft malicious web pages to inject keystrokes, opening applications and typing arbitrary text by sending specific WebSocket messages. | 2026-01-13 | 9.8 | CVE-2022-50925 | ExploitDB-50796 Prowise Official Homepage VulnCheck Advisory: Prowise Reflect v1.0.9 - Remote Keystroke Injection |
| pyasn1--pyasn1 | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. | 2026-01-16 | 7.5 | CVE-2026-23490 | https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970 https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2 |
| Pysoft--Active WebCam | Active WebCam 11.5 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path by placing malicious executables in specific directory locations to gain administrative access. | 2026-01-15 | 7.8 | CVE-2021-47790 | ExploitDB-50273 Software Download Page Vendor Homepage VulnCheck Advisory: Active WebCam 11.5 - Unquoted Service Path |
| Raimersoft--RarmaRadio | RarmaRadio 2.72.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing network configuration fields with large character buffers. Attackers can generate a 100,000 character buffer and paste it into multiple network settings fields to trigger application instability and potential crash. | 2026-01-16 | 7.5 | CVE-2021-47821 | ExploitDB-49906 Vendor Homepage VulnCheck Advisory: RarmaRadio 2.72.8 - Denial of Service |
| Red Hat--Red Hat OpenShift Dev Spaces (RHOSDS) 3.22 | A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333. | 2026-01-13 | 9 | CVE-2025-12548 | RHSA-2025:22620 RHSA-2025:22623 RHSA-2025:22652 https://access.redhat.com/security/cve/CVE-2025-12548 RHBZ#2408850 |
| Redragon--Redragon Gaming Mouse | Redragon Gaming Mouse driver contains a kernel-level vulnerability that allows attackers to trigger a denial of service by sending malformed IOCTL requests. Attackers can send a crafted 2000-byte buffer with specific byte patterns to the REDRAGON_MOUSE device to crash the kernel driver. | 2026-01-15 | 7.5 | CVE-2021-47786 | ExploitDB-50322 Vendor Download Page Vulnerability Research Repository VulnCheck Advisory: Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC) |
| Remotemouse--Remote Mouse | Remote Mouse 4.002 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the RemoteMouseService to inject malicious executables and gain administrative access. | 2026-01-15 | 7.8 | CVE-2021-47792 | ExploitDB-50258 Official Vendor Homepage VulnCheck Advisory: Remote Mouse 4.002 - Unquoted Service Path |
| Ribccs--Build Smart ERP | Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database queries and potentially extract or modify database information. | 2026-01-15 | 8.2 | CVE-2021-47777 | ExploitDB-50445 Build Smart ERP Vendor Homepage |
| risesoft-y9--Digital-Infrastructure | A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. This affects an unknown function of the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the component REST Authenticate Endpoint. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 7.3 | CVE-2026-1050 | VDB-341603 | risesoft-y9 Digital-Infrastructure REST Authenticate Endpoint Y9PlatformUtil.java sql injection VDB-341603 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731010 | risesoft-y9 Digital-Infrastructure <=9.6.7 SQL Injection https://github.com/risesoft-y9/Digital-Infrastructure/issues/2 https://github.com/risesoft-y9/Digital-Infrastructure/issues/2#issue-3777863959 |
| RocketChat--Rocket.Chat | Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0. | 2026-01-14 | 7.7 | CVE-2026-23477 | https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2. | 2026-01-15 | 7.5 | CVE-2026-22265 | https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47 https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2 |
| Sandboxie--Sandboxie Plus | Sandboxie-Plus 5.50.2 contains an unquoted service path vulnerability in the SbieSvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50920 | ExploitDB-50819 Official Sandboxie-Plus Product Homepage VulnCheck Advisory: Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path |
| Sandboxie-Plus--Sandboxie | Sandboxie 5.49.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the container folder input field. Attackers can paste a large buffer of repeated characters into the Sandbox container folder setting to trigger an application crash. | 2026-01-16 | 7.5 | CVE-2021-47831 | ExploitDB-49844 Sandboxie Official Homepage VulnCheck Advisory: Sandboxie 5.49.7 - Denial of Service |
| SAP_SE--SAP Application Server for ABAP and SAP NetWeaver RFCSDK | Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system�s confidentiality, integrity, and availability. | 2026-01-13 | 8.4 | CVE-2026-0507 | https://me.sap.com/notes/3675151 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is not impacted. | 2026-01-13 | 8.1 | CVE-2026-0511 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP HANA database | SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user potentially gaining administrative access. This exploit could result in a total compromise of the system�s confidentiality, integrity, and availability. | 2026-01-13 | 8.8 | CVE-2026-0492 | https://me.sap.com/notes/3691059 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Landscape Transformation | SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | 2026-01-13 | 9.1 | CVE-2026-0491 | https://me.sap.com/notes/3697979 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP NetWeaver Application Server ABAP and ABAP Platform | Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected. | 2026-01-13 | 8.1 | CVE-2026-0506 | https://me.sap.com/notes/3688703 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP S/4HANA (Private Cloud and On-Premise) | SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | 2026-01-13 | 9.1 | CVE-2026-0498 | https://me.sap.com/notes/3694242 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) | Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application. | 2026-01-13 | 9.9 | CVE-2026-0501 | https://me.sap.com/notes/3687749 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Wily Introscope Enterprise Manager (WorkStation) | Due to the usage of vulnerable third party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public facing URL. When a victim clicks on the URL the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromising confidentiality, integrity and availability of the system. | 2026-01-13 | 9.6 | CVE-2026-0500 | https://me.sap.com/notes/3668679 https://url.sap/sapsecuritypatchday |
| shopware--shopware | Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1. | 2026-01-14 | 7.2 | CVE-2026-23498 | https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475 |
| SICK AG--Incoming Goods Suite | A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources. | 2026-01-15 | 8.3 | CVE-2026-0713 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive. | 2026-01-15 | 8.3 | CVE-2026-22638 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. | 2026-01-15 | 8.3 | CVE-2026-22643 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01 | 2026-01-15 | 7.6 | CVE-2026-0712 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--TDC-X401GL | An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data. | 2026-01-15 | 9.9 | CVE-2026-22907 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality. | 2026-01-15 | 9.1 | CVE-2026-22908 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations. | 2026-01-15 | 7.5 | CVE-2026-22909 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system. | 2026-01-15 | 7.5 | CVE-2026-22910 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| Siemens--Industrial Edge Cloud Device (IECD) | Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has learned the identity of a legitimate user. | 2026-01-13 | 10 | CVE-2025-40805 | https://cert-portal.siemens.com/productcert/html/ssa-014678.html https://cert-portal.siemens.com/productcert/html/ssa-001536.html |
| Siemens--SIMATIC ET 200AL IM 157-1 PN | A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) (All versions < V1.3), SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0) (All versions < V6.0.1), SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0) (All versions < V4.2.2), SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0) (All versions), SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0) (All versions < V6.0.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0) (All versions >= V4.2.0), SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0) (All versions < V6.0.0). Affected devices do not properly handle S7 protocol session disconnect requests. When receiving a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, the devices enter an improper session state. This could allow an attacker to cause the device to become unresponsive, leading to a denial-of-service condition that requires a power cycle to restore normal operation. | 2026-01-13 | 7.5 | CVE-2025-40944 | https://cert-portal.siemens.com/productcert/html/ssa-674753.html |
| Siemens--TeleControl Server Basic | A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). Affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges. | 2026-01-13 | 8.8 | CVE-2025-40942 | https://cert-portal.siemens.com/productcert/html/ssa-192617.html |
| Skyjos--Owlfiles File Manager | Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device. | 2026-01-13 | 7.5 | CVE-2022-50890 | ExploitDB-51036 Vendor Homepage Official App Store Listing VulnCheck Advisory: Owlfiles File Manager 12.0.1 - Path Traversal |
| SLIMS--Senayan Library Management System | Senayan Library Management System 9.0.0 contains a SQL injection vulnerability in the 'class' parameter that allows attackers to inject malicious SQL queries. Attackers can exploit the vulnerability by submitting crafted payloads to manipulate database queries and potentially extract sensitive information. | 2026-01-13 | 8.2 | CVE-2022-50805 | ExploitDB-51161 Senayan Library Management System Official Website Vulnerability Research Repository VulnCheck Advisory: Senayan Library Management System 9.0.0 - SQL Injection |
| Smartertools--SmarterTools SmarterTrack | SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with their unique identifiers. | 2026-01-15 | 7.5 | CVE-2020-36926 | ExploitDB-50328 SmarterTools Official Homepage SmarterTrack Product Page VulnCheck Advisory: SmarterTools SmarterTrack 7922 -Information Disclosure |
| Smartftp--SmartFTP Client | SmartFTP Client 10.0.2909.0 contains multiple denial of service vulnerabilities that allow attackers to crash the application through specific input manipulation. Attackers can trigger crashes by entering malformed paths, using invalid IP addresses, or clearing connection history in the client's interface. | 2026-01-15 | 7.5 | CVE-2021-47791 | ExploitDB-50266 SmartFTP Official Homepage SmartFTP Download Page VulnCheck Advisory: SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service |
| SMCI--X12STW-F | There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW-F . An attacker can update the system firmware with a specially crafted image. | 2026-01-16 | 7.2 | CVE-2025-12006 | https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026 |
| SMCI--X13SEM-F | There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F . An attacker can update the system firmware with a specially crafted image. | 2026-01-16 | 7.2 | CVE-2025-12007 | https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026 |
| SMEWebify--WebErpMesv2 | WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19. | 2026-01-12 | 8.2 | CVE-2026-22788 | https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-pp68-5pc2-hv7w https://github.com/SMEWebify/WebErpMesv2/commit/3a7ab1c95d1d1c8f7c62c84bc87b3666ecd2fa23 |
| Softlink Education--Oliver Library Server | Oliver Library Server v5 contains a file download vulnerability that allows unauthenticated attackers to access arbitrary system files through unsanitized input in the FileServlet endpoint. Attackers can exploit the vulnerability by manipulating the 'fileName' parameter to download sensitive files from the server's filesystem. | 2026-01-15 | 9.8 | CVE-2021-47755 | ExploitDB-50599 Oliver Library Server Official Product Homepage |
| Splashtop--Splashtop | Splashtop 8.71.12001.0 contains an unquoted service path vulnerability in the Splashtop Software Updater Service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Splashtop\Splashtop Software Updater\ to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50693 | ExploitDB-51182 Splashtop Official Homepage VulnCheck Advisory: Splashtop 8.71.12001.0 - Unquoted Service Path |
| Splinterware--iDailyDiary | iDailyDiary 4.30 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the preferences tab name field. Attackers can paste a 2,000,000 character buffer into the default diary tab name to trigger an application crash. | 2026-01-16 | 7.5 | CVE-2021-47824 | ExploitDB-49898 Vendor Homepage VulnCheck Advisory: iDailyDiary 4.30 - Denial of Service (PoC) |
| Spy-Emergency--Spy Emergency | Spy Emergency 25.0.650 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted file paths in SpyEmergencyHealth.exe and SpyEmergencySrv.exe to inject malicious code during system startup or service restart. | 2026-01-16 | 7.8 | CVE-2021-47845 | ExploitDB-49997 Vendor Homepage VulnCheck Advisory: Spy Emergency 25.0.650 - Unquoted Service Path |
| stellarwp--Membership Plugin Restrict Content | The Membership Plugin - Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership. | 2026-01-16 | 8.2 | CVE-2025-14844 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7?source=cve https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L848 https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L987 https://docs.stripe.com/api/setup_intents/object https://cwe.mitre.org/data/definitions/639.html https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php |
| strongSwan--strongSwan | In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. | 2026-01-16 | 8.1 | CVE-2025-62291 | https://github.com/strongswan/strongswan/releases https://github.com/strongswan/strongswan/commits/master/src/libcharon/plugins/eap_mschapv2 https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html |
| suitenumerique--docs | LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link. This vulnerability is fixed in 4.4.0. | 2026-01-15 | 8.7 | CVE-2026-22867 | https://github.com/suitenumerique/docs/security/advisories/GHSA-4rwv-ghwh-9rv6 https://github.com/suitenumerique/docs/commit/e807237dbedbc189230296b81c3aeccc1c04fa77 https://github.com/suitenumerique/docs/releases/tag/v4.4.0 |
| sumatrapdfreader--sumatrapdf | SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution. | 2026-01-14 | 8.6 | CVE-2026-23512 | https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673 |
| Support--Brother BRPrint Auditor | Brother BRPrint Auditor 3.0.7 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted file paths in BrAuSvc and BRPA_Agent services to inject malicious executables and escalate privileges on the system. | 2026-01-15 | 7.8 | CVE-2020-36929 | ExploitDB-50005 Brother BRPrint Auditor Download Page (NL) Brother BRPrint Auditor Download Page (FR) VulnCheck Advisory: Brother BRPrint Auditor 3.0.7 - 'Multiple' Unquoted Service Path |
| sveltejs--devalue | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2. | 2026-01-15 | 7.5 | CVE-2026-22774 | https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7 https://github.com/sveltejs/devalue/releases/tag/v5.6.2 |
| sveltejs--devalue | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2. | 2026-01-15 | 7.5 | CVE-2026-22775 | https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4 https://github.com/sveltejs/devalue/releases/tag/v5.6.2 |
| Sylkat-Tools--AWebServer GhostBuilding | AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladmin to potentially crash or render the service unresponsive. | 2026-01-15 | 7.5 | CVE-2021-47752 | ExploitDB-50629 Vendor Homepage Software Download Link |
| Syncbreeze--Sync Breeze | Sync Breeze 13.6.18 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries located in 'Program Files' directories to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47807 | ExploitDB-50023 Vendor Homepage VulnCheck Advisory: Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path |
| Sysax--Sysax Multi Server | Sysax Multi Server 6.95 contains a denial of service vulnerability in the administrative password field that allows attackers to crash the application. Attackers can overwrite the password field with 800 bytes of repeated characters to trigger an application crash and disrupt server functionality. | 2026-01-13 | 7.5 | CVE-2023-54337 | ExploitDB-51066 Vendor Homepage VulnCheck Advisory: Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC) |
| Sysgauge--SysGauge | SysGauge Server 7.9.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\SysGauge Server\bin\sysgaus.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2020-36930 | ExploitDB-50009 Vendor Homepage VulnCheck Advisory: SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path |
| Tagstoo--Tagstoo | Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer. | 2026-01-15 | 7.2 | CVE-2021-47843 | ExploitDB-49828 Tagstoo Official Homepage Proof of Concept Video |
| Tdarr--Tdarr | Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in its Help terminal that allows attackers to inject and chain arbitrary commands. Attackers can exploit the lack of input filtering by chaining commands like `--help; curl .py | python` to execute remote code without authentication. | 2026-01-13 | 9.8 | CVE-2022-50919 | ExploitDB-50822 Official Vendor Homepage VulnCheck Advisory: Tdarr 2.00.15 - Command Injection |
| TeamSpeak--TeamSpeak | TeamSpeak 3.5.6 contains an insecure file permissions vulnerability that allows local attackers to replace executable files with malicious binaries. Attackers can replace system executables like ts3client_win32.exe with custom files to potentially gain SYSTEM or Administrator-level access. | 2026-01-13 | 8.4 | CVE-2022-50931 | ExploitDB-50743 TeamSpeak Official Vendor Homepage TeamSpeak Downloads Page VulnCheck Advisory: TeamSpeak 3.5.6 - Insecure File Permissions |
| Telcel--FLAME II MODEM USB | Flame II HSPA USB Modem contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Internet Telcel\ApplicationController.exe' to execute arbitrary code with elevated system privileges. | 2026-01-13 | 9.8 | CVE-2022-50935 | ExploitDB-50708 Archived Telcel Flame II MODEM USB Product Page VulnCheck Advisory: FLAME II MODEM USB - Unquoted Service Path |
| Telegram--Telegram Desktop | Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized message payload. Attackers can generate a 9 million byte buffer and paste it into the messaging interface to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47793 | ExploitDB-50247 Official Telegram Homepage VulnCheck Advisory: Telegram Desktop 2.9.2 - Denial of Service (PoC) |
| Tenable--Nessus Agent | A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges. | 2026-01-13 | 8.8 | CVE-2025-36640 | https://www.tenable.com/security/tns-2026-01 |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0. | 2026-01-12 | 8 | CVE-2026-22804 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35 |
| Testlink--TestLink | TestLink versions 1.16 through 1.19 contain an unauthenticated file download vulnerability in the attachmentdownload.php endpoint. Attackers can download arbitrary files by iterating file IDs through the 'id' parameter with 'skipCheck=1' to bypass access controls. | 2026-01-15 | 9.8 | CVE-2021-47760 | ExploitDB-50578 Official TestLink Product Homepage Archived Researcher Blog |
| The Browser Company of New York--Dia | Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. | 2026-01-16 | 7.4 | CVE-2025-15032 | https://www.diabrowser.com/security/bulletins#CVE-2025-15032 |
| Thecus--Thecus N4800Eco Nas Server Control Panel | Thecus N4800Eco NAS Server Control Panel contains a command injection vulnerability that allows authenticated attackers to execute arbitrary system commands through user management endpoints. Attackers can inject commands via username and batch user creation parameters to execute shell commands with administrative privileges. | 2026-01-16 | 8.8 | CVE-2021-47816 | ExploitDB-49926 Thecus Official Vendor Homepage Thecus N4800Eco Product Page Researcher Blog VulnCheck Advisory: Thecus N4800Eco Nas Server Control Panel - Command Injection |
| Totalav--TotalAV | TotalAV 5.15.69 contains an unquoted service path vulnerability in multiple system services running with LocalSystem privileges. Attackers can place malicious executables in specific unquoted path segments to potentially gain SYSTEM-level access by exploiting the service path configuration. | 2026-01-15 | 7.8 | CVE-2021-47787 | ExploitDB-50314 TotalAV Official Homepage VulnCheck Advisory: TotalAV 5.15.69 - Unquoted Service Path |
| tridenttechnolabs--Shipping Rate By Cities | The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 7.5 | CVE-2025-14770 | https://www.wordfence.com/threat-intel/vulnerabilities/id/11e7e798-9fb9-4cff-a96f-a0003f203f5f?source=cve https://plugins.trac.wordpress.org/browser/shipping-rate-by-cities/trunk/shiprate-cities-method-class.php#L372 |
| Umbraco--Forms | In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution. | 2026-01-16 | 7.5 | CVE-2025-68924 | https://our.umbraco.com/packages/developer-tools/umbraco-forms/ https://github.com/advisories/GHSA-vrgw-pc9c-qrrc https://www.nuget.org/packages/UmbracoForms |
| vaghasia3--News and Blog Designer Bundle | The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2026-01-14 | 9.8 | CVE-2025-14502 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e02683dc-0771-4bd5-bba3-2b5423da1c80?source=cve https://plugins.trac.wordpress.org/browser/news-and-blog-designer-bundle/trunk/includes/class-nbdb-ajax.php#L31 |
| vesparny--Marky | Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47839 | ExploitDB-49831 Marky GitHub Repository Proof of Concept Video VulnCheck Advisory: Marky 0.0.1 - Persistent Cross-Site Scripting |
| Vianeos--Vianeos OctoPUS | Vianeos OctoPUS 5 contains a time-based blind SQL injection vulnerability in the 'login_user' parameter during authentication requests. Attackers can exploit this vulnerability by crafting malicious POST requests with specially constructed SQL payloads that trigger database sleep functions to extract information. | 2026-01-15 | 8.2 | CVE-2021-47801 | ExploitDB-50078 Vendor Homepage Software Product Page VulnCheck Advisory: Vianeos OctoPUS 5 - 'login_user' SQLi |
| VIAVIWEB--VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution vulnerability in the image upload functionality. Attackers can upload a malicious PHP file through the add_gallery_image.php endpoint to execute arbitrary code on the server. | 2026-01-13 | 9.8 | CVE-2022-50893 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 - Code Execution via Image Upload |
| VIAVIWEB--VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the img_id parameter. Attackers can send GET requests to edit_gallery_image.php with malicious img_id values to extract database information. | 2026-01-13 | 9.8 | CVE-2022-50894 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 SQL Injection via edit_gallery_image.php |
| VIAVIWEB--VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating login credentials. Attackers can exploit the login page by injecting 'admin' or 1=1-- - payload to gain unauthorized access to the administrative interface. | 2026-01-13 | 8.2 | CVE-2022-50892 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 - SQL Injection via Login Page |
| VIVE--VIVE Runtime Service | VIVE Runtime Service 1.0.0.4 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific system directories to gain LocalSystem access during service startup. | 2026-01-13 | 8.4 | CVE-2022-50918 | ExploitDB-50824 Official VIVE Homepage VIVE Developer Downloads VulnCheck Advisory: VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path |
| Wago--WAGO 750-8212 PFC200 | WAGO 750-8212 PFC200 G2 2ETH RS firmware contains a privilege escalation vulnerability that allows attackers to manipulate user session cookies. Attackers can modify the cookie's 'name' and 'roles' parameters to elevate from ordinary user to administrative privileges without authentication. | 2026-01-13 | 9.8 | CVE-2022-50926 | ExploitDB-50793 Official Vendor Homepage VulnCheck Advisory: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation |
| Wbce--WBCE CMS | WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload. | 2026-01-13 | 8.8 | CVE-2022-50936 | ExploitDB-50707 WBCE CMS Official Website WBCE CMS Downloads Page WBCE CMS GitHub Repository VulnCheck Advisory: WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated) |
| WeblateOrg--wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2. | 2026-01-16 | 8.1 | CVE-2026-23535 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg https://github.com/WeblateOrg/wlc/pull/1128 https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f https://github.com/WeblateOrg/wlc/releases/tag/1.17.2 |
| Websitebaker--WebsiteBaker | WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code execution on the server. | 2026-01-15 | 8.8 | CVE-2021-47788 | ExploitDB-50310 WebsiteBaker Official Homepage VulnCheck Advisory: WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated) |
| WebSSH--WebSSH for iOS | WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashREPL tool that allows attackers to crash the application by pasting malformed input. Attackers can trigger the vulnerability by copying a 300-character buffer of repeated 'A' characters into the mashREPL input field, causing the application to crash. | 2026-01-16 | 7.5 | CVE-2021-47827 | ExploitDB-49883 WebSSH iOS App Store Page VulnCheck Advisory: WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service |
| Weird-Solutions--BOOTP Turbo | BOOTP Turbo 2.0.0.1253 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to execute arbitrary code with elevated LocalSystem privileges during system startup or reboot. | 2026-01-16 | 7.8 | CVE-2021-47828 | ExploitDB-49851 Vendor Homepage VulnCheck Advisory: BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path |
| Weird-Solutions--DHCP Broadband | DHCP Broadband 4.1.0.1503 contains an unquoted service path vulnerability in its service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files\DHCP Broadband 4\dhcpt.exe' to inject malicious code that will execute during service startup with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47829 | ExploitDB-49850 Vendor Homepage VulnCheck Advisory: DHCP Broadband 4.1.0.1503 - 'dhcpt.exe' Unquoted Service Path |
| Wibu--WibuKey Runtime | WibuKey Runtime 6.51 contains an unquoted service path vulnerability in the WkSvW32.exe service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47810 | ExploitDB-49999 Vendor Homepage Software Download Page VulnCheck Advisory: WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path |
| Wisecleaner--Wise Care | Wise Care 365 5.6.7.568 contains an unquoted service path vulnerability in the WiseBootAssistant service running with LocalSystem privileges. Attackers can exploit this by inserting a malicious executable in the service path, which will execute with elevated system privileges when the service restarts. | 2026-01-15 | 7.8 | CVE-2021-47804 | ExploitDB-50038 Official Vendor Homepage VulnCheck Advisory: Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path |
| Wondershare--Wondershare Dr.Fone | Wondershare Dr.Fone 12.0.18 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path to insert malicious code that will be executed with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50900 | ExploitDB-50813 Vendor Homepage VulnCheck Advisory: Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path |
| Wondershare--Wondershare Dr.Fone | Wondershare Dr.Fone 11.4.9 contains an unquoted service path vulnerability in the DFWSIDService that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\ to inject malicious executables that would run with LocalSystem privileges. | 2026-01-13 | 8.4 | CVE-2022-50901 | ExploitDB-50755 Vendor Homepage VulnCheck Advisory: Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path |
| Wondershare--Wondershare FamiSafe | Wondershare FamiSafe 1.0 contains an unquoted service path vulnerability in the FSService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\FamiSafe\ to inject malicious code that would run with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50902 | ExploitDB-50757 Vendor Homepage VulnCheck Advisory: Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path |
| Wondershare--Wondershare MobileTrans | Wondershare MobileTrans 3.5.9 contains an unquoted service path vulnerability in the ElevationService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path by placing malicious executables in specific filesystem locations that will be executed with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50903 | ExploitDB-50756 Vendor Homepage VulnCheck Advisory: Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path |
| Wondershare--Wondershare UBackit | Wondershare UBackit 2.0.5 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the wsbackup service to inject malicious executables that would run with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50904 | ExploitDB-50758 Vendor Homepage VulnCheck Advisory: Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path |
| woosaai--Integration Opvius AI for WooCommerce | The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files. | 2026-01-14 | 9.8 | CVE-2025-14301 | https://www.wordfence.com/threat-intel/vulnerabilities/id/34612902-1a26-4759-bca6-b5aaffa25af4?source=cve https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L41 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L25 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L79 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L160 |
| Wordpress--Social-Share-Buttons | Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entire database contents. | 2026-01-13 | 8.2 | CVE-2023-54333 | ExploitDB-51116 WP Plugin Webpage Vulnerability Research Repository VulnCheck Advisory: Social-Share-Buttons 2.2.3 - SQL Injection via project_id Parameter |
| WorkOrder--WorkOrder CMS | WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. Attackers can inject malicious SQL queries using techniques like OR '1'='1' and stacked queries to access database information or execute administrative commands. | 2026-01-13 | 8.2 | CVE-2023-54340 | ExploitDB-51038 WorkOrder CMS GitHub Repository VulnCheck Advisory: WorkOrder CMS 0.1.0 - SQL Injection |
| Yenkee--Yenkee Hornet Gaming Mouse | Yenkee Hornet Gaming Mouse driver GM312Fltr.sys contains a buffer overrun vulnerability that allows attackers to crash the system by sending oversized input. Attackers can exploit the driver by sending a 2000-byte buffer through DeviceIoControl to trigger a kernel-level system crash. | 2026-01-15 | 7.5 | CVE-2021-47789 | ExploitDB-50311 Yenkee Vendor Webpage Quadron Research Lab Kernel Driver Bugs Repository VulnCheck Advisory: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC) |
| Yonyou--KSOA | A vulnerability has been found in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_work.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1120 | VDB-341712 | Yonyou KSOA HTTP GET Parameter del_work.jsp sql injection VDB-341712 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734535 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/6 |
| Yonyou--KSOA | A vulnerability was found in Yonyou KSOA 9.0. This affects an unknown function of the file /worksheet/del_workplan.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1121 | VDB-341713 | Yonyou KSOA HTTP GET Parameter del_workplan.jsp sql injection VDB-341713 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734548 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/7 |
| Yonyou--KSOA | A vulnerability was determined in Yonyou KSOA 9.0. This impacts an unknown function of the file /worksheet/work_info.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1122 | VDB-341714 | Yonyou KSOA HTTP GET Parameter work_info.jsp sql injection VDB-341714 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734549 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/8 |
| Yonyou--KSOA | A vulnerability was identified in Yonyou KSOA 9.0. Affected is an unknown function of the file /worksheet/work_mod.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1123 | VDB-341715 | Yonyou KSOA HTTP GET Parameter work_mod.jsp sql injection VDB-341715 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734550 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/9 |
| Yonyou--KSOA | A security flaw has been discovered in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_report.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1124 | VDB-341716 | Yonyou KSOA HTTP GET Parameter work_report.jsp sql injection VDB-341716 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734551 | Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/10 |
| zalando--skipper | Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0. | 2026-01-16 | 8.8 | CVE-2026-23742 | https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714 https://github.com/zalando/skipper/releases/tag/v0.23.0 |
| Zeslecp--ZesleCP | ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a specified listening host. | 2026-01-15 | 8.8 | CVE-2021-47794 | ExploitDB-50233 ZesleCP Official Website Exploit Demonstration Video VulnCheck Advisory: ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated) |
| Zohocorp--ManageEngine ADSelfService Plus | Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations. | 2026-01-13 | 9.1 | CVE-2025-11250 | https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-11250.html |
| Zohocorp--ManageEngine PAM360 | Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality. | 2026-01-13 | 8.1 | CVE-2025-11669 | https://www.manageengine.com/privileged-access-management/advisory/cve-2025-11669.html |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 1Panel-dev--1Panel | 1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user's browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17. | 2026-01-18 | 6.4 | CVE-2026-23525 | https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-mg24-6h5c-9q42 |
| A-Plus Video Technologies--AP-RM864P | Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information. | 2026-01-12 | 5.3 | CVE-2026-0853 | https://www.twcert.org.tw/tw/cp-132-10620-527f1-1.html https://www.twcert.org.tw/en/cp-139-10621-55584-2.html |
| aankit--SpiceForms Form Builder | The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 6.4 | CVE-2025-12178 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9a19e96-2ca4-4072-aa2e-ab01f1685911?source=cve https://plugins.trac.wordpress.org/browser/spiceforms-form-builder/tags/1.0/spiceform.php#L135 |
| abage--Sosh Share Buttons | The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-15377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38b8b563-10a4-4343-b95a-7d09cf6fd729?source=cve https://plugins.trac.wordpress.org/browser/sosh-share-buttons/tags/1.1.0/sosh.class.php#L138 |
| Adobe--Illustrator | Illustrator versions 29.8.3, 30.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21288 | https://helpx.adobe.com/security/products/illustrator/apsb26-03.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21278 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--Substance3D - Designer | Substance3D - Designer versions 15.0.3 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21308 | https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21300 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21301 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21302 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21303 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| adoncreatives--Testimonials Creator | The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-14379 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3af18a17-81a0-4720-b222-153ab4ddf7d9?source=cve https://wordpress.org/plugins/testimonials-creator/ |
| akinloluwami--outray | Outray openSource ngrok alternative. Prior to 0.1.5, this vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5. | 2026-01-14 | 5.9 | CVE-2026-22819 | https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6 |
| aliasvault--aliasvault | AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3. | 2026-01-14 | 6.1 | CVE-2026-22694 | https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q https://github.com/aliasvault/aliasvault/issues/1440 https://github.com/aliasvault/aliasvault/pull/1441 https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d https://github.com/aliasvault/aliasvault/releases/tag/0.25.3 |
| Altium--Altium Live | A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST requests. The injected content is rendered verbatim when support cases are viewed by other users, including support staff with elevated privileges, allowing execution of arbitrary JavaScript in the victim's browser context. | 2026-01-15 | 6.1 | CVE-2026-1011 | https://www.altium.com/platform/security-compliance/security-advisories |
| AmauriC--tarteaucitron.js | tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0. | 2026-01-13 | 4.4 | CVE-2026-22809 | https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52 |
| aplazopayment--Aplazo Payment Gateway | The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status. | 2026-01-14 | 5.3 | CVE-2025-15512 | https://www.wordfence.com/threat-intel/vulnerabilities/id/97b327cc-7a72-4cc3-a4db-a693469f6917?source=cve https://plugins.trac.wordpress.org/browser/aplazo-payment-gateway/tags/1.4.2/includes/module/class-aplazo-module.php#L206 |
| Arunna--Arunna | Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form. | 2026-01-15 | 5.3 | CVE-2021-47754 | ExploitDB-50608 Archived Researcher Blog Arunna GitHub Repository |
| Automattic--Jetpack | Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page. | 2026-01-13 | 6.1 | CVE-2023-54332 | ExploitDB-51104 Jetpack WordPress Plugin Homepage VulnCheck Advisory: Jetpack 11.4 - Cross Site Scripting (XSS) |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. | 2026-01-12 | 6.5 | CVE-2025-68468 | https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52 https://github.com/avahi/avahi/issues/683 https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. | 2026-01-12 | 6.5 | CVE-2025-68471 | https://github.com/avahi/avahi/security/advisories/GHSA-56rf-42xr-qmmg https://github.com/avahi/avahi/issues/678 https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1 |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. | 2026-01-12 | 5.5 | CVE-2025-68276 | https://github.com/avahi/avahi/security/advisories/GHSA-mhf3-865v-g5rc https://github.com/avahi/avahi/pull/806 https://github.com/avahi/avahi/commit/ede7048475c5d47d53890e3bc1350dda8e0b3688 |
| Awesome Motive--YouTube Feed Pro | The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube. | 2026-01-17 | 5.9 | CVE-2025-12002 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e9f31ec5-c376-45b1-9ffe-35c80b89b60d?source=cve https://smashballoon.com/youtube-feed/ https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1047 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1038 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L25 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L339 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L383 |
| awesomesupport--Awesome Support WordPress HelpDesk & Support Plugin | The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce. | 2026-01-16 | 6.5 | CVE-2025-12641 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a8e4ca-c16b-4e9d-8ad2-5a671fdbc49a?source=cve https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L36 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L66 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-user.php#L1686 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/themes/default/registration.php#L183 https://plugins.trac.wordpress.org/changeset/3435609/awesome-support/trunk/includes/functions-user.php?contextall=1 |
| axllent--mailpit | Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue. | 2026-01-18 | 5.3 | CVE-2026-23829 | https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534 https://github.com/axllent/mailpit/releases/tag/v1.28.3 |
| B2Evolution--b2evolution | b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpage. | 2026-01-15 | 5.3 | CVE-2021-47800 | ExploitDB-50081 Official Vendor Homepage Software Download Page B2Evolution GitHub Repository VulnCheck Advisory: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF) |
| bastillion-io--Bastillion | A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 4.7 | CVE-2026-1063 | VDB-341631 | bastillion-io Bastillion Public Key Management System AuthKeysKtrl.java command injection VDB-341631 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731303 | bastillion-io Bastillion <=4.0.1 Command Injection https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report1.md |
| bastillion-io--Bastillion | A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 4.7 | CVE-2026-1064 | VDB-341632 | bastillion-io Bastillion System Management SystemKtrl.java command injection VDB-341632 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731308 | bastillion-io Bastillion SSH Key Manager <=4.0.1 Command Injection https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report2.md |
| bdthemes--Spin Wheel Interactive spinning wheel that offers coupons | The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes. | 2026-01-17 | 5.3 | CVE-2026-0808 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c023b91e-f633-41a6-b2d7-bcb3f1d026b7?source=cve https://plugins.trac.wordpress.org/browser/spin-wheel/trunk/includes/class-swp-ajax.php#L73 https://plugins.trac.wordpress.org/browser/spin-wheel/tags/2.0.2/includes/class-swp-ajax.php#L73 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437726%40spin-wheel&new=3437726%40spin-wheel&sfp_email=&sfph_mail= |
| BlackBerry Ltd--QNX Software Development Platform | Null pointer dereference in the MsgRegisterEvent() system call could allow an attacker with local access and code execution abilities to crash the QNX Neutrino kernel. | 2026-01-13 | 6.2 | CVE-2025-8090 | https://support.blackberry.com/pkb/s/article/141027 |
| bplugins--Team Section Block Showcase Team Members with Layout Options | The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 6.4 | CVE-2026-0833 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6348b119-a0dc-40ef-ae62-1de86dcefac7?source=cve https://plugins.trac.wordpress.org/browser/team-section/trunk/build/render.php#L3 https://plugins.trac.wordpress.org/browser/team-section/tags/1.1.0/build/render.php#L3 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436953%40team-section&new=3436953%40team-section&sfp_email=&sfph_mail= |
| brechtvds--WP Recipe Maker | The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to. | 2026-01-16 | 4.3 | CVE-2025-15527 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96f77fdc-4e91-43c0-8bc6-7bb202945c7d?source=cve https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L48 https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L86 https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L172 https://plugins.trac.wordpress.org/changeset/3415263/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php?contextall=1&old=3402554&old_path=%2Fwp-recipe-maker%2Ftrunk%2Fincludes%2Fpublic%2Fapi%2Fclass-wprm-api-utilities.php |
| BYVoid--OpenCC | A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. Patch name: 345c9a50ab07018f1b4439776bad78a0d40778ec. To fix this issue, it is recommended to deploy a patch. | 2026-01-18 | 5.3 | CVE-2025-15536 | VDB-341708 | BYVoid OpenCC MaxMatchSegmentation.cpp MaxMatchSegmentation heap-based overflow VDB-341708 | CTI Indicators (IOB, IOC, IOA) Submit #733347 | BYVoid OpenCC ver.1.1.9 and master-branch Heap-based Buffer Overflow https://github.com/BYVoid/OpenCC/issues/997 https://github.com/BYVoid/OpenCC/pull/1005 https://github.com/oneafter/1222/blob/main/repro https://github.com/BYVoid/OpenCC/commit/345c9a50ab07018f1b4439776bad78a0d40778ec |
| cakephp--cakephp | CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1. | 2026-01-16 | 5.4 | CVE-2026-23643 | https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5 https://github.com/cakephp/cakephp/issues/19172 https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f https://bakery.cakephp.org/2026/01/14/cakephp_5212.html https://github.com/cakephp/cakephp/releases/tag/5.2.12 https://github.com/cakephp/cakephp/releases/tag/5.3.1 |
| cbutlerjr--WP-Members Membership Plugin | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-15 | 5.4 | CVE-2025-14448 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89d1fa00-4757-4f86-bddb-a6a2dbcf9625?source=cve https://plugins.trac.wordpress.org/changeset/3418471/wp-members |
| Celestialsoftware--AbsoluteTelnet | AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating DialUp connection and license name fields. Attackers can generate a 1000-character payload and paste it into specific input fields to trigger application crashes and force unexpected termination. | 2026-01-15 | 6.2 | CVE-2021-47764 | ExploitDB-50511 Vendor Homepage |
| Celestialsoftware--AbsoluteTelnet | AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating username and error report fields. Attackers can trigger the crash by inserting 1000 characters into the username or email address fields, causing the application to become unresponsive. | 2026-01-15 | 6.2 | CVE-2021-47765 | ExploitDB-50510 Vendor Homepage |
| Chamilo--LMS | A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.4 | CVE-2026-1106 | VDB-341698 | Chamilo LMS Legal Consent SocialController.php deleteLegal improper authorization VDB-341698 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731510 | Chamilo LMS <= v2.0.0 Beta 1 SocialController IDOR - Legal Consent Data Manipulat https://note-hxlab.wetolink.com/share/w92t1Q0a74Gj |
| cijliu--librtsp | A security vulnerability has been detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The affected element is the function rtsp_rely_dumps. The manipulation leads to buffer overflow. An attack has to be approached locally. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1108 | VDB-341700 | cijliu librtsp rtsp_rely_dumps buffer overflow VDB-341700 | CTI Indicators (IOB, IOC, IOA) Submit #732598 | librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_rely_dumps/librtsp_rtsp_rely_dumps.md |
| cijliu--librtsp | A vulnerability was detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The impacted element is the function rtsp_parse_request. The manipulation results in buffer overflow. Attacking locally is a requirement. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1109 | VDB-341701 | cijliu librtsp rtsp_parse_request buffer overflow VDB-341701 | CTI Indicators (IOB, IOC, IOA) Submit #732599 | librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_parse_request/librtsp_rtsp_parse_request.md |
| cijliu--librtsp | A flaw has been found in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. This affects the function rtsp_parse_method. This manipulation causes buffer overflow. It is possible to launch the attack on the local host. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1110 | VDB-341702 | cijliu librtsp rtsp_parse_method buffer overflow VDB-341702 | CTI Indicators (IOB, IOC, IOA) Submit #732603 | librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_parse_method/librtsp_rtsp_parse_method.md |
| Cinspiration--RDP Manager | RDP Manager 4.9.9.3 contains a denial of service vulnerability in connection input fields that allows local attackers to crash the application. Attackers can add oversized entries in Verbindungsname and Server fields to permanently freeze and crash the software, potentially requiring full reinstallation. | 2026-01-15 | 6.2 | CVE-2021-47771 | ExploitDB-50484 Archived Software Download Page Vulnerability-Lab Disclosure |
| Cisco--Cisco Evolved Programmable Network Manager (EPNM) | A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20075 | cisco-sa-epnm-pi-stored-xss-GEkX8yWK |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20047 | cisco-sa-ise-xss-964cdxW5 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20076 | cisco-sa-ise-xss-9TDh2kx |
| codepeople--CP Image Store with Slideshow | The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server. | 2026-01-13 | 4.3 | CVE-2026-0684 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28e48604-2aaf-4e02-9b1e-cebf5f0bfcf7?source=cve https://plugins.trac.wordpress.org/browser/cp-image-store/tags/1.1.9/cp-image-store.php#L826 https://plugins.trac.wordpress.org/changeset/3434716/ |
| ConnectWise--PSA | In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values. | 2026-01-16 | 6.5 | CVE-2026-0696 | https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix |
| creativemindssolutions--CM E-Mail Blacklist Simple email filtering for safer registration | The CM E-Mail Blacklist - Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-17 | 4.4 | CVE-2026-0691 | https://www.wordfence.com/threat-intel/vulnerabilities/id/821f4ea9-bc25-4d65-9058-5b77c4f1b230?source=cve https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/backend/views/settings/email_blacklist.phtml#L67 https://plugins.trac.wordpress.org/browser/cm-email-blacklist/tags/1.6.2/backend/views/settings/email_blacklist.phtml#L67 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440158%40cm-email-blacklist&new=3440158%40cm-email-blacklist&sfp_email=&sfph_mail= |
| crushpics--Crush.pics Image Optimizer Image Compression and Optimization | The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings. | 2026-01-14 | 4.3 | CVE-2025-14482 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5e71bf15-aee0-4efc-a1c6-faad9f6e4f38?source=cve https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L66 https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L193 https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L30 |
| cubewp1211--CubeWP Framework | The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 6.4 | CVE-2025-8615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/efc2baf0-38d9-44be-b439-3585b2f1d4a5?source=cve https://wordpress.org/plugins/cubewp-framework/#developers https://plugins.trac.wordpress.org/changeset/3362001#file10 |
| cubewp1211--CubeWP Framework | The CubeWP - All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | 2026-01-17 | 5.3 | CVE-2025-12129 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2006dc4c-ec1a-45ab-94a3-1f86d80e70ca?source=cve https://plugins.trac.wordpress.org/changeset/3422640/cubewp-framework/trunk/cube/classes/class-cubewp-rest-api.php |
| cyberlord92--Integrate Dynamics 365 CRM | The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 4.4 | CVE-2026-0725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6b16028a-0b69-422b-9471-32ea6edb93a0?source=cve https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/trunk/Wrappers/class-templatewrapper.php#L491 https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/tags/1.1.1/Wrappers/class-templatewrapper.php#L491 https://plugins.trac.wordpress.org/changeset/3438502/ |
| Dell--SupportAssist OS Recovery, | Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Tampering. | 2026-01-13 | 6.6 | CVE-2025-46684 | https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456 |
| dfieldfl--WP Allowed Hosts | The WP Allowed Hosts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allowed-hosts' parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2026-0734 | https://www.wordfence.com/threat-intel/vulnerabilities/id/700e9d1c-a178-4033-8607-652178860211?source=cve https://plugins.trac.wordpress.org/browser/wp-allow-hosts/trunk/allowed-hosts.php#L170 https://plugins.trac.wordpress.org/browser/wp-allow-hosts/tags/1.0.8/allowed-hosts.php#L170 |
| e107--e107 CMS | e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed. | 2026-01-13 | 4.8 | CVE-2022-50906 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Admin Upload Restriction Bypass + Stored XSS |
| Elastic--Kibana | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs. | 2026-01-13 | 6.5 | CVE-2026-0530 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521 |
| Elastic--Kibana | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users. | 2026-01-13 | 6.5 | CVE-2026-0531 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522 |
| Elastic--Kibana | Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed. | 2026-01-13 | 6.5 | CVE-2026-0543 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-08/384523 |
| Elastic--Metricbeat | Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data. | 2026-01-13 | 6.5 | CVE-2026-0528 | https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519 |
| Elastic--Packetbeat | Improper Validation of Array Index (CWE-129) in Packetbeat's MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This requires an attacker to send a malformed payload to a monitored network interface where MongoDB protocol parsing is enabled. | 2026-01-14 | 6.5 | CVE-2026-0529 | https://discuss.elastic.co/t/packetbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-02/384520 |
| electric-studio--Electric Studio Download Counter | The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2026-0741 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a22bba3e-423a-4231-833b-c0be57a3bf7b?source=cve https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/trunk/electric-studio-download-counter.php#L186 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/tags/2.4/electric-studio-download-counter.php#L186 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/trunk/electric-studio-download-counter.php#L202 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/tags/2.4/electric-studio-download-counter.php#L202 |
| EnterpriseDB--Postgres Enterprise Manager (PEM) | PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu. | 2026-01-16 | 6.5 | CVE-2026-0949 | https://www.enterprisedb.com/docs/security/advisories/cve20260949/ |
| espressif--esp-usb | Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length. Because this value is not validated before being copied into a fixed-size stack buffer, an attacker can overflow the buffer and corrupt memory. This vulnerability is fixed in 2.4.0. | 2026-01-12 | 6.8 | CVE-2025-68622 | https://github.com/espressif/esp-usb/security/advisories/GHSA-g65h-9ggq-9827 https://github.com/espressif/esp-usb/commit/77a38b15a17f6e3c7aeb620eb4aeaf61d5194cc0 https://components.espressif.com/components/espressif/usb_host_uvc/versions/2.4.0/changelog |
| espressif--esp-usb | Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immediate use-after-free when processing attacker-controlled Report Descriptor lengths. This vulnerability is fixed in 1.1.0. | 2026-01-12 | 6.8 | CVE-2025-68656 | https://github.com/espressif/esp-usb/security/advisories/GHSA-2pm2-62mr-c9x7 https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660 https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog |
| espressif--esp-usb | Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0. | 2026-01-12 | 6.4 | CVE-2025-68657 | https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv https://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390b https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog |
| floattechnologies--Float Payment Gateway | The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed. | 2026-01-14 | 5.3 | CVE-2025-15513 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477 |
| Fortinet--FortiClientEMS | An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiClientEMS 7.4.3 through 7.4.4, FortiClientEMS 7.4.0 through 7.4.1, FortiClientEMS 7.2.0 through 7.2.10, FortiClientEMS 7.0 all versions may allow an authenticated attacker with at least read-only admin permission to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. | 2026-01-13 | 6.8 | CVE-2025-59922 | https://fortiguard.fortinet.com/psirt/FG-IR-25-735 |
| Fortinet--FortiVoice | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 allows a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPs requests. | 2026-01-13 | 5.7 | CVE-2025-58693 | https://fortiguard.fortinet.com/psirt/FG-IR-25-778 |
| GeoNetwork--GeoNetwork | Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests. | 2026-01-13 | 6.5 | CVE-2022-50899 | ExploitDB-50982 GeoNetwork Official Homepage VulnCheck Advisory: Geonetwork 4.2.0 - XML External Entity (XXE) |
| Geovision--GeoVision Geowebserver | GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. Attackers can exploit the WebStrings.srf endpoint by manipulating path traversal and injection parameters to access system files and execute malicious scripts. | 2026-01-15 | 6.2 | CVE-2021-47795 | ExploitDB-50211 GeoVision Cyber Security Page VulnCheck Advisory: GeoVision Geowebserver 5.3.3 - Local FIle Inclusion |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has a Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory. | 2026-01-16 | 5.3 | CVE-2026-1020 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| gothamdev--Gotham Block Extra Light | The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-01-14 | 6.5 | CVE-2025-15020 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b194b241-d8f4-430c-b00c-d84190026bad?source=cve https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/premium/ghostban.php?marks=56#L56 |
| gothamdev--Gotham Block Extra Light | The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-15021 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c36899-3c7b-41b6-a38d-86c8834b4c03?source=cve https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/gothamblock.php?marks=463,470,495,500,504,519,564,578#L463 |
| guillaumev--LinkedIn SC | The LinkedIn SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkedin_sc_date_format', 'linkedin_sc_api_key', and 'linkedin_sc_secret_key' parameters in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | 2026-01-14 | 4.4 | CVE-2026-0812 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1c4fd888-aeaf-4451-a151-8f884bc22f0b?source=cve https://plugins.trac.wordpress.org/browser/linkedin-sc/tags/1.1.9/linkedin-sc.php#L164 https://plugins.trac.wordpress.org/browser/linkedin-sc/trunk/linkedin-sc.php#L164 |
| gurayyarar--SnipCommand | SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into command snippets. Attackers can execute arbitrary code by embedding malicious JavaScript that triggers remote command execution through file or title inputs. | 2026-01-16 | 6.1 | CVE-2021-47841 | ExploitDB-49829 SnipCommand GitHub Repository Proof of Concept Video VulnCheck Advisory: SnipCommand 0.1.0 - Persistent Cross-Site Scripting |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a package header to inject shell commands, potentially affecting the execution of internal operations. Successful exploit could allow an authenticated malicious actor to execute commands with the privileges of the impacted mechanism. | 2026-01-13 | 6.5 | CVE-2025-37176 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | 2026-01-13 | 6.5 | CVE-2025-37177 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process. | 2026-01-13 | 5.3 | CVE-2025-37178 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process. | 2026-01-13 | 5.3 | CVE-2025-37179 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity of secured access to the system. | 2026-01-14 | 6.5 | CVE-2025-37184 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface and thereby make unauthorized arbitrary configuration changes to the host. | 2026-01-14 | 5.5 | CVE-2025-37185 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Huawei--HarmonyOS | Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 6.2 | CVE-2025-68959 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Data verification vulnerability in the HiView module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 6.2 | CVE-2025-68964 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 6.8 | CVE-2025-68969 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 6.1 | CVE-2025-68970 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 5.1 | CVE-2025-68961 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 5.1 | CVE-2025-68962 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Man-in-the-middle attack vulnerability in the Clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.7 | CVE-2025-68963 | https://consumer.huawei.com/en/support/bulletin/2026/1// |
| Huawei--HarmonyOS | Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.1 | CVE-2025-68966 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Vulnerability of improper permission control in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.7 | CVE-2025-68967 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 4.7 | CVE-2025-68965 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Istio--Istio | Istio through 1.28.2 allows iptables rule injection for changing firewall behavior via the traffic.sidecar.istio.io/excludeInterfaces annotation. NOTE: the reporter's position is "this doesn't represent a security vulnerability (pod creators can already exclude sidecar injection entirely)." | 2026-01-15 | 4.1 | CVE-2026-23766 | https://github.com/istio/istio/issues/58781 https://github.com/istio/istio/pull/58785 |
| itsourcecode--Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-18 | 6.3 | CVE-2026-1118 | VDB-341710 | itsourcecode Society Management System add_activity.php sql injection VDB-341710 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #734289 | itsourcecode Society Management System V1.0 SQL injection https://github.com/AriazzzZ/CVE/issues/2 https://itsourcecode.com/ |
| jackdewey--Community Events | The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter. | 2026-01-17 | 5.3 | CVE-2025-14029 | https://www.wordfence.com/threat-intel/vulnerabilities/id/098c3f4c-b6bc-462a-98ef-30e6a68d74cf?source=cve https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L160 https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L160 https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L64 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437116%40community-events&new=3437116%40community-events&sfp_email=&sfph_mail= |
| jersou--Markdown Explorer | Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access. | 2026-01-16 | 6.1 | CVE-2021-47836 | ExploitDB-49826 Markdown Explorer GitHub Repository Proof of Concept Video VulnCheck Advisory: Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting |
| jokkedk--Webgrind | Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. The application does not sufficiently encode user-controlled inputs, allowing attackers to execute arbitrary JavaScript in victim's browsers by crafting malicious URLs. | 2026-01-13 | 6.1 | CVE-2023-54341 | ExploitDB-51074 Webgrind GitHub Repository VulnCheck Advisory: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) via file Parameter |
| Juniper Networks--Junos OS | An Improper Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS allows an unauthenticated, network-adjacent attacker sending a specifically malformed ICMP packet to cause an FPC to crash and restart, resulting in a Denial of Service (DoS). When an ICMP packet is received with a specifically malformed IP header value, the FPC receiving the packet crashes and restarts. Due to the specific type of malformed packet, adjacent upstream routers would not forward the packet, limiting the attack surface to adjacent networks. This issue only affects ICMPv4. ICMPv6 is not vulnerable to this issue. This issue affects Junos OS: * all versions before 21.2R3-S9, * from 21.4 before 21.4R3-S10, * from 22.2 before 22.2R3-S7, * from 22.3 before 22.3R3-S4, * from 22.4 before 22.4R3-S5, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R1-S2, 24.2R2. | 2026-01-15 | 6.5 | CVE-2026-0203 | https://supportportal.juniper.net/JSA104294 https://kb.juniper.net/JSA104294 |
| Juniper Networks--Junos OS | A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges to cause a Denial-of-Service (DoS). Subscribing to telemetry sensors at scale causes all FPC connections to drop, resulting in an FPC crash and restart. The issue was not seen when YANG packages for the specific sensors were installed. This issue affects Junos OS: * all versions before 22.4R3-S7, * 23.2 version before 23.2R2-S4, * 23.4 versions before 23.4R2. | 2026-01-15 | 6.5 | CVE-2026-21903 | https://supportportal.juniper.net/JSA106022 https://kb.juniper.net/JSA106022 |
| Juniper Networks--Junos OS | A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition. Memory usage can be monitored through the use of the 'show task memory detail' command. For example: user@junos> show task memory detail | match ted-infra TED-INFRA-COOKIE 25 1072 28 1184 229 user@junos> show task memory detail | match ted-infra TED-INFRA-COOKIE 31 1360 34 1472 307 This issue affects: Junos OS: * from 23.2 before 23.2R2, * from 23.4 before 23.4R1-S2, 23.4R2, * from 24.1 before 24.1R2; Junos OS Evolved: * from 23.2 before 23.2R2-EVO, * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO, * from 24.1 before 24.1R2-EVO. This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO. | 2026-01-15 | 6.5 | CVE-2026-21909 | https://supportportal.juniper.net/JSA106008 https://kb.juniper.net/JSA106008 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on EX4k Series and QFX5k Series platforms allows an unauthenticated network-adjacent attacker flapping an interface to cause traffic between VXLAN Network Identifiers (VNIs) to drop, leading to a Denial of Service (DoS). On all EX4k and QFX5k platforms, a link flap in an EVPN-VXLAN configuration Link Aggregation Group (LAG) results in Inter-VNI traffic dropping when there are multiple load-balanced next-hop routes for the same destination. This issue is only applicable to systems that support EVPN-VXLAN Virtual Port-Link Aggregation Groups (VPLAG), such as the QFX5110, QFX5120, QFX5200, EX4100, EX4300, EX4400, and EX4650. Service can only be restored by restarting the affected FPC via the 'request chassis fpc restart slot <slot-number>' command. This issue affects Junos OS on EX4k and QFX5k Series: * all versions before 21.4R3-S12, * all versions of 22.2 * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2. | 2026-01-15 | 6.5 | CVE-2026-21910 | https://supportportal.juniper.net/JSA106009 https://kb.juniper.net/JSA106009 |
| Juniper Networks--Junos OS | A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS). When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which - depending on the process - can cause a complete outage until the system has recovered. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-EVO. | 2026-01-15 | 6.5 | CVE-2026-21921 | https://supportportal.juniper.net/JSA106021 https://kb.juniper.net/JSA106021 |
| Juniper Networks--Junos OS | An Untrusted Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with low privileges to cause a Denial-of-Service (DoS). When the command 'show route < ( receive-protocol | advertising-protocol ) bgp > detail' is executed, and at least one of the routes in the intended output has specific attributes, this will cause an rpd crash and restart. 'show route ... extensive' is not affected. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 5.5 | CVE-2025-59959 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103148 |
| Juniper Networks--Junos OS | An Incorrect Permission Assignment for Critical Resource vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to write to the Unix socket used to manage the jdhcpd process, resulting in complete control over the resource. This vulnerability allows any low-privileged user logged into the system to connect to the Unix socket and issue commands to manage the DHCP service, in essence, taking administrative control of the local DHCP server or DHCP relay. This issue affects: Junos OS: * all versions before 21.2R3-S10, * all versions of 22.2, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R1-S1, 25.2R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. | 2026-01-15 | 5.5 | CVE-2025-59961 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103150 |
| Juniper Networks--Junos OS | A NULL Pointer Dereference vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS on MX, SRX and EX Series allows a local attacker with low privileges to cause a Denial-of-Service (DoS). When a user executes the 'show chassis' command with specifically crafted options, chassisd will crash and restart. Due to this all components but the Routing Engine (RE) in the chassis are reinitialized, which leads to a complete service outage, which the system automatically recovers from. This issue affects: Junos OS on MX, SRX and EX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2. | 2026-01-15 | 5.5 | CVE-2025-60007 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103173 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause an availability impact for downstream devices. When an affected device receives a specific optional, transitive BGP attribute over an existing BGP session, it will be erroneously modified before propagation to peers. When the attribute is detected as malformed by the peers, these peers will most likely terminate the BGP sessions with the affected devices and thereby cause an availability impact due to the resulting routing churn. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5 * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 5.8 | CVE-2025-60011 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103161 |
| Juniper Networks--Junos OS | A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in the method to collect FPC Ethernet firmware statistics of Juniper Networks Junos OS on MX10k Series allows a local, low-privileged attacker executing the 'show system firmware' CLI command to cause an LC480 or LC2101 line card to reset. On MX10k Series systems with LC480 or LC2101 line cards, repeated execution of the 'show system firmware' CLI command can cause the line card to crash and restart. Additionally, some time after the line card crashes, chassisd may also crash and restart, generating a core dump.This issue affects Junos OS on MX10k Series: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S9, * from 22.2 before 22.2R3-S7, * from 22.4 before 22.4R3-S6, * from 23.2 before 23.2R2-S2, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R2. | 2026-01-15 | 5.5 | CVE-2026-21912 | https://supportportal.juniper.net/JSA106011 https://kb.juniper.net/JSA106011 |
| Juniper Networks--Junos OS Evolved | An Incorrect Calculation vulnerability in the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage. When the issue is seen, the following log message will be generated: op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP, This issue affects Junos OS Evolved: * all versions before 21.4R3-S7-EVO, * from 22.2 before 22.2R3-S4-EVO, * from 22.3 before 22.3R3-S3-EVO, * from 22.4 before 22.4R3-S2-EVO, * from 23.2 before 23.2R2-S1-EVO, * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO. | 2026-01-15 | 6.5 | CVE-2026-21911 | https://supportportal.juniper.net/JSA106010 https://kb.juniper.net/JSA106010 |
| Juniper Networks--Junos Space | A Use of a Broken or Risky Cryptographic Algorithm vulnerability in the TLS/SSL server of Juniper Networks Junos Space allows the use of static key ciphers (ssl-static-key-ciphers), reducing the confidentiality of on-path traffic communicated across the connection. These ciphers also do not support Perfect Forward Secrecy (PFS), affecting the long-term confidentiality of encrypted communications.This issue affects all versions of Junos Space before 24.1R5. | 2026-01-15 | 5.9 | CVE-2026-21907 | https://supportportal.juniper.net/JSA106006 https://kb.juniper.net/JSA106006 |
| Juniper Networks--Paragon Automation (Pathfinder, Planner, Insights) | A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) due to the application's failure to set appropriate X-Frame-Options and X-Content-Type HTTP headers. This vulnerability allows an attacker to trick users into interacting with the interface under the attacker's control. This issue affects all versions of Paragon Automation (Pathfinder, Planner, Insights) before 24.1.1. | 2026-01-15 | 6.1 | CVE-2025-52987 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103145 |
| kalcaddle--kodbox | A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 6.3 | CVE-2026-1066 | VDB-341665 | kalcaddle kodbox Compression zip command injection VDB-341665 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731436 | kalcaddle kodbox <=1.61.10 Command Injection https://github.com/DReazer/CV3/blob/main/Krce.md |
| keesiemeijer--Related Posts by Taxonomy | The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'related_posts_by_tax' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-16 | 6.4 | CVE-2026-0916 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0582fe7d-884c-4019-837a-861d36ccc842?source=cve https://plugins.trac.wordpress.org/browser/related-posts-by-taxonomy/tags/2.7.6/includes/functions.php#L259 |
| kimai--kimai | Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue. | 2026-01-18 | 6.8 | CVE-2026-23626 | https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg https://github.com/kimai/kimai/pull/5757 https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f https://github.com/kimai/kimai/releases/tag/2.46.0 |
| kiwicommerce--PDF Resume Parser | The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials. | 2026-01-14 | 5.3 | CVE-2025-14464 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8a84bcc2-23e0-4624-89a4-7bbb1b34c498?source=cve https://plugins.trac.wordpress.org/browser/pdf-resume-parser/trunk/pdf-resume-parser.php#L309 https://plugins.trac.wordpress.org/browser/pdf-resume-parser/tags/1.0/pdf-resume-parser.php#L309 |
| kunzemarketing--Kunze Law | The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Additional presence of a path traversal vulnerability in the shortcode name allows writing malicious HTML files to arbitrary writable locations on the server. | 2026-01-14 | 4.4 | CVE-2025-15486 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f7957619-e562-4043-920d-275c58684328?source=cve https://plugins.trac.wordpress.org/browser/kunze-law/tags/2.1/kunze-law.php#L406 https://plugins.trac.wordpress.org/browser/kunze-law/tags/2.1/kunze-law.php#L531 |
| Laborator--Kalium 3 | Creative WordPress & WooCommerce Theme | The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme an an open mail relay and send email to arbitrary email addresses on the server's behalf. | 2026-01-15 | 5.3 | CVE-2025-12895 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e65a794-1901-4e54-be4f-9422fe444057?source=cve https://themeforest.net/item/kalium-creative-theme-for-professionals/10860525 https://documentation.laborator.co/kb/kalium/kalium-changelog/ |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the "Atendido" selection dropdown. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 4.3 | CVE-2026-23724 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3r3q-8573-g3cq https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, The web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing andContent-Security-Policy with frame-ancestors directive is not configured. Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental interaction with sensitive workflows. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 4.3 | CVE-2026-23731 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-99qp-hjvh-c59q https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| Lenovo--ThinkPad L13 Gen 6 BIOS | A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as "On" in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode. | 2026-01-14 | 6.5 | CVE-2026-0421 | https://support.lenovo.com/us/en/product_security/LEN-210688 |
| Lenovo--ThinkPlus FU100 | A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive. | 2026-01-14 | 6.8 | CVE-2025-13453 | https://iknow.lenovo.com.cn/detail/436983 |
| Lenovo--ThinkPlus FU100 | A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information. | 2026-01-14 | 4.7 | CVE-2025-13454 | https://iknow.lenovo.com.cn/detail/436983 |
| Lenovo--Vantage | An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges. | 2026-01-14 | 5.5 | CVE-2025-13154 | https://support.lenovo.com/us/en/product_security/LEN-208293 |
| linknacional--Rede Ita for WooCommerce Payment PIX, Credit Card and Debit | The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed. | 2026-01-16 | 5.3 | CVE-2026-0939 | https://www.wordfence.com/threat-intel/vulnerabilities/id/722c666b-913f-4289-82e6-30aa0a3abc2b?source=cve https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L45 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L460 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L710 |
| linknacional--Rede Ita for WooCommerce Payment PIX, Credit Card and Debit | The Rede Itaú for WooCommerce - Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.2. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders. | 2026-01-16 | 5.3 | CVE-2026-0942 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4927c060-f2b2-4916-b049-1442bba63e98?source=cve https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L42 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L58 |
| lobehub--lobe-chat | LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue. | 2026-01-18 | 6.4 | CVE-2026-23733 | https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443 |
| logiceverest--Shipping Rates by City for WooCommerce | The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'cities' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 4.9 | CVE-2026-0678 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ada476b-6978-4c38-a5d3-67266a709a3e?source=cve https://plugins.trac.wordpress.org/browser/flat-shipping-rate-by-city-for-woocommerce/trunk/shipping-method-class.php#L154 https://plugins.trac.wordpress.org/browser/flat-shipping-rate-by-city-for-woocommerce/tags/1.0.3/shipping-method-class.php#L154 |
| lottiefile--LottieFiles Lottie block for Gutenberg | The LottieFiles - Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owner's LottieFiles.com account credentials including their API access token and email address when the 'Share LottieFiles account with other WordPress users' option is enabled. | 2026-01-14 | 5.3 | CVE-2026-0717 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19b159ca-4b41-48b4-880d-9b9dc44b3463?source=cve https://plugins.trac.wordpress.org/browser/lottiefiles/tags/3.0.0/src/common.php?marks=21,122#L21 |
| lwj--flow | A security vulnerability has been detected in lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641. This affects the function uploadFile of the file \flow-master\flow-front-rest\src\main\java\com\dragon\flow\web\resource\flow\FormResource.java of the component SVG File Handler. The manipulation of the argument File leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 6.3 | CVE-2026-1126 | VDB-341718 | lwj flow SVG File FormResource.java uploadFile unrestricted upload VDB-341718 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735122 | https://gitee.com/lwj/flow flowable 1.0 Arbitrary File Upload https://gitee.com/lwj/flow/issues/IDIQSE |
| mailerlite--MailerLite WooCommerce integration | The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history. | 2026-01-16 | 6.5 | CVE-2026-1000 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e20deec4-f40c-4bd3-91f7-6a9d643a5520?source=cve https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/includes/WooMailerLite.php#L127 https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/admin/controllers/WooMailerLiteAdminSettingsController.php#L231 https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/includes/migrations/WooMailerLiteMigration.php#L33 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3415073%40woo-mailerlite%2Ftrunk&old=3399626%40woo-mailerlite%2Ftrunk&sfp_email=&sfph_mail= |
| makesweat--Makesweat | The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2025-13627 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88dec08d-cb27-4ea8-853e-0c12dd0a6ab6?source=cve https://it.wordpress.org/plugins/makesweat/ https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L64 https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L64 https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L85 https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L85 |
| mallsop--List Site Contributors | The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-14 | 6.1 | CVE-2026-0594 | https://www.wordfence.com/threat-intel/vulnerabilities/id/026a2e0d-4d30-4133-9118-055026aa9f4a?source=cve https://plugins.trac.wordpress.org/browser/list-site-contributors/trunk/list-site-contributors.php#L435 https://plugins.trac.wordpress.org/browser/list-site-contributors/tags/1.1.8/list-site-contributors.php#L435 |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops. | 2026-01-16 | 6.8 | CVE-2025-14435 | https://mattermost.com/security-updates |
| memsource--Phrase TMS Integration for WordPress | The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files. | 2026-01-17 | 4.3 | CVE-2025-12168 | https://www.wordfence.com/threat-intel/vulnerabilities/id/396f2426-7bc4-4221-bc48-920bec5af6e5?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426034%40memsource-connector&new=3426034%40memsource-connector&sfp_email=&sfph_mail= |
| metagauss--EventPrime Events Calendar, Bookings and Tickets | The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0. | 2026-01-13 | 5.3 | CVE-2025-14507 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4b170ed1-72ee-40b6-9882-e978d630f6bb?source=cve https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.php#L447 https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.php#L651 https://plugins.trac.wordpress.org/changeset/3422587/ https://plugins.trac.wordpress.org/changeset/3432454/ |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network. | 2026-01-13 | 5.4 | CVE-2026-20958 | Microsoft SharePoint Information Disclosure Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-01-13 | 4.6 | CVE-2026-20959 | Microsoft SharePoint Server Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper input validation in Windows LDAP - Lightweight Directory Access Protocol allows an authorized attacker to perform tampering over a network. | 2026-01-13 | 6.5 | CVE-2026-20812 | LDAP Tampering Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20821 | Remote Procedure Call Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20847 | Microsoft Windows File Explorer Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20872 | NTLM Hash Disclosure Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20925 | NTLM Hash Disclosure Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. The operating system's certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees. Certificate Authority (CA) Location Purpose Expiration Date Microsoft Corporation KEK CA 2011 KEK Signs updates to the DB and DBX 06/24/2026 Microsoft Corporation UEFI CA 2011 DB Signs 3rd party boot loaders, Option ROMs, etc. 06/27/2026 Microsoft Windows Production PCA 2011 DB Signs the Windows Boot Manager 10/19/2026 For more information see this CVE and Windows Secure Boot certificate expiration and CA updates. | 2026-01-13 | 6.4 | CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20823 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Protection mechanism failure in Windows Remote Assistance allows an unauthorized attacker to bypass a security feature locally. | 2026-01-13 | 5.5 | CVE-2026-20824 | Windows Remote Assistance Security Feature Bypass Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20827 | Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows TPM allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20829 | TPM Trustlet Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20839 | Windows Client-Side Caching (CSC) Service Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Management Services allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20862 | Windows Management Services Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to deny service over a network. | 2026-01-13 | 5.3 | CVE-2026-20927 | Windows SMB Server Denial of Service Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20932 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20937 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20939 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Hyper-V allows an authorized attacker to disclose information locally. | 2026-01-13 | 4.4 | CVE-2026-20825 | Windows Hyper-V Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows Internet Connection Sharing (ICS) allows an unauthorized attacker to disclose information with a physical attack. | 2026-01-13 | 4.6 | CVE-2026-20828 | Windows rndismp6.sys Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Absolute path traversal in Windows Shell allows an unauthorized attacker to perform spoofing with a physical attack. | 2026-01-13 | 4.6 | CVE-2026-20834 | Windows Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows NDIS allows an authorized attacker to disclose information with a physical attack. | 2026-01-13 | 4.3 | CVE-2026-20936 | Windows NDIS Information Disclosure Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20935 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20819 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Use of uninitialized resource in Dynamic Root of Trust for Measurement (DRTM) allows an authorized attacker to disclose information locally. | 2026-01-13 | 4.4 | CVE-2026-20962 | Dynamic Root of Trust for Measurement (DRTM) Information Disclosure Vulnerability |
| Microsoft--Windows Server 2019 | Insertion of sensitive information into log file in Windows Kernel allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20818 | Windows Kernel Information Disclosure Vulnerability |
| Microsoft--Windows Server 2019 | Use of a broken or risky cryptographic algorithm in Windows Kerberos allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20833 | Windows Kerberos Information Disclosure Vulnerability |
| Microsoft--Windows Server 2022 | Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20838 | Windows Kernel Information Disclosure Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20851 | Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Heap-based buffer overflow in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 6.7 | CVE-2026-20876 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Out-of-bounds read in Capability Access Management Service (camsvc) allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20835 | Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
| monetizemore--Advanced Ads Ad Manager & AdSense | The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-17 | 4.9 | CVE-2025-12984 | https://www.wordfence.com/threat-intel/vulnerabilities/id/729e8a06-abaa-4468-8a80-1e5c6cbace92?source=cve https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-placement-list-table.php#L254 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429511%40advanced-ads&new=3429511%40advanced-ads&sfp_email=&sfph_mail= |
| mPDF--mPDF | mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications. | 2026-01-13 | 6.2 | CVE-2022-50897 | ExploitDB-50995 Official mPDF Project Homepage VulnCheck Advisory: mPDF 7.0 - Local File Inclusion |
| n/a--EyouCMS | A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted upload. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 6.3 | CVE-2026-1107 | VDB-341699 | EyouCMS Member Avatar Diyajax.php check_userinfo unrestricted upload VDB-341699 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731540 | Hainan Zanzan Network Technology Co. Eyoucms <=1.7.1 causing code execution due to file inclusion https://github.com/24-2021/vul3/blob/main/Eyoucms/Eyoucms%3D1.7.1%20check_userinfo%20api%20viewfile%20exists%2C%20causing%20code%20execution%20due%20to%20file%20inclusion.md https://github.com/24-2021/vul3/blob/main/Eyoucms/Eyoucms%3D1.7.1%20check_userinfo%20api%20viewfile%20exists%2C%20causing%20code%20execution%20due%20to%20file%20inclusion.md#poc |
| n/a--Mapnik | A security vulnerability has been detected in Mapnik up to 4.2.0. This issue affects the function mapnik::dbf_file::string_value of the file plugins/input/shape/dbfile.cpp. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 5.3 | CVE-2025-15537 | VDB-341709 | Mapnik dbfile.cpp string_value heap-based overflow VDB-341709 | CTI Indicators (IOB, IOC, IOA) Submit #733348 | mapnik Mapnik v4.2.0 and master-branch Heap-based Buffer Overflow https://github.com/mapnik/mapnik/issues/4543 https://github.com/oneafter/1218/blob/main/repro |
| n/a--net.sourceforge.plantuml:plantuml | Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG. | 2026-01-16 | 6.1 | CVE-2026-0858 | https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230 https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd https://github.com/plantuml/plantuml/releases/tag/v1.2026.0 |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.6. Affected by this vulnerability is an unknown functionality of the component GTPv2 Bearer Response Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 98f76e98df35cd6a35e868aa62715db7f8141ac1. A patch should be applied to remediate this issue. | 2026-01-16 | 5.3 | CVE-2025-15528 | VDB-341595 | Open5GS GTPv2 Bearer Response denial of service VDB-341595 | CTI Indicators (IOB, IOC, TTP) Submit #728128 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4225 https://github.com/open5gs/open5gs/issues/4225#issue-3769531006 https://github.com/open5gs/open5gs/commit/98f76e98df35cd6a35e868aa62715db7f8141ac1 |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named b19cf6a2dbf5d30811be4488bf059c865bd7d1d2. To fix this issue, it is recommended to deploy a patch. | 2026-01-16 | 5.3 | CVE-2025-15529 | VDB-341596 | Open5GS s5c-handler.c sgwc_s5c_handle_create_session_response denial of service VDB-341596 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728130 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4226 https://github.com/open5gs/open5gs/issues/4226#issue-3769595366 https://github.com/open5gs/open5gs/commit/b19cf6a2dbf5d30811be4488bf059c865bd7d1d2 |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.6. This affects the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c. Executing a manipulation can lead to reachable assertion. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The issue report is flagged as already-fixed. | 2026-01-17 | 5.3 | CVE-2025-15530 | VDB-341597 | Open5GS s11-handler.c assertion VDB-341597 | CTI Indicators (IOB, IOC, IOA) Submit #728987 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4231 https://github.com/open5gs/open5gs/issues/4231#issue-3774187007 |
| n/a--Open5GS | A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. The manipulation leads to reachable assertion. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The issue report is flagged as already-fixed. | 2026-01-17 | 5.3 | CVE-2025-15531 | VDB-341598 | Open5GS context.c sgwc_bearer_add assertion VDB-341598 | CTI Indicators (IOB, IOC, IOA) Submit #729339 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4233 https://github.com/open5gs/open5gs/issues/4233#issue-3776216182 |
| n/a--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the component Timer Handler. The manipulation results in resource consumption. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The patch is identified as c7c131f8d2cb1195ada5e0e691b6868ebcd8a845. It is best practice to apply a patch to resolve this issue. | 2026-01-17 | 5.3 | CVE-2025-15532 | VDB-341599 | Open5GS Timer resource consumption VDB-341599 | CTI Indicators (IOB, IOC, TTP) Submit #729354 | Open5GS SGWC v2.7.6 Denial of Service Submit #729357 | Open5GS SGWC v2.7.6 Denial of Service (Duplicate) https://github.com/open5gs/open5gs/issues/4220 https://github.com/open5gs/open5gs/issues/4221 https://github.com/open5gs/open5gs/issues/4220#issue-3766066853 https://github.com/open5gs/open5gs/commit/c7c131f8d2cb1195ada5e0e691b6868ebcd8a845 |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: b4707272c1caf6a7d4dca905694ea55557a0545f. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed. | 2026-01-18 | 5.3 | CVE-2025-15539 | VDB-341732 | Open5GS sgwc s11-handler.c sgwc_s11_handle_downlink_data_notification_ack denial of service VDB-341732 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735339 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4230 https://github.com/open5gs/open5gs/issues/4230#issue-3774173079 https://github.com/open5gs/open5gs/commit/b4707272c1caf6a7d4dca905694ea55557a0545f |
| n8n-io--n8n | n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node's IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0. | 2026-01-13 | 5.3 | CVE-2025-68949 | https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp https://github.com/n8n-io/n8n/issues/23399 https://github.com/n8n-io/n8n/pull/23399 https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5 |
| naa986--Payment Button for PayPal | The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation. If email sending is enabled, the plugin will also trigger purchase receipt emails to any email address supplied in the request, leading to order database corruption and unauthorized outgoing emails without any real PayPal transaction taking place. | 2026-01-17 | 5.3 | CVE-2025-14463 | https://www.wordfence.com/threat-intel/vulnerabilities/id/814e50de-3690-4adf-bc01-a63cd71bd1cf?source=cve https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/wp-paypal.php#L70 https://plugins.trac.wordpress.org/browser/wp-paypal/tags/1.2.3.41/wp-paypal.php#L70 https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/wp-paypal-checkout.php#L249 https://plugins.trac.wordpress.org/browser/wp-paypal/tags/1.2.3.41/wp-paypal-checkout.php#L249 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3431974%40wp-paypal&new=3431974%40wp-paypal&sfp_email=&sfph_mail= |
| netcashpaynow--Netcash WooCommerce Payment Gateway | The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed. | 2026-01-14 | 5.3 | CVE-2025-14880 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ca11df6-83e3-48b5-84b8-3f3e4f75ac4a?source=cve https://plugins.trac.wordpress.org/browser/netcash-pay-now-payment-gateway-for-woocommerce/tags/4.1.3/includes/class-wc-gateway-paynow.php#L1127 |
| ninjateam--WP Duplicate Page | The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's "Allowed User Roles" setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders. | 2026-01-13 | 5.4 | CVE-2025-14001 | https://www.wordfence.com/threat-intel/vulnerabilities/id/60830ed8-3ab8-44e8-899c-7032a187da8b?source=cve https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L54 https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L79 https://plugins.trac.wordpress.org/changeset/3432233/ |
| nofearinc--WP-CRM System Manage Clients and Projects | The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses. | 2026-01-14 | 5.4 | CVE-2025-14854 | https://www.wordfence.com/threat-intel/vulnerabilities/id/da607df4-1dbb-4b1e-ace6-b339cf9e8512?source=cve https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-functions.php?marks=942-975#L942 https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-dashboard-task-list.php?marks=177-190#L177 |
| NSecsoft--NSecKrnl | NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes by issuing crafted IOCTL requests to the driver. | 2026-01-13 | 4.7 | CVE-2025-68947 | url url url url url |
| obridgeacademy--WPBlogSyn | The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-14389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/141137a4-609f-4ea9-beba-d37b48144c29?source=cve https://plugins.trac.wordpress.org/browser/wpblogsync/tags/1.0/blogsync.php#L14 |
| Open Asset Import Library--Assimp | A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128. | 2026-01-18 | 5.3 | CVE-2025-15538 | VDB-341727 | Open Asset Import Library Assimp LWOMaterial.cpp FindUVChannels use after free VDB-341727 | CTI Indicators (IOB, IOC, IOA) Submit #735232 | Open Asset Import Library Assimp 6.0.2 Use After Free https://github.com/assimp/assimp/issues/6258 https://github.com/assimp/assimp/issues/6258#issuecomment-3070999530 https://github.com/user-attachments/files/21216542/assimp_poc10.zip |
| opencryptoki--opencryptoki | openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption, or denial-of-service. | 2026-01-13 | 6.6 | CVE-2026-22791 | https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-26f5-3mwq-4wm7 https://github.com/opencryptoki/opencryptoki/commit/785d7577e1477d12fbe235554e7e7b24f2de34b7 https://github.com/opencryptoki/opencryptoki/commit/e37e9127deeeb7bf3c3c4d852c594256c57ec3a8 |
| OpenSC project--pam_pkcs11 | In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass. | 2026-01-16 | 6.7 | CVE-2025-24531 | https://github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-7mf6-rg36-qgch https://github.com/OpenSC/pam_pkcs11/releases https://www.openwall.com/lists/oss-security/2025/02/06/3 |
| opensourcepos--opensourcepos | Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 has a stored XSS vulnerability exists in the Configuration (Information) functionality. An authenticated user with the permission "Configuration: Change OSPOS's Configuration" can inject a malicious JavaScript payload into the Company Name field when updating Information in Configuration. The malicious payload is stored and later triggered when a user accesses /sales/complete. First select Sales, and choose New Item to create an item, then click on Completed . Due to insufficient input validation and output encoding, the payload is rendered and executed in the user's browser, resulting in a stored XSS vulnerability. This vulnerability is fixed in 3.4.2. | 2026-01-13 | 4.3 | CVE-2025-68658 | https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-32r8-8r9r-9chw https://github.com/opensourcepos/opensourcepos/commit/849439c71eaa4c15857fb7c603297261c2ddc26d |
| paultgoodchild--Shield: Blocks Bots, Protects Users, and Prevents Security Breaches | The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user. | 2026-01-16 | 4.3 | CVE-2025-15370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d777014a-5397-4062-af39-7ea86589a0d0?source=cve https://plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/Actions/MfaGoogleAuthToggle.php https://plugins.trac.wordpress.org/changeset/3438647/wp-simple-firewall |
| payhere--PayHere Payment Gateway Plugin for WooCommerce | The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold. | 2026-01-14 | 5.3 | CVE-2025-15475 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d?source=cve https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.3.9/gateway/class-wcgatewaypayhere.php#L709 |
| perfitdev--Perfit WooCommerce | The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter. | 2026-01-14 | 5.3 | CVE-2025-14173 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cb141b46-2585-4b58-8d91-0cdb275348a1?source=cve https://plugins.trac.wordpress.org/browser/perfit-woocommerce/trunk/includes/class-wcp-settings-tab.php#L102 https://plugins.trac.wordpress.org/browser/perfit-woocommerce/tags/1.0.1/includes/class-wcp-settings-tab.php#L102 |
| Phpwcms--Phpwcms | Phpwcms 1.9.30 contains a file upload vulnerability that allows authenticated attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG payloads through the multiple file upload feature to potentially execute cross-site scripting attacks on the platform. | 2026-01-15 | 5.4 | CVE-2021-47783 | ExploitDB-50363 Official Product Homepage VulnCheck Advisory: Phpwcms 1.9.30 - Arbitrary File Upload |
| pimcore--pimcore | Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1. | 2026-01-15 | 5.4 | CVE-2026-23496 | https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r https://github.com/pimcore/web2print-tools/pull/108 https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1 https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2 https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1 |
| pimcore--pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-15 | 4.3 | CVE-2026-23494 | https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf https://github.com/pimcore/pimcore/pull/18893 https://github.com/pimcore/pimcore/releases/tag/v11.5.14 https://github.com/pimcore/pimcore/releases/tag/v12.3.1 |
| pimcore--pimcore | Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16. | 2026-01-15 | 4.3 | CVE-2026-23495 | https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909 https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16 https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54. | 2026-01-12 | 6.1 | CVE-2026-22695 | https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp https://github.com/pnggroup/libpng/issues/778 https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea https://github.com/pnggroup/libpng/commit/e4f7ad4ea2 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. | 2026-01-12 | 6.8 | CVE-2026-22801 | https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8 |
| prasannasp--Short Link | The Short Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'short_link_post_title' and 'short_link_page_title' parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | 2026-01-14 | 4.4 | CVE-2026-0813 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8623d2cc-dcdd-4453-9a86-669bdd44eae1?source=cve https://plugins.trac.wordpress.org/browser/short-link/tags/1.0/short-link.php#L118 https://plugins.trac.wordpress.org/browser/short-link/trunk/short-link.php#L118 |
| radykal--Fancy Product Designer | The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | 2026-01-16 | 5.3 | CVE-2025-15526 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9b39b4ce-3885-4ea4-8cf0-84e66e7f6a12?source=cve https://support.fancyproductdesigner.com/support/discussions/topics/13000036024 |
| raysan5--raylib | A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. Executing a manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. This patch is called 5a3391fdce046bc5473e52afbd835dd2dc127146. Applying a patch is advised to resolve this issue. | 2026-01-18 | 5.3 | CVE-2025-15533 | VDB-341705 | raysan5 raylib rtext.c GenImageFontAtlas heap-based overflow VDB-341705 | CTI Indicators (IOB, IOC, IOA) Submit #733341 | raysan5 raylib 909f040 Heap-based Buffer Overflow Submit #733342 | raysan5 raylib 909f040 Heap-based Buffer Overflow (Duplicate) https://github.com/raysan5/raylib/issues/5433 https://github.com/raysan5/raylib/pull/5450 https://github.com/oneafter/1224/blob/main/hbf2 https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146 |
| raysan5--raylib | A vulnerability was identified in raysan5 raylib up to 909f040. Affected by this issue is the function LoadFontData of the file src/rtext.c. The manipulation leads to integer overflow. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The identifier of the patch is 5a3391fdce046bc5473e52afbd835dd2dc127146. It is suggested to install a patch to address this issue. | 2026-01-18 | 5.3 | CVE-2025-15534 | VDB-341706 | raysan5 raylib rtext.c LoadFontData integer overflow VDB-341706 | CTI Indicators (IOB, IOC, IOA) Submit #733343 | raysan5 raylib 909f040 Integer Overflow https://github.com/raysan5/raylib/issues/5436 https://github.com/raysan5/raylib/pull/5450 https://github.com/oneafter/1224/blob/main/segv1 https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146 |
| rebelcode--RSS Aggregator RSS Import, News Feeds, Feed to Post, and Autoblogging | The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'className' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-16 | 6.1 | CVE-2025-14375 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3d2dde13-2940-478e-8e2b-baf60003754a?source=cve https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence. | 2026-01-14 | 6.5 | CVE-2025-14242 | RHSA-2026:0605 RHSA-2026:0606 RHSA-2026:0608 https://access.redhat.com/security/cve/CVE-2025-14242 RHBZ#2419826 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. | 2026-01-15 | 5.9 | CVE-2026-0990 | https://access.redhat.com/security/cve/CVE-2026-0990 RHBZ#2429959 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted. | 2026-01-13 | 4.8 | CVE-2026-0716 | https://access.redhat.com/security/cve/CVE-2026-0716 RHBZ#2427896 https://gitlab.gnome.org/GNOME/libsoup/-/issues/476 |
| rndsand81--Stopwords for comments | The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' functions. This makes it possible for unauthenticated attackers to add or delete stopwords via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-15376 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dd8c45c7-dbb2-46ab-8e50-e02062587b00?source=cve https://plugins.trac.wordpress.org/browser/stopwords-for-comments/trunk/functions.php?marks=151,170#L151 |
| roxnor--GetGenie AI Content Writer with Keyword Research & SEO Tracking Tools | The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user is authorized to delete a specific post. This makes it possible for authenticated attackers, with Author-level access and above, to delete any post on the WordPress site, including posts authored by other users. | 2026-01-16 | 4.3 | CVE-2026-1003 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38ec647a-3c0c-4d3c-ba34-64c17803867b?source=cve https://plugins.trac.wordpress.org/browser/getgenie/trunk/app/Api/GetGenieChat.php#L153 https://plugins.trac.wordpress.org/changeset/3436920/ |
| saadiqbal--Quick Contact Form | The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details. | 2026-01-17 | 5.8 | CVE-2025-12718 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dc7ba538-a7ee-48c8-996c-b8db1934fdeb?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433286%40quick-contact-form&new=3433286%40quick-contact-form&sfp_email=&sfph_mail= |
| sablab--Internal Link Builder | The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-14725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1febe071-b296-4958-a9e8-9be9391f2390?source=cve https://plugins.trac.wordpress.org/browser/internal-link-builder/trunk/InternalLinkBuilder.php#L133 |
| Sanluan--PublicCMS | A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.4 | CVE-2026-1112 | VDB-341704 | Sanluan PublicCMS Trade Address Deletion Endpoint TradeAddressController.java delete improper authorization VDB-341704 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #732771 | publiccms PublicCMS <= V5.202506.d Insecure Direct Object Reference (IDOR) https://github.com/AnalogyC0de/public_exp/issues/4 |
| Sanluan--PublicCMS | A vulnerability has been found in Sanluan PublicCMS up to 5.202506.d. This impacts the function Save of the file com/publiccms/controller/admin/sys/TaskTemplateAdminController.java of the component Task Template Management Handler. Such manipulation of the argument path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 4.7 | CVE-2026-1111 | VDB-341703 | Sanluan PublicCMS Task Template Management TaskTemplateAdminController.java save path traversal VDB-341703 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #732726 | publiccms PublicCMS <= V5.202506.d Remote Code Execution (RCE) https://github.com/AnalogyC0de/public_exp/issues/2 |
| SAP_SE--Business Server Pages Application (Product Designer Web UI) | SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application. | 2026-01-13 | 4.3 | CVE-2026-0497 | https://me.sap.com/notes/3677111 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Business Connector | Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability. | 2026-01-13 | 6.1 | CVE-2026-0514 | https://me.sap.com/notes/3666061 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) | Due to missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application which might further affect the subsequent systems. This vulnerability leads to a low impact on confidentiality and integrity of the application with no affect on the availability. | 2026-01-13 | 6.4 | CVE-2026-0503 | https://me.sap.com/notes/3681523 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application. | 2026-01-13 | 6.6 | CVE-2026-0496 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application. | 2026-01-13 | 5.1 | CVE-2026-0495 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability. | 2026-01-13 | 4.3 | CVE-2026-0493 | https://me.sap.com/notes/3655229 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted. | 2026-01-13 | 4.3 | CVE-2026-0494 | https://me.sap.com/notes/3655227 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability. | 2026-01-13 | 6.1 | CVE-2026-0499 | https://me.sap.com/notes/3687372 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Supplier Relationship Management (SICF Handler in SRM Catalog) | Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Confidentiality and availability are not impacted. | 2026-01-13 | 4.7 | CVE-2026-0513 | https://me.sap.com/notes/3638716 https://url.sap/sapsecuritypatchday |
| SchedMD--Slurm | In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting system can allow a Coordinator to promote a user to Administrator. | 2026-01-16 | 4.2 | CVE-2025-43904 | https://www.schedmd.com/security-policy/ https://lists.schedmd.com/mailman3/hyperkitty/list/slurm-announce@lists.schedmd.com/message/B73QHKW6TKE2T5KDWVPIWNE5H4KWX667/ |
| Schlix--Schlix CMS | Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users. | 2026-01-16 | 6.4 | CVE-2021-47834 | ExploitDB-49837 Vendor Homepage VulnCheck Advisory: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated) |
| searchwiz--SearchWiz | The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in post titles that will execute whenever a user performs a search and views the search results page. | 2026-01-14 | 6.4 | CVE-2026-0694 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e60a315-7f74-4d81-b6d2-ad3d40d489ef?source=cve https://plugins.trac.wordpress.org/browser/searchwiz/trunk/public/class-sw-ajax.php#L616 https://plugins.trac.wordpress.org/browser/searchwiz/tags/1.0.0/public/class-sw-ajax.php#L616 |
| shoheitanaka--PAYGENT for WooCommerce | The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint. | 2026-01-17 | 5.3 | CVE-2025-14078 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9de42bd9-a1d2-48f2-a594-4013a9490e25?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/trunk/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199 https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/tags/2.4.2/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433179%40woocommerce-for-paygent-payment-main&new=3433179%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432342%40woocommerce-for-paygent-payment-main&new=3432342%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail= |
| SICK AG--Incoming Goods Suite | The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. | 2026-01-15 | 6.8 | CVE-2026-22637 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance. | 2026-01-15 | 5.5 | CVE-2026-22640 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. | 2026-01-15 | 5 | CVE-2026-22641 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access. | 2026-01-15 | 5.3 | CVE-2026-22644 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components. | 2026-01-15 | 5.3 | CVE-2026-22645 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01 | 2026-01-15 | 4.3 | CVE-2026-22639 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL | 2026-01-15 | 4.2 | CVE-2026-22642 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal structure and discover other, more critical vulnerabilities. | 2026-01-15 | 4.3 | CVE-2026-22646 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--TDC-X401GL | Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device. | 2026-01-15 | 5.3 | CVE-2026-22911 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risk including stealing credentials from unsuspecting users. | 2026-01-15 | 4.3 | CVE-2026-22912 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data. | 2026-01-15 | 4.3 | CVE-2026-22913 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker with limited permissions may still be able to write files to specific locations on the device, potentially leading to system manipulation. | 2026-01-15 | 4.3 | CVE-2026-22914 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information. | 2026-01-15 | 4.3 | CVE-2026-22915 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration. | 2026-01-15 | 4.3 | CVE-2026-22916 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Improper input handling in a system endpoint may allow attackers to overload resources, causing a denial of service. | 2026-01-15 | 4.3 | CVE-2026-22917 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data. | 2026-01-15 | 4.3 | CVE-2026-22918 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| sigstore--fulcio | Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5. | 2026-01-12 | 5.8 | CVE-2026-22772 | https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mr https://github.com/sigstore/fulcio/commit/eaae2f2be56df9dea5f9b439ec81bedae4c0978d |
| Skyjos--Owlfiles File Manager | Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. Attackers can craft URLs targeting the download and list endpoints with embedded script tags to execute arbitrary JavaScript in users' browsers. | 2026-01-13 | 6.2 | CVE-2022-50891 | ExploitDB-51036 Vendor Homepage Official App Store Listing VulnCheck Advisory: Owlfiles File Manager 12.0.1 Cross-Site Scripting via HTTP Server |
| SMEWebify--WebErpMesv2 | WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19. | 2026-01-12 | 5.4 | CVE-2026-22789 | https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-64rv-f829-x6m4 https://github.com/SMEWebify/WebErpMesv2/commit/c9e7f4a85aeb774a0ea4b61ad57a51b941166b69 |
| smings--LEAV Last Email Address Validator | The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-16 | 4.3 | CVE-2025-14853 | https://www.wordfence.com/threat-intel/vulnerabilities/id/93db56df-d21b-4788-84b2-7b28641b5a7a?source=cve https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L66 https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L2183 https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L257 |
| smub--All in One SEO Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | The All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token. | 2026-01-16 | 4.3 | CVE-2025-14384 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f47d53e1-42ac-425e-a6f2-901a6d26845d?source=cve https://plugins.trac.wordpress.org/changeset/3435276/all-in-one-seo-pack |
| socialchampio--SocialChamp with WordPress | The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-14846 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bdbb660b-19aa-4c68-865c-0a51b85d1e5a?source=cve https://plugins.trac.wordpress.org/browser/auto-post-to-social-media-wp-to-social-champ/tags/1.3.3/admin/class-wp-socialchamp-settings-init.php#L157 |
| softwarepub--hermes | hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1. | 2026-01-12 | 5.9 | CVE-2026-22798 | https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23 https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514 |
| specialk--User Submitted Posts Enable Users to Submit Posts from the Front End | The User Submitted Posts - Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-16 | 6.4 | CVE-2026-0913 | https://www.wordfence.com/threat-intel/vulnerabilities/id/85bf7a1b-3c54-40c9-8f19-fcb9dd478a0e?source=cve https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20251210/library/shortcode-access.php#L20 https://plugins.trac.wordpress.org/changeset/3439027/ |
| Spring--CLI VSCode Extension | The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine. | 2026-01-14 | 6.8 | CVE-2026-22718 | https://spring.io/security/cve-2026-22718 |
| stylemix--Cost Calculator Builder | The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order's payment status as "completed" without actual payment. | 2026-01-16 | 5.3 | CVE-2025-14757 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b8415e5f-17a4-425c-ac28-5dd886d1bcf1?source=cve https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBOrderController.php#L408 https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBAjaxAction.php#L98 https://plugins.trac.wordpress.org/changeset/3437516/cost-calculator-builder/trunk/includes/classes/CCBOrderController.php?old=3426823&old_path=cost-calculator-builder%2Ftrunk%2Fincludes%2Fclasses%2FCCBOrderController.php |
| sweetdaisy86--RepairBuddy Repair Shop CRM & Booking Plugin for WordPress | The RepairBuddy - Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes. | 2026-01-17 | 5.3 | CVE-2026-0820 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1b2ad299-03b1-4b9e-a241-d2ad2d85c3ac?source=cve https://plugins.trac.wordpress.org/browser/computer-repair-shop/trunk/lib/includes/classes/class-wcrb_signature.php#L562 https://plugins.trac.wordpress.org/browser/computer-repair-shop/tags/4.1116/lib/includes/classes/class-wcrb_signature.php#L562 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436356%40computer-repair-shop&new=3436356%40computer-repair-shop&sfp_email=&sfph_mail= |
| Syed Balkhi--WPForms | WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser. | 2026-01-13 | 6.1 | CVE-2020-36919 | ExploitDB-51152 WPForms Lite Plugin Homepage VulnCheck Advisory: WPForms 1.7.8 - Cross-Site Scripting (XSS) |
| techknowprime--Responsive Accordion Slider | The Responsive Accordion Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resp_accordion_silder_save_images' function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify any slider's image metadata including titles, descriptions, alt text, and links. | 2026-01-14 | 4.3 | CVE-2026-0635 | https://www.wordfence.com/threat-intel/vulnerabilities/id/55cfb2c6-ca3f-45b7-8cd9-a5a1c3783ae0?source=cve https://plugins.trac.wordpress.org/browser/responsive-accordion-slider/tags/1.2.2/includes/admin/class-ras-admin.php#L101 |
| Testa--Testa | Testa 3.5.1 contains a reflected cross-site scripting vulnerability in the login.php redirect parameter that allows attackers to inject malicious scripts. Attackers can craft a specially encoded payload in the redirect parameter to execute arbitrary JavaScript in victim's browser context. | 2026-01-13 | 6.1 | CVE-2022-50896 | ExploitDB-51023 Archived Product Homepage VulnCheck Advisory: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS) |
| thimpress--Thim Blocks | The Gutenberg Thim Blocks - Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, which can contain sensitive information such as wp-config.php. | 2026-01-17 | 6.5 | CVE-2025-13725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/80de464f-a4b0-4aaf-8869-f8d29a422bdb?source=cve https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92 https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92 https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97 https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3424998%40thim-blocks&new=3424998%40thim-blocks&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3419638%40thim-blocks&new=3419638%40thim-blocks&sfp_email=&sfph_mail= |
| thimpress--WP Hotel Booking | The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce. | 2026-01-17 | 5.3 | CVE-2025-14075 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1fc4eaec-b5d8-4707-9260-bac02a4b1866?source=cve https://plugins.trac.wordpress.org/browser/wp-hotel-booking/trunk/includes/class-wphb-ajax.php#L192 https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L192 https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L36 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429399%40wp-hotel-booking&new=3429399%40wp-hotel-booking&sfp_email=&sfph_mail= |
| thundernest--ImportExportTools NG | ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials. | 2026-01-15 | 6.1 | CVE-2021-47768 | ExploitDB-50496 ImportExportTools NG GitHub Repository Thunderbird Addon Page Vulnerability-Lab Disclosure |
| torstenbulk--DK PDF WordPress PDF Generator | The DK PDF - WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-16 | 5 | CVE-2025-14793 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b062f72a-542c-4212-af83-4faefbf69bd7?source=cve https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/Frontend/WordPressIntegration.php?marks=22-25#L22 https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/PDF/Generator.php?marks=24-56#L24 https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/modules/PDF/DocumentBuilder.php#L213 https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/templates/dkpdf-index.php#L134 |
| traefik--traefik | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7. | 2026-01-15 | 5.9 | CVE-2026-22045 | https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d https://github.com/traefik/traefik/releases/tag/v2.11.35 https://github.com/traefik/traefik/releases/tag/v3.6.7 |
| treeverse--lakeFS | lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0. | 2026-01-15 | 6.5 | CVE-2025-68671 | https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f https://github.com/treeverse/lakeFS/issues/9599 https://github.com/treeverse/lakeFS/commit/92966ae611d7f1a2bbe7fd56f9568c975aab2bd8 |
| Ttyplus--MTPutty | MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH credentials. | 2026-01-15 | 6.2 | CVE-2021-47759 | ExploitDB-50574 Official MTPutty Product Homepage |
| Ubeeinteractive--Ubee EVW327 | Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user's consent. | 2026-01-16 | 5.3 | CVE-2021-47820 | ExploitDB-49920 Ubee Interactive Official Homepage VulnCheck Advisory: Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF) |
| umbraco--Umbraco | Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts. | 2026-01-15 | 5.3 | CVE-2021-47776 | ExploitDB-50462 Umbraco Official Homepage Umbraco CMS Release Notes |
| Vertiv--Cyclades Serial Console Server | Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration to gain root access by manipulating system binaries and leveraging unrestricted sudo permissions. | 2026-01-13 | 6.2 | CVE-2022-50927 | ExploitDB-50773 Vertiv Official Homepage VulnCheck Advisory: Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation |
| VideoLAN--VLC media player | mmstu.c in VideoLAN VLC media player before 3.0.22 allows an out-of-bounds read and denial of service via a crafted 0x01 response from an MMS server. | 2026-01-16 | 4.8 | CVE-2025-51602 | https://www.videolan.org/security/sb-vlc3022.html https://code.videolan.org/videolan/vlc/-/issues/29146 |
| Visual-Tools--Visual Tools DVR VX16 | Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount commands to bind a shell, enabling unauthorized system-level privileges. | 2026-01-15 | 6.2 | CVE-2021-47799 | ExploitDB-50104 Official Vendor Homepage |
| vk011--Real Post Slider Lite | The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2026-0680 | https://www.wordfence.com/threat-intel/vulnerabilities/id/324fd823-8ec9-4187-8694-6160bad8e093?source=cve https://plugins.trac.wordpress.org/browser/real-post-slider-lite/trunk/real-post-slider-lite.php#L130 https://plugins.trac.wordpress.org/browser/real-post-slider-lite/tags/2.4/real-post-slider-lite.php#L130 |
| webbu--WMF Mobile Redirector | The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2026-0739 | https://www.wordfence.com/threat-intel/vulnerabilities/id/037b5c2c-510a-4fa5-b489-cb0478603be2?source=cve https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L55 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L55 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L62 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L62 |
| WeblateOrg--wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers. | 2026-01-12 | 5.3 | CVE-2026-22251 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766 https://github.com/WeblateOrg/wlc/pull/1098 https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797 |
| Wireshark Foundation--Wireshark | IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.3 | CVE-2026-0959 | https://www.wireshark.org/security/wnpa-sec-2026-02.html GitLab Issue #20939 |
| Wireshark Foundation--Wireshark | BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.5 | CVE-2026-0961 | https://www.wireshark.org/security/wnpa-sec-2026-01.html GitLab Issue #20880 |
| Wireshark Foundation--Wireshark | SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.3 | CVE-2026-0962 | https://www.wireshark.org/security/wnpa-sec-2026-03.html GitLab Issue #20945 |
| Wireshark Foundation--Wireshark | HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service | 2026-01-14 | 4.7 | CVE-2026-0960 | https://www.wireshark.org/security/wnpa-sec-2026-04.html GitLab Issue #20944 |
| wpcenter--AffiliateX Amazon Affiliate Plugin | The AffiliateX - Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store arbitrary JavaScript that executes whenever an AffiliateX block renders on the site. | 2026-01-15 | 6.4 | CVE-2025-13859 | https://www.wordfence.com/threat-intel/vulnerabilities/id/36d57b8d-7e62-413b-8ea9-87963b8cd469?source=cve https://plugins.trac.wordpress.org/changeset/3420957/affiliatex/trunk/includes/functions/AjaxFunctions.php https://plugins.trac.wordpress.org/changeset/3420957/affiliatex/trunk/includes/helpers/class-affiliatex-helpers.php |
| wpchill--Filr Secure document library | The Filr - Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type. | 2026-01-17 | 4.4 | CVE-2025-14632 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c16c3a8d-bae1-4729-86c8-ec13481ff187?source=cve https://plugins.trac.wordpress.org/browser/filr-protection/trunk/src/class-filr-uploader.php#L14 https://plugins.trac.wordpress.org/browser/filr-protection/tags/1.2.10/src/class-filr-uploader.php#L14 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425333%40filr-protection&new=3425333%40filr-protection&sfp_email=&sfph_mail= |
| wpdevelop--Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users. | 2026-01-16 | 4.3 | CVE-2025-14982 | https://www.wordfence.com/threat-intel/vulnerabilities/id/161d92e3-d255-4967-9449-be263a46bec8?source=cve https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L150 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L722 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L918 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L158 https://plugins.trac.wordpress.org/browser/booking/trunk/core/wpbc-activation.php#L661 https://plugins.trac.wordpress.org/browser/booking/trunk/core/any/class-admin-menu.php#L22 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432649%40booking%2Ftrunk&old=3416518%40booking%2Ftrunk&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking&old=3436482&new_path=%2Fbooking&new=3436482&sfp_email=&sfph_mail= |
| wpdevteam--Essential Addons for Elementor Popular Elementor Templates & Widgets | The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted. | 2026-01-16 | 5.3 | CVE-2026-1004 | https://www.wordfence.com/threat-intel/vulnerabilities/id/06ef9a21-e2b9-40c7-9de5-cff175fa10a5?source=cve https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L820 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L64 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L65 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L832 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L1439 https://github.com/WPDevelopers/essential-addons-for-elementor-lite/commit/4e43db06bcf12870cc3b185ed59b3fe2cd227945 |
| wpswings--Wallet System for WooCommerce Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments | The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances. | 2026-01-17 | 6.5 | CVE-2025-14450 | https://www.wordfence.com/threat-intel/vulnerabilities/id/466a5315-fc05-4b96-9dfd-17862fc406c5?source=cve https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/trunk/includes/class-wallet-system-ajaxhandler.php#L140 https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/tags/2.7.2/includes/class-wallet-system-ajaxhandler.php#L140 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435898%40wallet-system-for-woocommerce&new=3435898%40wallet-system-for-woocommerce&sfp_email=&sfph_mail= |
| xiweicheng--TMS | A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unrestricted upload. The attack may be performed from remote. The exploit is now public and may be used. | 2026-01-17 | 6.3 | CVE-2026-1061 | VDB-341629 | xiweicheng TMS FileController.java upload unrestricted upload VDB-341629 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731240 | https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Unrestricted Upload https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
| xiweicheng--TMS | A flaw has been found in xiweicheng TMS up to 2.28.0. This affects the function Summary of the file src/main/java/com/lhjz/portal/util/HtmlUtil.java. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-01-17 | 6.3 | CVE-2026-1062 | VDB-341630 | xiweicheng TMS HtmlUtil.java summary server-side request forgery VDB-341630 | CTI Indicators (IOB, IOC, IOA) Submit #731241 | https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Server-Side Request Forgery Submit #731242 | https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Server-Side Request Forgery (Duplicate) https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%881%EF%BC%89.md https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%882%EF%BC%89.md |
| Xmind--Xmind | Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening. | 2026-01-16 | 6.1 | CVE-2021-47844 | ExploitDB-49827 Official Xmind Product Homepage Proof of Concept Video VulnCheck Advisory: Xmind 2020 - Persistent Cross-Site Scripting |
| YouPHPTube--YouPHPTube | YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. Attackers can exploit the path traversal flaw in locale/function.php to include and view PHP files outside the intended directory by using directory traversal sequences. | 2026-01-13 | 6.2 | CVE-2021-47749 | ExploitDB-51101 Archived YouPHPTube Homepage VulnCheck Advisory: YouPHPTube <= 7.8 - Directory Traversal |
| YouPHPTube--YouPHPTube | YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page. | 2026-01-13 | 6.1 | CVE-2021-47750 | ExploitDB-51101 Archived YouPHPTube Homepage VulnCheck Advisory: YouPHPTube <= 7.8 - Cross-Site Scripting |
| zealopensource--User Registration Using Contact Form 7 | The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets. | 2026-01-17 | 5.3 | CVE-2025-12825 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b49978c1-9254-4229-8d32-e12896301f3d?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433276%40user-registration-using-contact-form-7&new=3433276%40user-registration-using-contact-form-7&sfp_email=&sfph_mail= |
| Zippy--Zstore | Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context. | 2026-01-13 | 6.1 | CVE-2023-53985 | ExploitDB-51207 Zstore/Zippy-CRM Product Homepage Zstore/Zippy-CRM GitHub Repository Vulnerability Reproduction Repository VulnCheck Advisory: Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS) |
| zitadel--zitadel | ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6. | 2026-01-15 | 5.3 | CVE-2026-23511 | https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2 https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d https://github.com/zitadel/zitadel/releases/tag/v3.4.6 https://github.com/zitadel/zitadel/releases/tag/v4.9.1 |
| Zohocorp--ManageEngine ADManager Plus | Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module | 2026-01-13 | 5.5 | CVE-2025-9435 | https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-9435.html |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| andy_moyle--Church Admin | The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-17 | 2.2 | CVE-2026-0682 | https://www.wordfence.com/threat-intel/vulnerabilities/id/77227fc5-7c38-476d-af4c-4b2ad3dd8420?source=cve https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/sermon-podcast.php#L1181 https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/sermon-podcast.php#L1181 https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/functions.php#L6297 https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/functions.php#L6297 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440847%40church-admin&new=3440847%40church-admin&sfp_email=&sfph_mail= |
| bestpractical--Request Tracker | Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. | 2026-01-16 | 2.6 | CVE-2025-61873 | https://docs.bestpractical.com/release-notes/rt/index.html |
| Fortinet--FortiSandbox | A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox 4.4 all versions, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to proxy internal requests limited to plaintext endpoints only via crafted HTTP requests. | 2026-01-13 | 3.4 | CVE-2025-67685 | https://fortiguard.fortinet.com/psirt/FG-IR-25-783 |
| glenwpcoder--Drag and Drop Multiple File Upload for Contact Form 7 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled. | 2026-01-15 | 3.7 | CVE-2025-14457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a182243-b24a-4c46-8b65-6b38d8509a51?source=cve https://plugins.trac.wordpress.org/changeset/3428236/drag-and-drop-multiple-file-upload-contact-form-7 |
| Lenovo--Tab M11 TB330FU TB330XU | A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled. | 2026-01-14 | 3.2 | CVE-2025-14058 | https://support.lenovo.com/us/en/product_security/LEN-207951 |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens | 2026-01-16 | 3.1 | CVE-2025-14822 | https://mattermost.com/security-updates |
| n/a--LigeroSmart | A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. This manipulation of the argument TicketID causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 3.5 | CVE-2026-1048 | VDB-341600 | LigeroSmart index.pl cross site scripting VDB-341600 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729399 | LigeroSmart 6.1.26 Cross Site Scripting https://github.com/LigeroSmart/ligerosmart/issues/279 https://github.com/LigeroSmart/ligerosmart/issues/279#issue-3775562926 |
| n/a--LigeroSmart | A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument TicketID leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 3.5 | CVE-2026-1049 | VDB-341601 | LigeroSmart index.pl cross site scripting VDB-341601 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729402 | LigeroSmart 6.1.26 Cross Site Scripting https://github.com/LigeroSmart/ligerosmart/issues/280 https://github.com/LigeroSmart/ligerosmart/issues/280#issue-3776580352 |
| nicbarker--clay | A security flaw has been discovered in nicbarker clay up to 0.14. This affects the function Clay__MeasureTextCached in the library clay.h. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 3.3 | CVE-2025-15535 | VDB-341707 | nicbarker clay clay.h Clay__MeasureTextCached null pointer dereference VDB-341707 | CTI Indicators (IOB, IOC, IOA) Submit #733346 | nicbarker clay v0.14 and master-branch Memory Corruption https://github.com/nicbarker/clay/issues/566 https://github.com/oneafter/1215/blob/main/repro |
| nodejs--undici | Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0. | 2026-01-14 | 3.7 | CVE-2026-22036 | https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9 https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable. | 2026-01-15 | 3.7 | CVE-2026-0976 | https://access.redhat.com/security/cve/CVE-2026-0976 RHBZ#2429869 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk. | 2026-01-15 | 3.7 | CVE-2026-0989 | https://access.redhat.com/security/cve/CVE-2026-0989 RHBZ#2429933 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition. | 2026-01-15 | 2.9 | CVE-2026-0992 | https://access.redhat.com/security/cve/CVE-2026-0992 RHBZ#2429975 |
| SAP_SE--NW AS Java UME User Mapping | The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions potentially leading to partial disclosure of sensitive information.This has low impact on confidentiality with no impact on integrity and availability of the application. | 2026-01-13 | 3 | CVE-2026-0510 | https://me.sap.com/notes/3593356 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Identity Management | Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability. | 2026-01-13 | 3.8 | CVE-2026-0504 | https://me.sap.com/notes/3657998 https://url.sap/sapsecuritypatchday |
| SICK AG--TDC-X401GL | An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data. | 2026-01-15 | 3.8 | CVE-2026-22919 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks. | 2026-01-15 | 3.7 | CVE-2026-22920 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| THM-Health--PILOS | PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0. | 2026-01-12 | 2.4 | CVE-2026-22800 | https://github.com/THM-Health/PILOS/security/advisories/GHSA-r24c-9p4j-rqw9 https://github.com/THM-Health/PILOS/commit/d9ab9bb7ac0a8581c25e24cb7db2152d40be4d1b |
| WeblateOrg--wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0. | 2026-01-12 | 2.5 | CVE-2026-22250 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh https://github.com/WeblateOrg/wlc/pull/1097 https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AbhishekMali21--AbhishekMali21 | Multiple SQL Injection vulnerabilities exist in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 via the 'name' parameter in (1) member_search.php, (2) trainer_search.php, and (3) gym_search.php, and via the 'id' parameter in (4) payment_search.php. An unauthenticated remote attacker can exploit these issues to inject malicious SQL commands, leading to unauthorized data extraction, authentication bypass, or modification of database contents. | 2026-01-12 | not yet calculated | CVE-2025-67146 | https://github.com/AbhishekMali21/GYM-MANAGEMENT-SYSTEM/issues/4 |
| AbhishekMali21--AbhishekMali21 | Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level. | 2026-01-12 | not yet calculated | CVE-2025-67147 | https://github.com/amansuryawanshi/Gym-Management-System-PHP/issues/3 |
| Absolute Security--Secure Access | CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure Access Server prior to 14.20. An attacker can send a specially crafted packet to a server and cause the server to crash | 2026-01-17 | not yet calculated | CVE-2026-0517 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0517 |
| Absolute Security--Secure Access | CVE-2026-0518 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.20. An attacker with administrative privileges can interfere with another administrator's use of the console. | 2026-01-17 | not yet calculated | CVE-2026-0518 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0518 |
| Absolute Security--Secure Access | In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system. | 2026-01-17 | not yet calculated | CVE-2026-0519 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0519 |
| Acora--Acora | A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack. | 2026-01-12 | not yet calculated | CVE-2025-63314 | http://ddsn.com http://acora.com https://github.com/padayali-JD/CVE-2025-63314 |
| adonisjs--lucid | @adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6. | 2026-01-13 | not yet calculated | CVE-2026-22814 | https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f |
| Airth--Airth | An issue in AIRTH SMART HOME AQI MONITOR Bootloader v.1.005 allows a physically proximate attacker to obtain sensitive information via the UART port of the BK7231N controller (Wi-Fi and BLE module) on the device is open to access | 2026-01-14 | not yet calculated | CVE-2025-67399 | http://airth.com https://github.com/rupeshsurve04/CVE-2025-67399/blob/main/AIRTH_SMART_HOME_AQI_MONITOR_CVE-2025-67399.pdf |
| akinloluwami--outray | Outray openSource ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5. | 2026-01-14 | not yet calculated | CVE-2026-22820 | https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7 https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581 |
| alextselegidis--easyappointments | Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover. | 2026-01-15 | not yet calculated | CVE-2026-23622 | https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj |
| AltumCode--AltumCode | Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file | 2026-01-12 | not yet calculated | CVE-2025-66939 | https://66biolinks.com/ https://gist.github.com/Waqar-Arain/2a21b135a04e7804c124688ea1085875 |
| AMD--AMD EPYC 9004 Series Processors | Write what were condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline potentially resulting in the corruption of the stack pointer inside an SEV-SNP guest. | 2026-01-16 | not yet calculated | CVE-2025-29943 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3027.html |
| anomalyco--opencode | OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10. | 2026-01-12 | not yet calculated | CVE-2026-22813 | https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp |
| Anycomment--Anycomment | Cross Site Scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section | 2026-01-15 | not yet calculated | CVE-2025-67025 | https://bdu.fstec.ru/vul/2023-08900 https://anycomment.io/site/changelog |
| Apache Software Foundation--Apache Airflow | In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue | 2026-01-16 | not yet calculated | CVE-2025-68438 | https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff |
| Apache Software Foundation--Apache Airflow | In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue | 2026-01-16 | not yet calculated | CVE-2025-68675 | https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5 |
| Apache Software Foundation--Apache bRPC | Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter.. Affected scenarios: Use the built-in bRPC heap profiler service to perform jemalloc memory profiling. How to Fix: we provide two methods, you can choose one of them: 1. Upgrade bRPC to version 1.15.0. 2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually. | 2026-01-16 | not yet calculated | CVE-2025-60021 | https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m |
| Apache Software Foundation--Apache Camel Neo4j | Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0. | 2026-01-14 | not yet calculated | CVE-2025-66169 | https://camel.apache.org/security/CVE-2025-66169.html |
| Apple--iOS and iPadOS | The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An app may be able to corrupt coprocessor memory. | 2026-01-16 | not yet calculated | CVE-2024-44238 | https://support.apple.com/en-us/121563 |
| Apple--iOS and iPadOS | This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. A user may be able to view restricted content from the lock screen. | 2026-01-16 | not yet calculated | CVE-2024-54556 | https://support.apple.com/en-us/121563 |
| Apple--iOS and iPadOS | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. | 2026-01-16 | not yet calculated | CVE-2025-24089 | https://support.apple.com/en-us/122066 |
| Apple--iOS and iPadOS | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. | 2026-01-16 | not yet calculated | CVE-2025-24090 | https://support.apple.com/en-us/122066 |
| Apple--macOS | This issue was addressed with improved permissions checking. This issue is fixed in macOS Sequoia 15.1. An app may be able to access user-sensitive data. | 2026-01-16 | not yet calculated | CVE-2024-44210 | https://support.apple.com/en-us/121564 |
| Apple--macOS | A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2026-01-16 | not yet calculated | CVE-2025-43508 | https://support.apple.com/en-us/125634 |
| Apple--Xcode | A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. An app may be able to bypass Privacy preferences. | 2026-01-16 | not yet calculated | CVE-2025-31186 | https://support.apple.com/en-us/122380 |
| Arm--Neoverse-N2 | In certain Arm CPUs, a CPP RCTX instruction executed on one Processing Element (PE) may inhibit TLB invalidation when a TLBI is issued to the PE, either by the same PE or another PE in the shareability domain. In this case, the PE may retain stale TLB entries which should have been invalidated by the TLBI. | 2026-01-14 | not yet calculated | CVE-2025-0647 | https://developer.arm.com/documentation/111546 |
| Assaf Parag--Poll, Survey & Quiz Maker Plugin by Opinion Stage | Poll, Survey & Quiz Maker Plugin by Opinion Stage Wordpress plugin versions prior to 19.6.25 contain a stored cross-site scripting (XSS) vulnerability via multiple parameters due to insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page. | 2026-01-16 | not yet calculated | CVE-2019-25297 | https://wpscan.com/vulnerability/4ed1edd6-3813-44a3-bee7-f07c1774b679/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/social-polls-by-opinionstage/poll-survey-quiz-maker-plugin-by-opinion-stage-19625-unauthenticated-stored-cross-site-scripting https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-poll-survey-form-quiz-maker-by-opinionstage-cross-site-scripting-19-6-24/ https://wordpress.org/plugins/social-polls-by-opinionstage/ https://plugins.trac.wordpress.org/changeset/2158590/social-polls-by-opinionstage https://web.archive.org/web/20191020011448/https://www.pluginvulnerabilities.com/2019/09/16/hackers-may-already-be-targeting-this-persistent-xss-vulnerability-in-poll-survey-form-quiz-maker-by-opinionstage/ https://www.vulncheck.com/advisories/poll-survey-and-quiz-maker-plugin-by-opinion-stage-stored-xss |
| Automai--Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges | 2026-01-12 | not yet calculated | CVE-2025-46066 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/4e325d09d08e16efb506076da2184f42 |
| Automai--Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges and obtain sensitive information via a crafted js file | 2026-01-12 | not yet calculated | CVE-2025-46067 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/98204cff0065e611cf9e9acc3be59e03 |
| Automai--Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism | 2026-01-12 | not yet calculated | CVE-2025-46068 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/00ea6cce1299e1d999b5d1faac4248f1 |
| Automai--Automai | An issue in Automai BotManager v.25.2.0 allows a remote attacker to execute arbitrary code via the BotManager.exe component | 2026-01-12 | not yet calculated | CVE-2025-46070 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/776dd7e927d9b2f8ef10807abe124f8e |
| bee interactive--Livewire Filemanager | Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed. | 2026-01-16 | not yet calculated | CVE-2025-14894 | https://github.com/livewire-filemanager/filemanager https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform. | 2026-01-14 | not yet calculated | CVE-2026-22236 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality. | 2026-01-14 | not yet calculated | CVE-2026-22237 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in to the newly-created admin user. | 2026-01-14 | not yet calculated | CVE-2026-22238 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to design flaws in the email sending API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable email sending API. Successful exploitation of this vulnerability could allow the attacker to send unsolicited emails to anyone on behalf of the company. | 2026-01-14 | not yet calculated | CVE-2026-22239 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password. | 2026-01-14 | not yet calculated | CVE-2026-22240 | https://blusparkglobal.com/bluvoyix/ |
| Broadcom--DX NetOps Spectrum | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Path Traversal.This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69267 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Reflected XSS.This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69268 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows OS Command Injection.This issue affects DX NetOps Spectrum: 23.3.6 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69269 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Information Exposure Through Query Strings in GET Request vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Session Hijacking.This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69270 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Insufficiently Protected Credentials vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 24.3.13 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69271 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 21.2.1 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69272 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Improper Authentication vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Authentication Bypass.This issue affects DX NetOps Spectrum: 24.3.10 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69273 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Authorization Bypass Through User-Controlled Key vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Privilege Escalation.This issue affects DX NetOps Spectrum: 24.3.10 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69274 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Dependency on Vulnerable Third-Party Component vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows DOM-Based XSS.This issue affects DX NetOps Spectrum: 24.3.9 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69275 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Object Injection.This issue affects DX NetOps Spectrum: 24.3.13 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69276 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| calcom--cal.com | Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7. | 2026-01-13 | not yet calculated | CVE-2026-23478 | https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg |
| Chainlit--Chainlit | Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product. | 2026-01-14 | not yet calculated | CVE-2025-68492 | https://github.com/Chainlit/chainlit/releases https://jvn.jp/en/jp/JVN34964581/ |
| Chamillo--Chamillo | An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks. | 2026-01-16 | not yet calculated | CVE-2025-69581 | https://github.com/chamilo/chamilo-lms https://github.com/Rivek619/CVE-2025-69581 |
| Changjetong Information Technology Co., Ltd.--T+ | Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation on 2023-08-19 (UTC). | 2026-01-15 | not yet calculated | CVE-2023-7334 | https://www.chanjetvip.com/product/goods/detail?id=6077e91b70fa071069139f62 https://www.freebuf.com/articles/web/381731.html https://blog.csdn.net/qq_53003652/article/details/134031230 https://blog.csdn.net/u010025272/article/details/131553591 https://github.com/MD-SEC/MDPOCS/blob/main/ChangJieTongTPlus_GetStoreWarehouseByStore_Rce_Poc.py https://www.vulncheck.com/advisories/changjetong-tplus-getstorewarehousebystore-deserialization-rce |
| cursor--cursor | Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3. | 2026-01-14 | not yet calculated | CVE-2026-22708 | https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w |
| Cyber Cafe--Cyber Cafe | A stored cross-site scripting (XSS) vulnerability exists in Cyber Cafe Management System v1.0. An authenticated attacker can inject arbitrary JavaScript code into the username parameter via the add-users.php endpoint. The injected payload is stored and executed in the victim s browser when the affected page is accessed. | 2026-01-15 | not yet calculated | CVE-2025-70890 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70890 |
| Cyber Cafe--Cyber Cafe | A stored cross-site scripting (XSS) vulnerability exists in Phpgurukul Cyber Cafe Management System v1.0 within the user management module. The application does not properly sanitize or encode user-supplied input submitted via the uadd parameter in the add-users.php endpoint. An authenticated attacker can inject arbitrary JavaScript code that is persistently stored in the database. The malicious payload is triggered when a privileged user clicks the View button on the view-allusers.php page. | 2026-01-15 | not yet calculated | CVE-2025-70891 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70891 |
| Cyber Cafe--Cyber Cafe | Phpgurukul Cyber Cafe Management System v1.0 contains a SQL Injection vulnerability in the user management module. The application fails to properly validate user-supplied input in the username parameter of the add-users.php endpoint. | 2026-01-15 | not yet calculated | CVE-2025-70892 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70892 |
| Cyber Cafe--Cyber Cafe | A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. The application fails to properly sanitize user-supplied input provided via the adminname parameter, allowing authenticated attackers to inject arbitrary SQL expressions. | 2026-01-15 | not yet calculated | CVE-2025-70893 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70893 |
| dask--distributed | Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0. | 2026-01-16 | not yet calculated | CVE-2026-23528 | https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2 https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa |
| DataDog--guarddog | GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1. | 2026-01-13 | not yet calculated | CVE-2026-22870 | https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b |
| DataDog--guarddog | GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, there is a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to Arbitrary File Overwrite and Remote Code Execution on systems running GuardDog. This vulnerability is fixed in 2.7.1. | 2026-01-13 | not yet calculated | CVE-2026-22871 | https://github.com/DataDog/guarddog/security/advisories/GHSA-xg9w-vg3g-6m68 https://github.com/DataDog/guarddog/commit/9aa6a725b2c71d537d3c18d1c15621395ebb879c |
| defenseunicorns--pepr | Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the "getting started" experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5. | 2026-01-16 | not yet calculated | CVE-2026-23634 | https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5 |
| denoland--deno | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0. | 2026-01-15 | not yet calculated | CVE-2026-22863 | https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v https://github.com/denoland/deno/releases/tag/v2.6.0 |
| Drupal--Facebook Pixel | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. | 2026-01-14 | not yet calculated | CVE-2025-14557 | https://www.herodevs.com/vulnerability-directory/cve-2025-14557 https://d7es.tag1.com/security-advisories/facebook-pixel-less-critical-cross-site-scripting |
| Drupal--Flag | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9. | 2026-01-14 | not yet calculated | CVE-2025-14556 | https://www.herodevs.com/vulnerability-directory/cve-2025-14556 https://d7es.tag1.com/security-advisories/flag-moderately-critical-cross-site-scripting-backdrop-sa-contrib-2025-011 |
| Eclipse Vert.x--Eclipse Vert.x | The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false); | 2026-01-15 | not yet calculated | CVE-2026-1002 | https://github.com/eclipse-vertx/vert.x/pull/5895 |
| eigent-ai--eigent | Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases. | 2026-01-13 | not yet calculated | CVE-2026-22869 | https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp https://github.com/eigent-ai/eigent/pull/836 https://github.com/eigent-ai/eigent/pull/837 https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5 |
| eKoopmans--html2pdf.js | html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0. | 2026-01-14 | not yet calculated | CVE-2026-22787 | https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc https://github.com/eKoopmans/html2pdf.js/issues/865 https://github.com/eKoopmans/html2pdf.js/pull/877 https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0 |
| Emaintenance--Crazy Bubble Tea | In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server does not verify the permissions required to obtain the data. This issue was fixed in version 915 (Android) and 7.4.1 (iOS). | 2026-01-14 | not yet calculated | CVE-2025-14317 | https://crazybubble.pl/aplikacja-crazy-bubble/ https://cert.pl/posts/2026/01/CVE-2025-14317 |
| emlog--emlog | Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise. | 2026-01-12 | not yet calculated | CVE-2026-22799 | https://github.com/emlog/emlog/security/advisories/GHSA-p837-mrw9-5x5j https://github.com/emlog/emlog/commit/429b02fda842254b9b9b39303e9161999c180560 |
| Enhancesoft--osTicket | Enhancesoft osTicket versions 1.18.3 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled. | 2026-01-12 | not yet calculated | CVE-2026-22200 | https://github.com/osTicket/osTicket/releases/tag/v1.18.3 https://github.com/osTicket/osTicket/commit/c59b067 https://www.vulncheck.com/advisories/osticket-pdf-export-arbitrary-file-read |
| Entrust Corporation--Instant Financial Issuance (IF) | Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host. | 2026-01-15 | not yet calculated | CVE-2026-23746 | https://www.entrust.com/products/issuance-systems/instant/financial-card https://trustedcare.entrust.com/s/article/E26-001-NET-Remoting-Vulnerabilities-in-the-Smart-Card-Controller-Service-of-the-Instant-Financial-Issuance-On-Premise-Software https://www.vulncheck.com/advisories/entrust-ifi-smartcardcontroller-service-net-remoting-rce |
| Eptura Archibuss--Eptura Archibus | In Eptura Archibus 2024.03.01.109, the "Run script" and "Server File" components of the "Database Update Wizard" are vulnerable to directory traversal. | 2026-01-13 | not yet calculated | CVE-2025-25652 | https://eptura.com/our-platform/archibus/ https://packetstorm.news/files/id/213675 |
| Eramba-Eramba | A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me. The response includes sensitive user session data (ID, name, email, access groups), which is accessible to the attacker's JavaScript. This flaw enables full session hijack and data exfiltration without user interaction. Eramba versions 3.23.3 and earlier were tested and appear unaffected. The vulnerability is present in default installations, requiring no custom configuration. | 2026-01-13 | not yet calculated | CVE-2025-55462 | http://eramba.com https://discussions.eramba.org/t/release-3-28-0/7860 |
| esm-dev--esm.sh | esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue. | 2026-01-18 | not yet calculated | CVE-2026-23644 | https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16 https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093 https://pkg.go.dev/vuln/GO-2025-4138 |
| ethereum--go-ethereum | go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. | 2026-01-13 | not yet calculated | CVE-2026-22862 | https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mr7q-c9w9-wh4h https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2 |
| ethereum--go-ethereum | go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. | 2026-01-13 | not yet calculated | CVE-2026-22868 | https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mq3p-rrmp-79jg https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2 |
| Flare Camera--Blurams | A vulnerability in the boot process of Blurams Flare Camera version 24.1114.151.929 and earlier allows a physically proximate attacker to hijack the boot mechanism and gain a bootloader shell via the UART interface. This is achieved by inducing a read error from the SPI flash memory during the boot, by shorting a data pin of the IC to ground. An attacker can then dump the entire firmware, leading to the disclosure of sensitive information including cryptographic keys and user configurations. | 2026-01-14 | not yet calculated | CVE-2025-65396 | http://blurams.com http://flare.com https://lessonsec.com/cve/cve-2025-65396/ |
| Flare Camera--Blurams | An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file system. The vulnerability can be triggered by providing a maliciously crafted auth.ini file on the device's SD card. | 2026-01-14 | not yet calculated | CVE-2025-65397 | http://blurams.com http://flare.com https://lessonsec.com/cve/cve-2025-65397/ |
| flipped-aurora--gin-vue-admin | Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../). An attacker with file upload privileges could exploit this vulnerability. | 2026-01-12 | not yet calculated | CVE-2026-22786 | https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-3558-j79f-vvm6 https://github.com/flipped-aurora/gin-vue-admin/commit/2242f5d6e133e96d1b359ac019bf54fa0e975dd5 |
| frappe--lms | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages. | 2026-01-14 | not yet calculated | CVE-2026-23497 | https://github.com/frappe/lms/security/advisories/GHSA-78mq-3whw-69j5 https://github.com/frappe/lms/commit/e7ccf0a711d0e0ab5e6b28b7a1e4e0510b6b9543 |
| FreeImage--FreeImage | FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE(). | 2026-01-14 | not yet calculated | CVE-2025-70968 | https://github.com/MiracleWolf/FreeimageCrash/tree/main |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22851 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8g87-6pvc-wh99 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22852 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR's NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22853 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22854 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22855 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22856 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w842-c386-fxhv https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22857 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22858 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22859 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-56f5-76qv-2r36 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| Google--Android | In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-01-15 | not yet calculated | CVE-2025-36911 | https://source.android.com/security/bulletin/pixel/2026-01-01 |
| Google--Google Devices | In cpm_fwtp_msg_handler of cpm/google/lib/tracepoint/cpm_fwtp_ipc.c, there is a possible memory overwrite due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-01-16 | not yet calculated | CVE-2025-48647 | https://source.android.com/docs/security/bulletin/pixel/2026/2026-01-01 |
| Google--Keras | Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape. | 2026-01-15 | not yet calculated | CVE-2026-0897 | https://github.com/keras-team/keras/pull/21880 |
| GPAC--GPAC | GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function. | 2026-01-15 | not yet calculated | CVE-2025-70298 | https://github.com/zakkanijia/POC/blob/main/dmx_ogg/GPAC_oggdmx_parse_tags_offbyone.md |
| GPAC--GPAC | A heap overflow in the avi_parse_input_file() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted AVI file. | 2026-01-15 | not yet calculated | CVE-2025-70299 | https://github.com/zakkanijia/POC/blob/main/gpac_avi/GPAC_AVI_indx_heap_overflow.md |
| GPAC--GPAC | A heap overflow in the ghi_dmx_declare_opid_bin() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-15 | not yet calculated | CVE-2025-70302 | https://github.com/zakkanijia/POC/blob/main/gpac_ghi/ghi.md |
| GPAC--GPAC | A heap overflow in the uncv_parse_config() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. | 2026-01-15 | not yet calculated | CVE-2025-70303 | https://github.com/zakkanijia/POC/blob/main/gpac_uncv/GPAC_UNCV_CPAT.md |
| GPAC--GPAC | A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. | 2026-01-15 | not yet calculated | CVE-2025-70304 | https://github.com/zakkanijia/POC/blob/main/gpac_vobsub/GPAC_vobsub.md |
| GPAC--GPAC | A stack overflow in the dmx_saf function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .saf file. | 2026-01-15 | not yet calculated | CVE-2025-70305 | https://github.com/zakkanijia/POC/blob/main/gpac_saf/GPAC_SAF.md |
| GPAC--GPAC | A stack overflow in the dump_ttxt_sample function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. | 2026-01-15 | not yet calculated | CVE-2025-70307 | https://github.com/zakkanijia/POC/blob/main/gpac_boxDump/GPAC_tx3g.md |
| GPAC--GPAC | An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file. | 2026-01-15 | not yet calculated | CVE-2025-70308 | https://github.com/zakkanijia/POC/blob/main/gpac_gsf/GPAC_gsf.md |
| GPAC--GPAC | A stack overflow in the pcmreframe_flush_packet function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted WAV file. | 2026-01-15 | not yet calculated | CVE-2025-70309 | https://github.com/zakkanijia/POC/blob/main/gpac_rawpcm/GPAC_RFPCM.md |
| GPAC--GPAC | A heap overflow in the vorbis_to_intern() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .ogg file. | 2026-01-15 | not yet calculated | CVE-2025-70310 | https://github.com/zakkanijia/POC/blob/main/gpac_dec_vorbis/GPAC_VORBIS.md |
| gradle--gradle | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors. | 2026-01-16 | not yet calculated | CVE-2026-22816 | https://github.com/gradle/gradle/security/advisories/GHSA-w78c-w6vf-rw82 https://github.com/gradle/gradle/commit/e5707d0d8fce3d768c9c489004700d78eab1773a |
| gradle--gradle | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors. | 2026-01-16 | not yet calculated | CVE-2026-22865 | https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv |
| graphql-hive--graphql-modules | GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1. | 2026-01-16 | not yet calculated | CVE-2026-23735 | https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7 https://github.com/graphql-hive/graphql-modules/issues/2613 https://github.com/graphql-hive/graphql-modules/pull/2521 https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568 |
| Home Security System--D3D | D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on the 433 MHz sensor communication channel. The system does not implement rolling codes, message authentication, or anti-replay protection, allowing an attacker within RF range to record valid alarm/control frames and replay them to trigger false alarms. | 2026-01-12 | not yet calculated | CVE-2025-65552 | http://d3d.com https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65552 |
| Home Security System--D3D | D3D Wi-Fi Home Security System ZX-G12 v2.1.17 is susceptible to RF jamming on the 433 MHz alarm sensor channel. An attacker within RF range can transmit continuous interference to block sensor transmissions, resulting in missed alarms and loss of security monitoring. The device lacks jamming detection or mitigations, creating a denial-of-service condition that may lead to undetected intrusions or failure to trigger safety alerts. | 2026-01-12 | not yet calculated | CVE-2025-65553 | http://d3d.com https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65553 |
| https://github.com/linrunner--TLP | A Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power profile in use as well as the daemon's log settings.This issue affects TLP: from 1.9 before 1.9.1. | 2026-01-14 | not yet calculated | CVE-2025-67859 | https://security.opensuse.org/2026/01/07/tlp-polkit-authentication-bypass.html https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67859 |
| https://github.com/ShadowBlip--inputplumber | Polkit authentication dis isabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005. | 2026-01-14 | not yet calculated | CVE-2025-14338 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-14338 https://security.opensuse.org/2026/01/09/inputplumber-lack-of-dbus-auth.html |
| https://github.com/ShadowBlip--inputplumber | Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session. | 2026-01-14 | not yet calculated | CVE-2025-66005 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66005 https://security.opensuse.org/2026/01/09/inputplumber-lack-of-dbus-auth.html |
| Hubert Imoveis--Hubert Imoveis | An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. | 2026-01-13 | not yet calculated | CVE-2025-65783 | http://hub.com http://hubert.com https://github.com/carlos-artmann/vulnerability-research/tree/main/CVE-2025-65783 |
| Hubert Imoveis--Hubert Imoveis | Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-level privileges to access other users' information via a crafted API request. | 2026-01-13 | not yet calculated | CVE-2025-65784 | http://hub.com http://hubert.com https://github.com/carlos-artmann/vulnerability-research/tree/main/CVE-2025-65784 |
| HumanSignal--label-studio | Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users' browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim's API token or call token reset endpoints - enabling full account takeover and unauthorized API access. | 2026-01-12 | not yet calculated | CVE-2026-22033 | https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch https://github.com/HumanSignal/label-studio/pull/9084 https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505 |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free. Improper reference counting on an internal resource caused scenario where potential for use after free was present. | 2026-01-13 | not yet calculated | CVE-2025-10865 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | Intermediate register values of secure workloads can be exfiltrated in workloads scheduled from applications running in the non-secure environment of a platform. | 2026-01-13 | not yet calculated | CVE-2025-25176 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second order affect of corrupted arbitrary physical memory. | 2026-01-13 | not yet calculated | CVE-2025-58409 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario. Improper resource management and reference counting on an internal resource caused scenario where potential write use after free was present. | 2026-01-13 | not yet calculated | CVE-2025-58411 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imaster--MEMS Events CRM | Imaster's MEMS Events CRM contains an SQL injection vulnerability in'keyword' parameter in '/memsdemo/exchange_offers.php'. | 2026-01-12 | not yet calculated | CVE-2025-41005 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster--MEMS Events CRM | Imaster's MEMS Events CRM contains an SQL injection vulnerability in 'phone' parameter in '/memsdemo/login.php'. | 2026-01-12 | not yet calculated | CVE-2025-41006 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster--Patient Record Management System | Imaster's Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint '/projects/hospital/admin/edit_patient.php'. By injecting a malicious script into the 'firstname' parameter, the JavaScript code is stored and executed every time a user accesses the patient list, allowing an attacker to execute arbitrary JavaScript in a victim's browser. | 2026-01-12 | not yet calculated | CVE-2025-41003 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster--Patient Record Management System | Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint '/projects/hospital/admin/complaints.php' through the 'id' parameter. | 2026-01-12 | not yet calculated | CVE-2025-41004 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| InvoicePlane--InvoicePlane | An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes. | 2026-01-15 | not yet calculated | CVE-2025-67082 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| InvoicePlane--InvoicePlane | Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration. | 2026-01-15 | not yet calculated | CVE-2025-67083 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| InvoicePlane--InvoicePlane | File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE). | 2026-01-15 | not yet calculated | CVE-2025-67084 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| ippprint--Sagemcom | Buffer Overflow in the ippprint (Internet Printing Protocol) service in Sagemcom F@st 3686 MAGYAR_4.121.0 allows remote attacker to execute arbitrary code by sending a crafted HTTP request. | 2026-01-12 | not yet calculated | CVE-2025-29329 | http://sagemcom.com http://fst.com https://github.com/SilverS3c/Sagemcom-fast-3686-ippprint |
| isaacs--node-tar | node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3. | 2026-01-16 | not yet calculated | CVE-2026-23745 | https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97 https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e |
| Itflow--Itflow | An SQL injection vulnerability in Itflow through 25.06 has been identified in the "role_id" parameter when editing a profile. An attacker with admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing on integer parameter. | 2026-01-15 | not yet calculated | CVE-2025-67081 | https://github.com/itflow-org/itflow https://www.helx.io/blog/advisory-itflow/ |
| KACE--KACE | Quest KACE Desktop Authority through 11.3.1 has Insecure Permissions on the Named Pipes used for inter-process communication | 2026-01-12 | not yet calculated | CVE-2025-67813 | https://quest.com https://support.quest.com/kb/4381743/quest-kace-desktop-authority-insecure-named-pipe-permissions-cve-2025-67813 |
| kashipara--kashipara | A SQL Injection was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0, which allows remote attackers to execute arbitrary SQL command to get unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword parameters in a POST HTTP request. | 2026-01-12 | not yet calculated | CVE-2025-51567 | https://github.com/0xBhushan/Writeups/blob/main/CVE/Kashipara/Online%20Exam%20System/SQL%20Injection-Profile%20Update.pdf |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoint of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23725 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-c85q-4fwg-99gw https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, An Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23726 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-h7qx-j7g3-7fx3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23727 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pmq9-8p4w-m4f3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23728 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jf25-p56f-wpgh https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarDescricao and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23729 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w88p-v7h6-m728 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23730 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6gx4-6gwv-cxc3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LangChain AI--LangChain | LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition. | 2026-01-12 | not yet calculated | CVE-2024-58340 | https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb https://www.langchain.com/ https://github.com/langchain-ai/langchain https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos |
| Lemonsoft--WordPress add-on | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS).This issue affects WordPress add on: 2025.7.1. | 2026-01-13 | not yet calculated | CVE-2025-9427 | https://lemondoc.atlassian.net/wiki/spaces/LEMONSHOP/pages/754909038/Versiohistoria+-+Lemonsoft+integration+lis+osa |
| Libsndfile--Libsndfile | Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file. | 2026-01-14 | not yet calculated | CVE-2025-56226 | https://github.com/libsndfile/libsndfile/issues/1089 https://gist.github.com/Sisyphus-wang/f9e6e017b7d478bebee6e8187672abc8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: Verify inode mode when loading from disk syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted. According to [1], the permissions field was treated as reserved in Mac OS 8 and 9. According to [2], the reserved field was explicitly initialized with 0, and that field must remain 0 as long as reserved. Therefore, when the "mode" field is not 0 (i.e. no longer reserved), the file must be S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/ S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0. | 2026-01-13 | not yet calculated | CVE-2025-68767 | https://git.kernel.org/stable/c/6f768724aabd5b321c5b8f15acdca11e4781cf32 https://git.kernel.org/stable/c/d92333c7a35856e419500e7eed72dac1afa404a5 https://git.kernel.org/stable/c/001f44982587ad462b3002ee40c75e8df67d597d https://git.kernel.org/stable/c/05ec9af3cc430683c97f76027e1c55ac6fd25c59 https://git.kernel.org/stable/c/edfb2e602b5ba5ca6bf31cbac20b366efb72b156 https://git.kernel.org/stable/c/91f114bffa36ce56d0e1f60a0a44fc09baaefc79 https://git.kernel.org/stable/c/005d4b0d33f6b4a23d382b7930f7a96b95b01f39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: inet: frags: flush pending skbs in fqdir_pre_exit() We have been seeing occasional deadlocks on pernet_ops_rwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn't obvious from the reports. On closer inspection the Reader holding the lock was conntrack looping forever in nf_conntrack_cleanup_net_list(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references. The problem is that since conntrack depends on nf_defrag_ipv6, nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its netns exit hooks run _after_ conntrack's netns exit hook. Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we're running the pre_exit flush. The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack. | 2026-01-13 | not yet calculated | CVE-2025-68768 | https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903 https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix return value of f2fs_recover_fsync_data() With below scripts, it will trigger panic in f2fs: mkfs.f2fs -f /dev/vdd mount /dev/vdd /mnt/f2fs touch /mnt/f2fs/foo sync echo 111 >> /mnt/f2fs/foo f2fs_io fsync /mnt/f2fs/foo f2fs_io shutdown 2 /mnt/f2fs umount /mnt/f2fs mount -o ro,norecovery /dev/vdd /mnt/f2fs or mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f F2FS-fs (vdd): Stopped filesystem due to reason: 0 F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1 Filesystem f2fs get_tree() didn't set fc->root, returned 1 ------------[ cut here ]------------ kernel BUG at fs/super.c:1761! Oops: invalid opcode: 0000 [#1] SMP PTI CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:vfs_get_tree.cold+0x18/0x1a Call Trace: <TASK> fc_mount+0x13/0xa0 path_mount+0x34e/0xc50 __x64_sys_mount+0x121/0x150 do_syscall_64+0x84/0x800 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fa6cc126cfe The root cause is we missed to handle error number returned from f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or ro,disable_roll_forward mount option, result in returning a positive error number to vfs_get_tree(), fix it. | 2026-01-13 | not yet calculated | CVE-2025-68769 | https://git.kernel.org/stable/c/e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725 https://git.kernel.org/stable/c/0de4977a1eeafe9d77701e3c031a1bcdba389243 https://git.kernel.org/stable/c/9bc246018aaa3b46a7710428d0a2196c229f9d49 https://git.kernel.org/stable/c/a4c67d96f92eefcfa5596a08f069e77b743c5865 https://git.kernel.org/stable/c/473550e715654ad7612aa490d583cb7c25fe2ff3 https://git.kernel.org/stable/c/4560db9678a2c5952b6205fbca468c6805c2ba2a https://git.kernel.org/stable/c/01fba45deaddcce0d0b01c411435d1acf6feab7b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix XDP_TX path For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be looping within NAPI and some event flags may be set in earlier iterations. In particular, if BNXT_TX_EVENT is set earlier indicating some XDP_TX packets are ready and pending, it will be cleared if it is XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we successfully call __bnxt_xmit_xdp(). But if the TX ring has no more room, the flag will not be set. This will cause the TX producer to be ahead but the driver will not hit the TX doorbell. For multi-buf XDP_TX, there is no need to clear the event flags and set BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in bnxt_rx_pkt(). The visible symptom of this is that the RX ring associated with the TX XDP ring will eventually become empty and all packets will be dropped. Because this condition will cause the driver to not refill the RX ring seeing that the TX ring has forever pending XDP_TX packets. The fix is to only clear BNXT_RX_EVENT when we have successfully called __bnxt_xmit_xdp(). | 2026-01-13 | not yet calculated | CVE-2025-68770 | https://git.kernel.org/stable/c/4b83902a1e67ff327ab5c6c65021a03e72c081d6 https://git.kernel.org/stable/c/f17e0c1208485b24d61271bc1ddc8f2087e71561 https://git.kernel.org/stable/c/0373d5c387f24de749cc22e694a14b3a7c7eb515 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix kernel BUG in ocfs2_find_victim_chain syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the `cl_next_free_rec` field of the allocation chain list (next free slot in the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec) condition in ocfs2_find_victim_chain() and panicking the kernel. To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(), just before calling ocfs2_find_victim_chain(), the code block in it being executed when either of the following conditions is true: 1. `cl_next_free_rec` is equal to 0, indicating that there are no free chains in the allocation chain list 2. `cl_next_free_rec` is greater than `cl_count` (the total number of chains in the allocation chain list) Either of them being true is indicative of the fact that there are no chains left for usage. This is addressed using ocfs2_error(), which prints the error log for debugging purposes, rather than panicking the kernel. | 2026-01-13 | not yet calculated | CVE-2025-68771 | https://git.kernel.org/stable/c/1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7 https://git.kernel.org/stable/c/d0fd1f732ea8063cecd07a3879b7d815c7ee71ed https://git.kernel.org/stable/c/b08a33d5f80efe6979a6e8f905c1a898910c21dd https://git.kernel.org/stable/c/96f1b074c98c20f55a3b23d2ab44d9fb0f619869 https://git.kernel.org/stable/c/e24aedae71652d4119049f1fbef6532ccbe3966d https://git.kernel.org/stable/c/7acc0390e0dd7474c4451d05465a677d55ad4268 https://git.kernel.org/stable/c/039bef30e320827bac8990c9f29d2a68cd8adb5f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating compression context during writeback Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857 Call Trace: <TASK> f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline] f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317 do_writepages+0x38e/0x640 mm/page-writeback.c:2634 filemap_fdatawrite_wbc mm/filemap.c:386 [inline] __filemap_fdatawrite_range mm/filemap.c:419 [inline] file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794 f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294 generic_write_sync include/linux/fs.h:3043 [inline] f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x7e9/0xe00 fs/read_write.c:686 ksys_write+0x19d/0x2d0 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The bug was triggered w/ below race condition: fsync setattr ioctl - f2fs_do_sync_file - file_write_and_wait_range - f2fs_write_cache_pages : inode is non-compressed : cc.cluster_size = F2FS_I(inode)->i_cluster_size = 0 - tag_pages_for_writeback - f2fs_setattr - truncate_setsize - f2fs_truncate - f2fs_fileattr_set - f2fs_setflags_common - set_compress_context : F2FS_I(inode)->i_cluster_size = 4 : set_inode_flag(inode, FI_COMPRESSED_FILE) - f2fs_compressed_file : return true - f2fs_all_cluster_page_ready : "pgidx % cc->cluster_size" trigger dividing 0 issue Let's change as below to fix this issue: - introduce a new atomic type variable .writeback in structure f2fs_inode_info to track the number of threads which calling f2fs_write_cache_pages(). - use .i_sem lock to protect .writeback update. - check .writeback before update compression context in f2fs_setflags_common() to avoid race w/ ->writepages. | 2026-01-13 | not yet calculated | CVE-2025-68772 | https://git.kernel.org/stable/c/ad26bfbc085c939b5dca77ff8c14798c06d151c4 https://git.kernel.org/stable/c/bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0 https://git.kernel.org/stable/c/0bf1a02494c7eb5bd43445de4c83c8592e02c4bf https://git.kernel.org/stable/c/0df713a9c082a474c8b0bcf670edc8e98461d5a0 https://git.kernel.org/stable/c/10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: fsl-cpm: Check length parity before switching to 16 bit mode Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM. But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd. Add the missing length parity verification and remain in 8 bit mode when the length is not even. | 2026-01-13 | not yet calculated | CVE-2025-68773 | https://git.kernel.org/stable/c/c8f1d35076b78df61ace737e41cc1f4b7b63236c https://git.kernel.org/stable/c/9c34a4a2ead00979d203a8c16bea87f0ef5291d8 https://git.kernel.org/stable/c/837a23a11e0f734f096c7c7b0778d0e625e3dc87 https://git.kernel.org/stable/c/3dd6d01384823e1bd8602873153d6fc4337ac4fe https://git.kernel.org/stable/c/743cebcbd1b2609ec5057ab474979cef73d1b681 https://git.kernel.org/stable/c/be0b613198e6bfa104ad520397cab82ad3ec1771 https://git.kernel.org/stable/c/1417927df8049a0194933861e9b098669a95c762 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create When sync() and link() are called concurrently, both threads may enter hfs_bnode_find() without finding the node in the hash table and proceed to create it. Thread A: hfsplus_write_inode() -> hfsplus_write_system_inode() -> hfs_btree_write() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) Thread B: hfsplus_create_cat() -> hfs_brec_insert() -> hfs_bnode_split() -> hfs_bmap_alloc() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) In this case, thread A creates the bnode, sets refcnt=1, and hashes it. Thread B also tries to create the same bnode, notices it has already been inserted, drops its own instance, and uses the hashed one without getting the node. ``` node2 = hfs_bnode_findhash(tree, cnid); if (!node2) { <- Thread A hash = hfs_bnode_hash(cnid); node->next_hash = tree->node_hash[hash]; tree->node_hash[hash] = node; tree->node_hash_cnt++; } else { <- Thread B spin_unlock(&tree->hash_lock); kfree(node); wait_event(node2->lock_wq, !test_bit(HFS_BNODE_NEW, &node2->flags)); return node2; } ``` However, hfs_bnode_find() requires each call to take a reference. Here both threads end up setting refcnt=1. When they later put the node, this triggers: BUG_ON(!atomic_read(&node->refcnt)) In this scenario, Thread B in fact finds the node in the hash table rather than creating a new one, and thus must take a reference. Fix this by calling hfs_bnode_get() when reusing a bnode newly created by another thread to ensure the refcount is updated correctly. A similar bug was fixed in HFS long ago in commit a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create") but the same issue remained in HFS+ until now. | 2026-01-13 | not yet calculated | CVE-2025-68774 | https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56 https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86 https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50 https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6 https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/handshake: duplicate handshake cancellations leak socket When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed. If a second cancellation request arrives for the same handshake request, then remove_pending() will return false... and assuming HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs. This can happen for example if a handshake times out - particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn't follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync(). Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected. | 2026-01-13 | not yet calculated | CVE-2025-68775 | https://git.kernel.org/stable/c/011ae80c49d9bfa5b4336f8bd387cd25c7593663 https://git.kernel.org/stable/c/e1641177e7fb48a0a5a06658d4aab51da6656659 https://git.kernel.org/stable/c/3c330f1dee3cd92b57e19b9d21dc8ce5970b09be https://git.kernel.org/stable/c/15564bd67e2975002f2a8e9defee33e321d3183f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std but doesn't check if the allocation failed. If __pskb_copy() returns NULL, skb_clone() is called with a NULL pointer, causing a crash: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041 Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207 RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480 RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000 RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000 R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00 FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0 Call Trace: <TASK> hsr_forward_do net/hsr/hsr_forward.c:-1 [inline] hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741 hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84 __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966 __netif_receive_skb_one_core net/core/dev.c:6077 [inline] __netif_receive_skb+0x72/0x380 net/core/dev.c:6192 netif_receive_skb_internal net/core/dev.c:6278 [inline] netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337 tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485 tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0449f8e1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8 RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001 R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003 </TASK> Add a NULL check immediately after __pskb_copy() to handle allocation failures gracefully. | 2026-01-13 | not yet calculated | CVE-2025-68776 | https://git.kernel.org/stable/c/3ce95a57d8a1f0e20b637cdeddaaed81831ca819 https://git.kernel.org/stable/c/c851e43b88b40bb7c20176c51cbf4f8c8d960dd9 https://git.kernel.org/stable/c/7be6d25f4d974e44918ba3a5d58ebb9d36879087 https://git.kernel.org/stable/c/8f289fa12926aae44347ca7d490e216555d8f255 https://git.kernel.org/stable/c/1742974c24a9c1f1fd2e5edca0cbaccb720b397a https://git.kernel.org/stable/c/6220d38a08f8837575cd8f830928b49a3a5a5095 https://git.kernel.org/stable/c/188e0fa5a679570ea35474575e724d8211423d17 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds access when used as index in 'config_pins[wire_order[i]]'. Since config_pins has 4 elements (indices 0-3), the valid range for wire_order should be 0-3. Fix the off-by-one error by using >= instead of > in the validation check. | 2026-01-13 | not yet calculated | CVE-2025-68777 | https://git.kernel.org/stable/c/a7ff2360431561b56f559d3a628d1f096048d178 https://git.kernel.org/stable/c/136abe173a3cc2951d70c6e51fe7abdbadbb204b https://git.kernel.org/stable/c/08c0b561823a7026364efb38ed7f4a3af48ccfcd https://git.kernel.org/stable/c/bf95ec55805828c4f2b5241fb6b0c12388548570 https://git.kernel.org/stable/c/84e4d3543168912549271b34261f5e0f94952d6e https://git.kernel.org/stable/c/40e3042de43ffa0017a8460ff9b4cad7b8c7cb96 https://git.kernel.org/stable/c/248d3a73a0167dce15ba100477c3e778c4787178 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: don't log conflicting inode if it's a dir moved in the current transaction We can't log a conflicting inode if it's a directory and it was moved from one parent directory to another parent directory in the current transaction, as this can result an attempt to have a directory with two hard links during log replay, one for the old parent directory and another for the new parent directory. The following scenario triggers that issue: 1) We have directories "dir1" and "dir2" created in a past transaction. Directory "dir1" has inode A as its parent directory; 2) We move "dir1" to some other directory; 3) We create a file with the name "dir1" in directory inode A; 4) We fsync the new file. This results in logging the inode of the new file and the inode for the directory "dir1" that was previously moved in the current transaction. So the log tree has the INODE_REF item for the new location of "dir1"; 5) We move the new file to some other directory. This results in updating the log tree to included the new INODE_REF for the new location of the file and removes the INODE_REF for the old location. This happens during the rename when we call btrfs_log_new_name(); 6) We fsync the file, and that persists the log tree changes done in the previous step (btrfs_log_new_name() only updates the log tree in memory); 7) We have a power failure; 8) Next time the fs is mounted, log replay happens and when processing the inode for directory "dir1" we find a new INODE_REF and add that link, but we don't remove the old link of the inode since we have not logged the old parent directory of the directory inode "dir1". As a result after log replay finishes when we trigger writeback of the subvolume tree's extent buffers, the tree check will detect that we have a directory a hard link count of 2 and we get a mount failure. The errors and stack traces reported in dmesg/syslog are like this: [ 3845.729764] BTRFS info (device dm-0): start tree-log replay [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c [ 3845.731236] memcg:ffff9264c02f4e00 [ 3845.731751] aops:btree_aops [btrfs] ino:1 [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8 [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00 [ 3845.735305] page dumped because: eb page dump [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5 [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701 [ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384 [ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0 [ 3845.737797] rdev 0 sequence 2 flags 0x0 [ 3845.737798] atime 1764259517.0 [ 3845.737800] ctime 1764259517.572889464 [ 3845.737801] mtime 1764259517.572889464 [ 3845.737802] otime 1764259517.0 [ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [ 3845.737805] index 0 name_len 2 [ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34 [ 3845.737808] location key (257 1 0) type 2 [ 3845.737810] transid 9 data_len 0 name_len 4 [ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34 [ 3845.737813] location key (258 1 0) type 2 [ 3845.737814] transid 9 data_len 0 name_len 4 [ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [ 3845.737816] location key (257 1 0) type 2 [ ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-68778 | https://git.kernel.org/stable/c/d64f3834dffef80f0a9185a037617a54ed7f4bd2 https://git.kernel.org/stable/c/7359e1d39c78816ecbdb0cb4e93975794ce53973 https://git.kernel.org/stable/c/d478f50727c3ee46d0359f0d2ae114f70191816e https://git.kernel.org/stable/c/a35788ddf8df65837897ecbb0ddb2896b863159e https://git.kernel.org/stable/c/266273eaf4d99475f1ae57f687b3e42bc71ec6f0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid unregistering PSP twice PSP is unregistered twice in: _mlx5e_remove -> mlx5e_psp_unregister mlx5e_nic_cleanup -> mlx5e_psp_unregister This leads to a refcount underflow in some conditions: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 2 PID: 1694 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 [...] mlx5e_psp_unregister+0x26/0x50 [mlx5_core] mlx5e_nic_cleanup+0x26/0x90 [mlx5_core] mlx5e_remove+0xe6/0x1f0 [mlx5_core] auxiliary_bus_remove+0x18/0x30 device_release_driver_internal+0x194/0x1f0 bus_remove_device+0xc6/0x130 device_del+0x159/0x3c0 mlx5_rescan_drivers_locked+0xbc/0x2a0 [mlx5_core] [...] Do not directly remove psp from the _mlx5e_remove path, the PSP cleanup happens as part of profile cleanup. | 2026-01-13 | not yet calculated | CVE-2025-68779 | https://git.kernel.org/stable/c/e12c912f92ccea671b514caf371f28485714bb4b https://git.kernel.org/stable/c/35e93736f69963337912594eb3951ab320b77521 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/deadline: only set free_cpus for online runqueues Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus to reflect rd->online") introduced the cpudl_set/clear_freecpu functions to allow the cpu_dl::free_cpus mask to be manipulated by the deadline scheduler class rq_on/offline callbacks so the mask would also reflect this state. Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask from cpudl_find()") removed the check of the cpu_active_mask to save some processing on the premise that the cpudl::free_cpus mask already reflected the runqueue online state. Unfortunately, there are cases where it is possible for the cpudl_clear function to set the free_cpus bit for a CPU when the deadline runqueue is offline. When this occurs while a CPU is connected to the default root domain the flag may retain the bad state after the CPU has been unplugged. Later, a different CPU that is transitioning through the default root domain may push a deadline task to the powered down CPU when cpudl_find sees its free_cpus bit is set. If this happens the task will not have the opportunity to run. One example is outlined here: https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com Another occurs when the last deadline task is migrated from a CPU that has an offlined runqueue. The dequeue_task member of the deadline scheduler class will eventually call cpudl_clear and set the free_cpus bit for the CPU. This commit modifies the cpudl_clear function to be aware of the online state of the deadline runqueue so that the free_cpus mask can be updated appropriately. It is no longer necessary to manage the mask outside of the cpudl_set/clear functions so the cpudl_set/clear_freecpu functions are removed. In addition, since the free_cpus mask is now only updated under the cpudl lock the code was changed to use the non-atomic __cpumask functions. | 2026-01-13 | not yet calculated | CVE-2025-68780 | https://git.kernel.org/stable/c/9019e399684e3cc68c4a3f050e268f74d69c1317 https://git.kernel.org/stable/c/fb36846cbcc936954f2ad2bffdff13d16c0be08a https://git.kernel.org/stable/c/91e448e69aca4bb0ba2e998eb3e555644db7322b https://git.kernel.org/stable/c/dbc61834b0412435df21c71410562d933e4eba49 https://git.kernel.org/stable/c/3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8 https://git.kernel.org/stable/c/382748c05e58a9f1935f5a653c352422375566ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions: 1. When a host controller binds to the OTG controller. 2. When the USB ID pin state changes (cable insertion/removal). A race condition occurs when the device is removed via fsl_otg_remove(): the fsl_otg instance may be freed while the delayed work is still pending or executing. This leads to use-after-free when the work function fsl_otg_event() accesses the already freed memory. The problematic scenario: (detach thread) | (delayed work) fsl_otg_remove() | kfree(fsl_otg_dev) //FREE| fsl_otg_event() | og = container_of(...) //USE | og-> //USE Fix this by calling disable_delayed_work_sync() in fsl_otg_remove() before deallocating the fsl_otg structure. This ensures the delayed work is properly canceled and completes execution prior to memory deallocation. This bug was identified through static analysis. | 2026-01-13 | not yet calculated | CVE-2025-68781 | https://git.kernel.org/stable/c/4476c73bbbb09b13a962176fca934b32d3954a2e https://git.kernel.org/stable/c/319f7a85b3c4e34ac2fe083eb146fe129a556317 https://git.kernel.org/stable/c/69f9a0701abc3d1f8225074c56c27e6c16a37222 https://git.kernel.org/stable/c/2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23 https://git.kernel.org/stable/c/41ca62e3e21e48c2903b3b45e232cf4f2ff7434f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: Reset t_task_cdb pointer in error case If allocation of cmd->t_task_cdb fails, it remains NULL but is later dereferenced in the 'err' path. In case of error, reset NULL t_task_cdb value to point at the default fixed-size buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-13 | not yet calculated | CVE-2025-68782 | https://git.kernel.org/stable/c/6cac97b12bdab04832e0416d049efcd0d48d303b https://git.kernel.org/stable/c/45fd86b444105c8bd07a763f58635c87e5dc7aea https://git.kernel.org/stable/c/8727663ded659aad55eef21e3864ebf5a4796a96 https://git.kernel.org/stable/c/0260ad551b0815eb788d47f32899fbcd65d6f128 https://git.kernel.org/stable/c/0d36db68fdb8a3325386fd9523b67735f944e1f3 https://git.kernel.org/stable/c/8edbb9e371af186b4cf40819dab65fafe109df4d https://git.kernel.org/stable/c/5053eab38a4c4543522d0c320c639c56a8b59908 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-mixer: us16x08: validate meter packet indices get_meter_levels_from_urb() parses the 64-byte meter packets sent by the device and fills the per-channel arrays meter_level[], comp_level[] and master_level[] in struct snd_us16x08_meter_store. Currently the function derives the channel index directly from the meter packet (MUB2(meter_urb, s) - 1) and uses it to index those arrays without validating the range. If the packet contains a negative or out-of-range channel number, the driver may write past the end of these arrays. Introduce a local channel variable and validate it before updating the arrays. We reject negative indices, limit meter_level[] and comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[] updates with ARRAY_SIZE(master_level). | 2026-01-13 | not yet calculated | CVE-2025-68783 | https://git.kernel.org/stable/c/53461710a95e15ac1f6542450943a492ecf8e550 https://git.kernel.org/stable/c/2168866396bd28ec4f3c8da0fbc7d08b5bd4f053 https://git.kernel.org/stable/c/cde47f4ccad6751ac36b7471572ddf38ee91870c https://git.kernel.org/stable/c/2f21a7cbaaa93926f5be15bc095b9c57c35748d9 https://git.kernel.org/stable/c/a8ad320efb663be30b794e3dd3e829301c0d0ed3 https://git.kernel.org/stable/c/eaa95228b8a56c4880a182c0350d67922b22408f https://git.kernel.org/stable/c/5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix a UAF problem in xattr repair The xchk_setup_xattr_buf function can allocate a new value buffer, which means that any reference to ab->value before the call could become a dangling pointer. Fix this by moving an assignment to after the buffer setup. | 2026-01-13 | not yet calculated | CVE-2025-68784 | https://git.kernel.org/stable/c/1e2d3aa19c7962b9474b22893160cb460494c45f https://git.kernel.org/stable/c/d29ed9ff972afe17c215cab171761d7a15d7063f https://git.kernel.org/stable/c/5990fd756943836978ad184aac980e2b36ab7e01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix middle attribute validation in push_nsh() action The push_nsh() action structure looks like this: OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...)) The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested() inside nsh_key_put_from_nlattr(). But nothing checks if the attribute in the middle is OK. We don't even check that this attribute is the OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data() calls - first time directly while calling validate_push_nsh() and the second time as part of the nla_for_each_nested() macro, which isn't safe, potentially causing invalid memory access if the size of this attribute is incorrect. The failure may not be noticed during validation due to larger netlink buffer, but cause trouble later during action execution where the buffer is allocated exactly to the size: BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] Read of size 184 at addr ffff88816459a634 by task a.out/22624 CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary) Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x2c/0x390 kasan_report+0xdd/0x110 kasan_check_range+0x35/0x1b0 __asan_memcpy+0x20/0x60 nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] push_nsh+0x82/0x120 [openvswitch] do_execute_actions+0x1405/0x2840 [openvswitch] ovs_execute_actions+0xd5/0x3b0 [openvswitch] ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch] genl_family_rcv_msg_doit+0x1d6/0x2b0 genl_family_rcv_msg+0x336/0x580 genl_rcv_msg+0x9f/0x130 netlink_rcv_skb+0x11f/0x370 genl_rcv+0x24/0x40 netlink_unicast+0x73e/0xaa0 netlink_sendmsg+0x744/0xbf0 __sys_sendto+0x3d6/0x450 do_syscall_64+0x79/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Let's add some checks that the attribute is properly sized and it's the only one attribute inside the action. Technically, there is no real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're pushing an NSH header already, it just creates extra nesting, but that's how uAPI works today. So, keeping as it is. | 2026-01-13 | not yet calculated | CVE-2025-68785 | https://git.kernel.org/stable/c/d0c135b8bbbcf92836068fd395bebeb7ae6c7bef https://git.kernel.org/stable/c/3bc2efff20a38b2c7ca18317649715df0dd62ced https://git.kernel.org/stable/c/1b569db9c2f28b599e40050524aae5f7332bc294 https://git.kernel.org/stable/c/10ffc558246f2c75619aedda0921906095e46702 https://git.kernel.org/stable/c/2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9 https://git.kernel.org/stable/c/c999153bfb2d1d9b295b7010d920f2a7c6d7595f https://git.kernel.org/stable/c/5ace7ef87f059d68b5f50837ef3e8a1a4870c36e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: skip lock-range check on equal size to avoid size==0 underflow When size equals the current i_size (including 0), the code used to call check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1` and can underflow for size==0. Skip the equal case. | 2026-01-13 | not yet calculated | CVE-2025-68786 | https://git.kernel.org/stable/c/52fcbb92e0d3acfd1448b2a43b6595d540da5295 https://git.kernel.org/stable/c/da29cd197246c85c0473259f1cad897d9d28faea https://git.kernel.org/stable/c/a6f4cfa3783804336491e0edcb250c25f9b59d33 https://git.kernel.org/stable/c/571204e4758a528fbd67330bd4b0dfbdafb33dd8 https://git.kernel.org/stable/c/5d510ac31626ed157d2182149559430350cf2104 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netrom: Fix memory leak in nr_sendmsg() syzbot reported a memory leak [1]. When function sock_alloc_send_skb() return NULL in nr_output(), the original skb is not freed, which was allocated in nr_sendmsg(). Fix this by freeing it before return. [1] BUG: memory leak unreferenced object 0xffff888129f35500 (size 240): comm "syz.0.17", pid 6119, jiffies 4294944652 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(.... backtrace (crc 1456a3e4): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4983 [inline] slab_alloc_node mm/slub.c:5288 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 sock_alloc_send_skb include/net/sock.h:1859 [inline] nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x293/0x2a0 net/socket.c:1195 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0x143/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2026-01-13 | not yet calculated | CVE-2025-68787 | https://git.kernel.org/stable/c/f77e538ac4e3adb1882d5bccb7bfdc111b5963d3 https://git.kernel.org/stable/c/09efbf54eeaecebe882af603c9939a4b1bb9567e https://git.kernel.org/stable/c/73839497bbde5cd4fd02bbd9c8bc2640780ae65d https://git.kernel.org/stable/c/156a0f6341dce634a825db49ca20b48b1ae9bcc1 https://git.kernel.org/stable/c/8d1ccba4b171cd504ecfa47349cb9864fc9d687c https://git.kernel.org/stable/c/51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977 https://git.kernel.org/stable/c/613d12dd794e078be8ff3cf6b62a6b9acf7f4619 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent directory (e.g. /dev). Users with no read access to a file but with read access to its parent directory can still stat the file and see if it was accessed/modified via atime/mtime change. The same is not true for special files (e.g. /dev/null). Users will not generally observe atime/mtime changes when other users read/write to special files, only when someone sets atime/mtime via utimensat(). Align fsnotify events with this stat behavior and do not generate ACCESS/MODIFY events to parent watchers on read/write of special files. The events are still generated to parent watchers on utimensat(). This closes some side-channels that could be possibly used for information exfiltration [1]. [1] https://snee.la/pdf/pubs/file-notification-attacks.pdf | 2026-01-13 | not yet calculated | CVE-2025-68788 | https://git.kernel.org/stable/c/df2711544b050aba703e6da418c53c7dc5d443ca https://git.kernel.org/stable/c/859bdf438f01d9aa7f84b09c1202d548c7cad9e8 https://git.kernel.org/stable/c/6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91 https://git.kernel.org/stable/c/e0643d46759db8b84c0504a676043e5e341b6c81 https://git.kernel.org/stable/c/82f7416bcbd951549e758d15fc1a96a5afc2e900 https://git.kernel.org/stable/c/7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6 https://git.kernel.org/stable/c/635bc4def026a24e071436f4f356ea08c0eed6ff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) fix use-after-free in high/low store The ibmpex_high_low_store() function retrieves driver data using dev_get_drvdata() and uses it without validation. This creates a race condition where the sysfs callback can be invoked after the data structure is freed, leading to use-after-free. Fix by adding a NULL check after dev_get_drvdata(), and reordering operations in the deletion path to prevent TOCTOU. | 2026-01-13 | not yet calculated | CVE-2025-68789 | https://git.kernel.org/stable/c/3ce9b7ae9d4d148672b35147aaf7987a4f82bb94 https://git.kernel.org/stable/c/533ead425f8109b02fecc7e72d612b8898ec347a https://git.kernel.org/stable/c/fa37adcf1d564ef58b9dfb01b6c36d35c5294bad https://git.kernel.org/stable/c/68d62e5bebbd118b763e8bb210d5cf2198ef450c https://git.kernel.org/stable/c/5aa2139201667c1f644601e4529c4acd6bf8db5a https://git.kernel.org/stable/c/6946c726c3f4c36f0f049e6f97e88c510b15f65d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix double unregister of HCA_PORTS component Clear hca_devcom_comp in device's private data after unregistering it in LAG teardown. Otherwise a slightly lagging second pass through mlx5_unload_one() might try to unregister it again and trip over use-after-free. On s390 almost all PCI level recovery events trigger two passes through mxl5_unload_one() - one through the poll_health() method and one through mlx5_pci_err_detected() as callback from generic PCI error recovery. While testing PCI error recovery paths with more kernel debug features enabled, this issue reproducibly led to kernel panics with the following call chain: Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 ESOP-2 FSI Fault in home space mode while using kernel ASCE. AS:00000000705c4007 R3:0000000000000024 Oops: 0038 ilc:3 [#1]SMP CPU: 14 UID: 0 PID: 156 Comm: kmcheck Kdump: loaded Not tainted 6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x+debug #1 PREEMPT Krnl PSW : 0404e00180000000 0000020fc86aa1dc (__lock_acquire+0x5c/0x15f0) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000000 0000020f00000001 6b6b6b6b6b6b6c33 0000000000000000 0000000000000000 0000000000000000 0000000000000001 0000000000000000 0000000000000000 0000020fca28b820 0000000000000000 0000010a1ced8100 0000010a1ced8100 0000020fc9775068 0000018fce14f8b8 0000018fce14f7f8 Krnl Code: 0000020fc86aa1cc: e3b003400004 lg %r11,832 0000020fc86aa1d2: a7840211 brc 8,0000020fc86aa5f4 *0000020fc86aa1d6: c09000df0b25 larl %r9,0000020fca28b820 >0000020fc86aa1dc: d50790002000 clc 0(8,%r9),0(%r2) 0000020fc86aa1e2: a7840209 brc 8,0000020fc86aa5f4 0000020fc86aa1e6: c0e001100401 larl %r14,0000020fca8aa9e8 0000020fc86aa1ec: c01000e25a00 larl %r1,0000020fca2f55ec 0000020fc86aa1f2: a7eb00e8 aghi %r14,232 Call Trace: __lock_acquire+0x5c/0x15f0 lock_acquire.part.0+0xf8/0x270 lock_acquire+0xb0/0x1b0 down_write+0x5a/0x250 mlx5_detach_device+0x42/0x110 [mlx5_core] mlx5_unload_one_devl_locked+0x50/0xc0 [mlx5_core] mlx5_unload_one+0x42/0x60 [mlx5_core] mlx5_pci_err_detected+0x94/0x150 [mlx5_core] zpci_event_attempt_error_recovery+0xcc/0x388 | 2026-01-13 | not yet calculated | CVE-2025-68790 | https://git.kernel.org/stable/c/d2495f529d60e8e8c43e6ad524089c38b8be7bc4 https://git.kernel.org/stable/c/6a107cfe9c99a079e578a4c5eb70038101a3599f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: missing copy_finish in fuse-over-io-uring argument copies Fix a possible reference count leak of payload pages during fuse argument copies. [Joanne: simplified error cleanup] | 2026-01-13 | not yet calculated | CVE-2025-68791 | https://git.kernel.org/stable/c/b79938863f436960eff209130f025c4bd3026bf8 https://git.kernel.org/stable/c/6e0d7f7f4a43ac8868e98c87ecf48805aa8c24dd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix out of range indexing in name_size 'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID, which could lead into memory corruption at worst. Address the issue by only processing known values and returning -EINVAL for unrecognized values. Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so that errors are detected before causing any spurious TPM traffic. End also the authorization session on failure in both of the functions, as the session state would be then by definition corrupted. | 2026-01-13 | not yet calculated | CVE-2025-68792 | https://git.kernel.org/stable/c/47e676ce4d68f461dfcab906f6aeb254f7276deb https://git.kernel.org/stable/c/04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43 https://git.kernel.org/stable/c/6e9722e9a7bfe1bbad649937c811076acf86e1fd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix a job->pasid access race in gpu recovery Avoid a possible UAF in GPU recovery due to a race between the sched timeout callback and the tdr work queue. The gpu recovery function calls drm_sched_stop() and later drm_sched_start(). drm_sched_start() restarts the tdr queue which will eventually free the job. If the tdr queue frees the job before time out callback completes, the job will be freed and we'll get a UAF when accessing the pasid. Cache it early to avoid the UAF. Example KASAN trace: [ 493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323 [ 493.074892] [ 493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G E 6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary) [ 493.076493] Tainted: [E]=UNSIGNED_MODULE [ 493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019 [ 493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched] [ 493.076512] Call Trace: [ 493.076515] <TASK> [ 493.076518] dump_stack_lvl+0x64/0x80 [ 493.076529] print_report+0xce/0x630 [ 493.076536] ? _raw_spin_lock_irqsave+0x86/0xd0 [ 493.076541] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 493.076545] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.077253] kasan_report+0xb8/0xf0 [ 493.077258] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.077965] amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.078672] ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu] [ 493.079378] ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu] [ 493.080111] amdgpu_job_timedout+0x642/0x1400 [amdgpu] [ 493.080903] ? pick_task_fair+0x24e/0x330 [ 493.080910] ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu] [ 493.081702] ? _raw_spin_lock+0x75/0xc0 [ 493.081708] ? __pfx__raw_spin_lock+0x10/0x10 [ 493.081712] drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched] [ 493.081721] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 493.081725] process_one_work+0x679/0xff0 [ 493.081732] worker_thread+0x6ce/0xfd0 [ 493.081736] ? __pfx_worker_thread+0x10/0x10 [ 493.081739] kthread+0x376/0x730 [ 493.081744] ? __pfx_kthread+0x10/0x10 [ 493.081748] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 493.081751] ? __pfx_kthread+0x10/0x10 [ 493.081755] ret_from_fork+0x247/0x330 [ 493.081761] ? __pfx_kthread+0x10/0x10 [ 493.081764] ret_from_fork_asm+0x1a/0x30 [ 493.081771] </TASK> (cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d) | 2026-01-13 | not yet calculated | CVE-2025-68793 | https://git.kernel.org/stable/c/dac58c012c47cadf337a35eb05d44498c43e5cd0 https://git.kernel.org/stable/c/77f73253015cbc7893fca1821ac3eae9eb4bc943 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iomap: adjust read range correctly for non-block-aligned positions iomap_adjust_read_range() assumes that the position and length passed in are block-aligned. This is not always the case however, as shown in the syzbot generated case for erofs. This causes too many bytes to be skipped for uptodate blocks, which results in returning the incorrect position and length to read in. If all the blocks are uptodate, this underflows length and returns a position beyond the folio. Fix the calculation to also take into account the block offset when calculating how many bytes can be skipped for uptodate blocks. | 2026-01-13 | not yet calculated | CVE-2025-68794 | https://git.kernel.org/stable/c/82b60ffbb532d919959702768dca04c3c0500ae5 https://git.kernel.org/stable/c/12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e https://git.kernel.org/stable/c/142194fb21afe964d2d194cab1fc357cbf87e899 https://git.kernel.org/stable/c/7aa6bc3e8766990824f66ca76c19596ce10daf3e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and ETHTOOL_GSTATS for the values. If the number of stats changes between these calls (e.g., due to device reconfiguration), userspace's buffer allocation will be incorrect, potentially leading to buffer overflow. Drivers are generally expected to maintain stable stat counts, but some drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making this scenario possible. Some drivers try to handle this internally: - bnad_get_ethtool_stats() returns early in case stats.n_stats is not equal to the driver's stats count. - micrel/ksz884x also makes sure not to write anything beyond stats.n_stats and overflow the buffer. However, both use stats.n_stats which is already assigned with the value returned from get_sset_count(), hence won't solve the issue described here. Change ethtool_get_strings(), ethtool_get_stats(), ethtool_get_phy_stats() to not return anything in case of a mismatch between userspace's size and get_sset_size(), to prevent buffer overflow. The returned n_stats value will be equal to zero, to reflect that nothing has been returned. This could result in one of two cases when using upstream ethtool, depending on when the size change is detected: 1. When detected in ethtool_get_strings(): # ethtool -S eth2 no stats available 2. When detected in get stats, all stats will be reported as zero. Both cases are presumably transient, and a subsequent ethtool call should succeed. Other than the overflow avoidance, these two cases are very evident (no output/cleared stats), which is arguably better than presenting incorrect/shifted stats. I also considered returning an error instead of a "silent" response, but that seems more destructive towards userspace apps. Notes: - This patch does not claim to fix the inherent race, it only makes sure that we do not overflow the userspace buffer, and makes for a more predictable behavior. - RTNL lock is held during each ioctl, the race window exists between the separate ioctl calls when the lock is released. - Userspace ethtool always fills stats.n_stats, but it is likely that these stats ioctls are implemented in other userspace applications which might not fill it. The added code checks that it's not zero, to prevent any regressions. | 2026-01-13 | not yet calculated | CVE-2025-68795 | https://git.kernel.org/stable/c/3df375a1e75483b7d973c3cc2e46aa374db8428b https://git.kernel.org/stable/c/f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5 https://git.kernel.org/stable/c/4afcb985355210e1688560dc47e64b94dad35d71 https://git.kernel.org/stable/c/ca9983bc3a1189bd72f9ae449d925a66b2616326 https://git.kernel.org/stable/c/7bea09f60f2ad5d232e2db8f1c14e850fd3fd416 https://git.kernel.org/stable/c/4066b5b546293f44cd6d0e84ece6e3ee7ff27093 https://git.kernel.org/stable/c/7b07be1ff1cb6c49869910518650e8d0abc7d25f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating zero-sized extent in extent cache As syzbot reported: F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0] ------------[ cut here ]------------ kernel BUG at fs/f2fs/extent_cache.c:678! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678 Call Trace: <TASK> f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085 f2fs_do_zero_range fs/f2fs/file.c:1657 [inline] f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737 f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030 vfs_fallocate+0x669/0x7e0 fs/open.c:342 ioctl_preallocate fs/ioctl.c:289 [inline] file_ioctl+0x611/0x780 fs/ioctl.c:-1 do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576 __do_sys_ioctl fs/ioctl.c:595 [inline] __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f07bc58eec9 In error path of f2fs_zero_range(), it may add a zero-sized extent into extent cache, it should be avoided. | 2026-01-13 | not yet calculated | CVE-2025-68796 | https://git.kernel.org/stable/c/9c07bd262c13ca922adad6e7613d48505f97f548 https://git.kernel.org/stable/c/72c58a82e6fb7b327e8701f5786c70c3edc56188 https://git.kernel.org/stable/c/e50b81c50fcbe63f50405bb40f262162ff32af88 https://git.kernel.org/stable/c/efe3371001f50a2d6f746b50bdc6f9f26b2089ec https://git.kernel.org/stable/c/4f244c64efe628d277b916f47071adf480eb8646 https://git.kernel.org/stable/c/bac23833220a1f8fe8dfab7e16efa20ff64d7589 https://git.kernel.org/stable/c/7c37c79510329cd951a4dedf3f7bf7e2b18dccec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: char: applicom: fix NULL pointer dereference in ac_ioctl Discovered by Atuin - Automated Vulnerability Discovery Engine. In ac_ioctl, the validation of IndexCard and the check for a valid RamIO pointer are skipped when cmd is 6. However, the function unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the end. If cmd is 6, IndexCard may reference a board that does not exist (where RamIO is NULL), leading to a NULL pointer dereference. Fix this by skipping the readb access when cmd is 6, as this command is a global information query and does not target a specific board context. | 2026-01-13 | not yet calculated | CVE-2025-68797 | https://git.kernel.org/stable/c/5a6240804fb7bbd4f5f6e706955248a6f4c1abbc https://git.kernel.org/stable/c/d1b0452280029d05a98c75631131ee61c0b0d084 https://git.kernel.org/stable/c/0b8b353e09888bccee405e0dd6feafb60360f478 https://git.kernel.org/stable/c/d285517429a75423789e6408653e57b6fdfc8e54 https://git.kernel.org/stable/c/74883565c621eec6cd2e35fe6d27454cf2810c23 https://git.kernel.org/stable/c/f83e3e9f89181b42f6076a115d767a7552c4a39e https://git.kernel.org/stable/c/82d12088c297fa1cef670e1718b3d24f414c23f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/amd: Check event before enable to avoid GPF On AMD machines cpuc->events[idx] can become NULL in a subtle race condition with NMI->throttle->x86_pmu_stop(). Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF. This appears to be an AMD only issue. Syzkaller reported a GPF in amd_pmu_enable_all. INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143 msecs Oops: general protection fault, probably for non-canonical address 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7] CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195 arch/x86/events/core.c:1430) RSP: 0018:ffff888118009d60 EFLAGS: 00010012 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601 FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0 Call Trace: <IRQ> amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2)) x86_pmu_enable (arch/x86/events/core.c:1360) event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186 kernel/events/core.c:2346) __perf_remove_from_context (kernel/events/core.c:2435) event_function (kernel/events/core.c:259) remote_function (kernel/events/core.c:92 (discriminator 1) kernel/events/core.c:72 (discriminator 1)) __flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64 kernel/smp.c:135 kernel/smp.c:540) __sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272) sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47) arch/x86/kernel/smp.c:266 (discriminator 47)) </IRQ> | 2026-01-13 | not yet calculated | CVE-2025-68798 | https://git.kernel.org/stable/c/49324a0c40f7e9bae1bd0362d23fc42232e14621 https://git.kernel.org/stable/c/6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f https://git.kernel.org/stable/c/e1028fb38b328084bc683a4efb001c95d3108573 https://git.kernel.org/stable/c/43c2e5c2acaae50e99d1c20a5a46e367c442fb3b https://git.kernel.org/stable/c/866cf36bfee4fba6a492d2dcc5133f857e3446b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow. This can lead to memory exhaustion and kernel instability, potential information disclosure if padding contains uninitialized kernel memory. Fix this by validating that len >= 2 before performing the subtraction. | 2026-01-13 | not yet calculated | CVE-2025-68799 | https://git.kernel.org/stable/c/f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691 https://git.kernel.org/stable/c/c54091eec6fed19e94182aa05dd6846600a642f7 https://git.kernel.org/stable/c/785c7be6361630070790f6235b696da156ac71b3 https://git.kernel.org/stable/c/f818cd472565f8b0c2c409b040e0121c5cf8592c https://git.kernel.org/stable/c/4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3 https://git.kernel.org/stable/c/21fdcc00656a60af3c7aae2dea8dd96abd35519c https://git.kernel.org/stable/c/8a11ff0948b5ad09b71896b7ccc850625f9878d1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device. One instance of list entry deletion (during route replace) was missed and it can result in a use-after-free [1]. Fix by acquiring the mutex before deleting the entry from the list and releasing it afterwards. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043 CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full) Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017 Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum] Call Trace: <TASK> dump_stack_lvl+0xba/0x110 print_report+0x174/0x4f5 kasan_report+0xdf/0x110 mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 Freed by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x43/0x70 kfree+0x14e/0x700 mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 | 2026-01-13 | not yet calculated | CVE-2025-68800 | https://git.kernel.org/stable/c/b957366f5611bbaba03dd10ef861283347ddcc88 https://git.kernel.org/stable/c/6e367c361a523a4b54fe618215c64a0ee189caf0 https://git.kernel.org/stable/c/37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73 https://git.kernel.org/stable/c/5f2831fc593c2b2efbff7dd0dd7441cec76adcd5 https://git.kernel.org/stable/c/216afc198484fde110ebeafc017992266f4596ce https://git.kernel.org/stable/c/4049a6ace209f4ed150429f86ae796d7d6a4c22b https://git.kernel.org/stable/c/8ac1dacec458f55f871f7153242ed6ab60373b90 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop. Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid taking a referencing when the neighbour is used by a nexthop as the neighbour entry associated with the nexthop already holds a reference. Tested by running the test that uncovered the problem over 300 times. Without this patch the problem was reproduced after a handful of iterations. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310 Read of size 8 at addr ffff88817f8e3420 by task ip/3929 CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full) Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_address_description.constprop.0+0x6e/0x300 print_report+0xfc/0x1fb kasan_report+0xe4/0x110 mlxsw_sp_neigh_entry_update+0x2d4/0x310 mlxsw_sp_router_rif_gone_sync+0x35f/0x510 mlxsw_sp_rif_destroy+0x1ea/0x730 mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0 __mlxsw_sp_inetaddr_lag_event+0xcc/0x130 __mlxsw_sp_inetaddr_event+0xf5/0x3c0 mlxsw_sp_router_netdevice_event+0x1015/0x1580 notifier_call_chain+0xcc/0x150 call_netdevice_notifiers_info+0x7e/0x100 __netdev_upper_dev_unlink+0x10b/0x210 netdev_upper_dev_unlink+0x79/0xa0 vrf_del_slave+0x18/0x50 do_set_master+0x146/0x7d0 do_setlink.isra.0+0x9a0/0x2880 rtnl_newlink+0x637/0xb20 rtnetlink_rcv_msg+0x6fe/0xb90 netlink_rcv_skb+0x123/0x380 netlink_unicast+0x4a3/0x770 netlink_sendmsg+0x75b/0xc90 __sock_sendmsg+0xbe/0x160 ____sys_sendmsg+0x5b2/0x7d0 ___sys_sendmsg+0xfd/0x180 __sys_sendmsg+0x124/0x1c0 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [...] Allocated by task 109: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x2c1/0x790 neigh_alloc+0x6af/0x8f0 ___neigh_create+0x63/0xe90 mlxsw_sp_nexthop_neigh_init+0x430/0x7e0 mlxsw_sp_nexthop_type_init+0x212/0x960 mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280 mlxsw_sp_nexthop6_group_get+0x392/0x6a0 mlxsw_sp_fib6_entry_create+0x46a/0xfd0 mlxsw_sp_router_fib6_replace+0x1ed/0x5f0 mlxsw_sp_router_fib6_event_work+0x10a/0x2a0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 Freed by task 154: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free_bulk.part.0+0x1eb/0x5e0 kvfree_rcu_bulk+0x1f2/0x260 kfree_rcu_work+0x130/0x1b0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 Last potentially related work creation: kasan_save_stack+0x30/0x50 kasan_record_aux_stack+0x8c/0xa0 kvfree_call_rcu+0x93/0x5b0 mlxsw_sp_router_neigh_event_work+0x67d/0x860 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 | 2026-01-13 | not yet calculated | CVE-2025-68801 | https://git.kernel.org/stable/c/a2dfe6758fc63e542105bee8b17a3a7485684db0 https://git.kernel.org/stable/c/9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc https://git.kernel.org/stable/c/c437fbfd4382412598cdda1f8e2881b523668cc2 https://git.kernel.org/stable/c/4a3c569005f42ab5e5b2ad637132a33bf102cc08 https://git.kernel.org/stable/c/ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a https://git.kernel.org/stable/c/675c5aeadf6472672c472dc0f26401e4fcfbf254 https://git.kernel.org/stable/c/8b0e69763ef948fb872a7767df4be665d18f5fd4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Limit num_syncs to prevent oversized allocations The exec and vm_bind ioctl allow userspace to specify an arbitrary num_syncs value. Without bounds checking, a very large num_syncs can force an excessively large allocation, leading to kernel warnings from the page allocator as below. Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request exceeding this limit. " ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124 ... Call Trace: <TASK> alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416 ___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317 __kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348 __do_kmalloc_node mm/slub.c:4364 [inline] __kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] kmalloc_array_noprof include/linux/slab.h:948 [inline] xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158 drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797 drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894 xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... " v2: Add "Reported-by" and Cc stable kernels. v3: Change XE_MAX_SYNCS from 64 to 1024. (Matt & Ashutosh) v4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt) v5: Do the check at the top of the exec func. (Matt) (cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c) | 2026-01-13 | not yet calculated | CVE-2025-68802 | https://git.kernel.org/stable/c/e281d1fd6903a081ef023c341145ae92258e38d2 https://git.kernel.org/stable/c/1d200017f55f829b9e376093bd31dfbec92081de https://git.kernel.org/stable/c/8e461304009135270e9ccf2d7e2dfe29daec9b60 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL. | 2026-01-13 | not yet calculated | CVE-2025-68803 | https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725 https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1 https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862 https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3 https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192 https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver After unbinding the driver, another kthread `cros_ec_console_log_work` is still accessing the device, resulting an UAF and crash. The driver doesn't unregister the EC device in .remove() which should shutdown sub-devices synchronously. Fix it. | 2026-01-13 | not yet calculated | CVE-2025-68804 | https://git.kernel.org/stable/c/27037916db38e6b78a0242031d3b93d997b84020 https://git.kernel.org/stable/c/e1da6e399df976dd04c7c73ec008bc81da368a95 https://git.kernel.org/stable/c/8dc1f5a85286290dbf04dd5951d020570f49779b https://git.kernel.org/stable/c/393b8f9bedc7806acb9c47cefdbdb223b4b6164b https://git.kernel.org/stable/c/4701493ba37654b3c38b526f6591cf0b02aa172f https://git.kernel.org/stable/c/24a2062257bbdfc831de5ed21c27b04b5bdf2437 https://git.kernel.org/stable/c/944edca81e7aea15f83cf9a13a6ab67f711e8abd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix io-uring list corruption for terminated non-committed requests When a request is terminated before it has been committed, the request is not removed from the queue's list. This leaves a dangling list entry that leads to list corruption and use-after-free issues. Remove the request from the queue's list for terminated non-committed requests. | 2026-01-13 | not yet calculated | CVE-2025-68805 | https://git.kernel.org/stable/c/a6d1f1ace16d0e777a85f84267160052d3499b6e https://git.kernel.org/stable/c/95c39eef7c2b666026c69ab5b30471da94ea2874 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix buffer validation by including null terminator size in EA length The smb2_set_ea function, which handles Extended Attributes (EA), was performing buffer validation checks that incorrectly omitted the size of the null terminating character (+1 byte) for EA Name. This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where the null terminator is expected to be present in the buffer, ensuring the validation accurately reflects the total required buffer size. | 2026-01-13 | not yet calculated | CVE-2025-68806 | https://git.kernel.org/stable/c/cae52c592a07e1d3fa3338a5f064a374a5f26750 https://git.kernel.org/stable/c/a28a375a5439eb474e9f284509a407efb479c925 https://git.kernel.org/stable/c/d26af6d14da43ab92d07bc60437c62901dc522e6 https://git.kernel.org/stable/c/6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4 https://git.kernel.org/stable/c/95d7a890e4b03e198836d49d699408fd1867cb55 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: fix race between wbt_enable_default and IO submission When wbt_enable_default() is moved out of queue freezing in elevator_change(), it can cause the wbt inflight counter to become negative (-1), leading to hung tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter is in an inconsistent state. The issue occurs because wbt_enable_default() could race with IO submission, allowing the counter to be decremented before proper initialization. This manifests as: rq_wait[0]: inflight: -1 has_waiters: True rwb_enabled() checks the state, which can be updated exactly between wbt_wait() (rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter will become negative. And results in hung task warnings like: task:kworker/u24:39 state:D stack:0 pid:14767 Call Trace: rq_qos_wait+0xb4/0x150 wbt_wait+0xa9/0x100 __rq_qos_throttle+0x24/0x40 blk_mq_submit_bio+0x672/0x7b0 ... Fix this by: 1. Splitting wbt_enable_default() into: - __wbt_enable_default(): Returns true if wbt_init() should be called - wbt_enable_default(): Wrapper for existing callers (no init) - wbt_init_enable_default(): New function that checks and inits WBT 2. Using wbt_init_enable_default() in blk_register_queue() to ensure proper initialization during queue registration 3. Move wbt_init() out of wbt_enable_default() which is only for enabling disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the original lock warning can be avoided. 4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling code since it's no longer needed This ensures WBT is properly initialized before any IO can be submitted, preventing the counter from going negative. | 2026-01-13 | not yet calculated | CVE-2025-68807 | https://git.kernel.org/stable/c/f55201fb3becff6a903fd29f4d1147cc7e91eb0c https://git.kernel.org/stable/c/9869d3a6fed381f3b98404e26e1afc75d680cbf9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NULL. This causes the vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and in the flow that jumps to free_eit, the memory that was freed by vidtv_psi_*_table_destroy() can be accessed again by vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it is freed once again. Therefore, to prevent use-after-free and double-free vulnerability, local pointers must be initialized to NULL when transferring memory ownership. | 2026-01-13 | not yet calculated | CVE-2025-68808 | https://git.kernel.org/stable/c/c342e294dac4988c8ada759b2f057246e48c5108 https://git.kernel.org/stable/c/12ab6ebb37789b84073e83e4d9b14a5e0d133323 https://git.kernel.org/stable/c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e https://git.kernel.org/stable/c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8 https://git.kernel.org/stable/c/a69c7fd603bf5ad93177394fbd9711922ee81032 https://git.kernel.org/stable/c/30f4d4e5224a9e44e9ceb3956489462319d804ce https://git.kernel.org/stable/c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on m_flags in vfs_cache ksmbd maintains delete-on-close and pending-delete state in ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under inconsistent locking: some paths read and modify m_flags under ci->m_lock while others do so without taking the lock at all. Examples: - ksmbd_query_inode_status() and __ksmbd_inode_close() use ci->m_lock when checking or updating m_flags. - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close() used to read and modify m_flags without ci->m_lock. This creates a potential data race on m_flags when multiple threads open, close and delete the same file concurrently. In the worst case delete-on-close and pending-delete bits can be lost or observed in an inconsistent state, leading to confusing delete semantics (files that stay on disk after delete-on-close, or files that disappear while still in use). Fix it by: - Making ksmbd_query_inode_status() look at m_flags under ci->m_lock after dropping inode_hash_lock. - Adding ci->m_lock protection to all helpers that read or modify m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()). - Keeping the existing ci->m_lock protection in __ksmbd_inode_close(), and moving the actual unlink/xattr removal outside the lock. This unifies the locking around m_flags and removes the data race while preserving the existing delete-on-close behaviour. | 2026-01-13 | not yet calculated | CVE-2025-68809 | https://git.kernel.org/stable/c/5adad9727a815c26013b0d41cfee92ffa7d4037c https://git.kernel.org/stable/c/ccc78781041589ea383e61d5d7a1e9a31b210b93 https://git.kernel.org/stable/c/ee63729760f5b61a66f345c54dc4c7514e62383d https://git.kernel.org/stable/c/991f8a79db99b14c48d20d2052c82d65b9186cad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was initially created with a guest_memfd binding, as KVM doesn't support toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag. Failure to reject the new memslot results in a use-after-free due to KVM not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY change is easy enough, and can/will be done as a hardening measure (in anticipation of KVM supporting dirty logging on guest_memfd at some point), but fixing the use-after-free would only address the immediate symptom. ================================================================== BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm] Write of size 8 at addr ffff8881111ae908 by task repro/745 CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x51/0x60 print_report+0xcb/0x5c0 kasan_report+0xb4/0xe0 kvm_gmem_release+0x362/0x400 [kvm] __fput+0x2fa/0x9d0 task_work_run+0x12c/0x200 do_exit+0x6ae/0x2100 do_group_exit+0xa8/0x230 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0x737/0x740 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f581f2eac31 </TASK> Allocated by task 745 on cpu 6 at 9.746971s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_kmalloc+0x77/0x90 kvm_set_memory_region.part.0+0x652/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 745 on cpu 6 at 9.747467s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_save_free_info+0x37/0x50 __kasan_slab_free+0x3b/0x60 kfree+0xf5/0x440 kvm_set_memslot+0x3c2/0x1160 [kvm] kvm_set_memory_region.part.0+0x86a/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 | 2026-01-13 | not yet calculated | CVE-2025-68810 | https://git.kernel.org/stable/c/89dbbe6ff323fc34659621a577fe0af913f47386 https://git.kernel.org/stable/c/cb51bef465d8ec60a968507330e01020e35dc127 https://git.kernel.org/stable/c/9935df5333aa503a18de5071f53762b65c783c4c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rc_pageoff for memcpy byte offset svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page. Found by ZeroPath (https://zeropath.com) | 2026-01-13 | not yet calculated | CVE-2025-68811 | https://git.kernel.org/stable/c/e8623e9c451e23d84b870811f42fd872b4089ef6 https://git.kernel.org/stable/c/2a77c8dd49bccf0ca232be7c836cec1209abb8da https://git.kernel.org/stable/c/a8ee9099f30654917aa68f55d707b5627e1dbf77 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: Add sanity check for stop streaming Add sanity check in iris_vb2_stop_streaming. If inst->state is already IRIS_INST_ERROR, we should skip the stream_off operation because it would still send packets to the firmware. In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. [bod: remove qcom from patch title] | 2026-01-13 | not yet calculated | CVE-2025-68812 | https://git.kernel.org/stable/c/f8b136296722e258ec43237a35f72c92a6d4501a https://git.kernel.org/stable/c/ad699fa78b59241c9d71a8cafb51525f3dab04d4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure(). The crash occurs when: 1. IPVS processes a packet in NAT mode with a misconfigured destination 2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route 3. The error path calls dst_link_failure(skb) with skb->dev == NULL 4. ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst() 5. fib_compute_spec_dst() dereferences NULL skb->dev Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f] CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2 RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233 RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285 Call Trace: <TASK> spec_dst_fill net/ipv4/ip_options.c:232 spec_dst_fill net/ipv4/ip_options.c:229 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330 ipv4_send_dest_unreach net/ipv4/route.c:1252 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265 dst_link_failure include/net/dst.h:437 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764 | 2026-01-13 | not yet calculated | CVE-2025-68813 | https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903 https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447 https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8 https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90 https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix filename leak in __io_openat_prep() __io_openat_prep() allocates a struct filename using getname(). However, for the condition of the file being installed in the fixed file table as well as having O_CLOEXEC flag set, the function returns early. At that point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this, the memory for the newly allocated struct filename is not cleaned up, causing a memory leak. Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the successful getname() call, so that when the request is torn down, the filename will be cleaned up, along with other resources needing cleanup. | 2026-01-13 | not yet calculated | CVE-2025-68814 | https://git.kernel.org/stable/c/2420ef01b2e836fbc05a0a8c73a1016504eb0458 https://git.kernel.org/stable/c/8f44c4a550570cd5903625133f938c6b51310c9b https://git.kernel.org/stable/c/18b99fa603d0df5e1c898699c17d3b92ddc80746 https://git.kernel.org/stable/c/e232269d511566b1f80872256a48593acc1becf4 https://git.kernel.org/stable/c/7fbfb85b05bc960cc50e09d03e5e562131e48d45 https://git.kernel.org/stable/c/b14fad555302a2104948feaff70503b64c80ac01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1]. Doing so with the following commands: tc qdisc add dev lo root handle 1: ets bands 2 strict 1 tc qdisc add dev lo parent 1:2 handle 20: \ tbf rate 8bit burst 100b latency 1s tc filter add dev lo parent 1: basic classid 1:2 ping -c1 -W0.01 -s 56 127.0.0.1 tc qdisc change dev lo root handle 1: ets bands 2 strict 2 tc qdisc change dev lo root handle 1: ets bands 2 strict 1 ping -c1 -W0.01 -s 56 127.0.0.1 Will trigger the following splat with list debug turned on: [ 59.279014][ T365] ------------[ cut here ]------------ [ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0. [ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220 [ 59.280860][ T365] Modules linked in: [ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary) [ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220 [ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44 ... [ 59.288812][ T365] Call Trace: [ 59.289056][ T365] <TASK> [ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80 [ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0 [ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10 [ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240 [ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10 [ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.292313][ T365] ? trace_contention_end+0xc8/0x110 [ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0 Fix this by always checking and removing an ets class from the active list when changing it to strict. [1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663 | 2026-01-13 | not yet calculated | CVE-2025-68815 | https://git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2 https://git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87 https://git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fa https://git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34 https://git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630f https://git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6c https://git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fw_tracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (e.g., %s, %p, %n) that could lead to crashes, or other undefined behavior. Add mlx5_tracer_validate_params() to validate that all format specifiers in trace strings are limited to safe integer/hex formats (%x, %d, %i, %u, %llx, %lx, etc.). Reject strings containing other format types that could be used to access arbitrary memory or cause crashes. Invalid format strings are added to the trace output for visibility with "BAD_FORMAT: " prefix. | 2026-01-13 | not yet calculated | CVE-2025-68816 | https://git.kernel.org/stable/c/95624b731c490a4b849844269193a233d6d556a0 https://git.kernel.org/stable/c/768d559f466cdd72849110a7ecd76a21d52dcfe3 https://git.kernel.org/stable/c/38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d https://git.kernel.org/stable/c/8ac688c0e430dab19f6a9b70df94b1f635612c1a https://git.kernel.org/stable/c/45bd283b1d69e2c97cddcb9956f0e0261fc4efd7 https://git.kernel.org/stable/c/8c35c2448086870509ede43947845be0833251f0 https://git.kernel.org/stable/c/b35966042d20b14e2d83330049f77deec5229749 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. | 2026-01-13 | not yet calculated | CVE-2025-68817 | https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a https://git.kernel.org/stable/c/d64977495e44855f2b28d8ce56107c963a7a50e4 https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21 https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD: qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79b qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurred qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor instruction fetch in kernel mode PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0 </TASK> Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within lock") added the spinlock back, because not having the lock caused a race and a crash. But qla2x00_abort_srb() in the switch below already checks for qla2x00_chip_is_down() and handles it the same way, so the code above the switch is now redundant and still buggy in target-mode. Remove it. | 2026-01-13 | not yet calculated | CVE-2025-68818 | https://git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d https://git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003 https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1 https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0 https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln. | 2026-01-13 | not yet calculated | CVE-2025-68819 | https://git.kernel.org/stable/c/c2c293ea7b61f12cdaad1e99a5b4efc58c88960a https://git.kernel.org/stable/c/c2305b4c5fc15e20ac06c35738e0578eb4323750 https://git.kernel.org/stable/c/61f214a878e96e2a8750bf96a98f78c658dba60c https://git.kernel.org/stable/c/4a54d8fcb093761e4c56eb211cf4e39bf8401fa1 https://git.kernel.org/stable/c/fe3e129ab49806aaaa3f22067ebc75c2dfbe4658 https://git.kernel.org/stable/c/ac92151ff2494130d9fc686055d6bbb9743a673e https://git.kernel.org/stable/c/b91e6aafe8d356086cc621bc03e35ba2299e4788 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4_raw_inode() If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() lacks error checking, this will lead to a null pointer dereference in ext4_raw_inode(), called right after ext4_get_inode_loc(). Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-13 | not yet calculated | CVE-2025-68820 | https://git.kernel.org/stable/c/b72a3476f0c97d02f63a6e9fff127348d55436f6 https://git.kernel.org/stable/c/3d8d22e75f7edfa0b30ff27330fd6a1285d594c3 https://git.kernel.org/stable/c/190ad0f22ba49f1101182b80e3af50ca2ddfe72f https://git.kernel.org/stable/c/b5d942922182e82724b7152cb998f540132885ec https://git.kernel.org/stable/c/5b154e901fda2e98570b8f426a481f5740097dc2 https://git.kernel.org/stable/c/ce5f54c065a4a7cbb92787f4f140917112350142 https://git.kernel.org/stable/c/b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix readahead reclaim deadlock Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed") skips allocating ff->release_args if the server does not implement open. However in doing so, fuse_prepare_release() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers reclaim while servicing the readahead request and reclaim attempts to evict the inode of the file being read ahead. Since the folio is locked during readahead, when reclaim evicts the fuse inode and fuse_evict_inode() attempts to remove all folios associated with the inode from the page cache (truncate_inode_pages_range()), reclaim will block forever waiting for the lock since readahead cannot relinquish the lock because it is itself blocked in reclaim: >>> stack_trace(1504735) folio_wait_bit_common (mm/filemap.c:1308:4) folio_lock (./include/linux/pagemap.h:1052:3) truncate_inode_pages_range (mm/truncate.c:336:10) fuse_evict_inode (fs/fuse/inode.c:161:2) evict (fs/inode.c:704:3) dentry_unlink_inode (fs/dcache.c:412:3) __dentry_kill (fs/dcache.c:615:3) shrink_kill (fs/dcache.c:1060:12) shrink_dentry_list (fs/dcache.c:1087:3) prune_dcache_sb (fs/dcache.c:1168:2) super_cache_scan (fs/super.c:221:10) do_shrink_slab (mm/shrinker.c:435:9) shrink_slab (mm/shrinker.c:626:10) shrink_node (mm/vmscan.c:5951:2) shrink_zones (mm/vmscan.c:6195:3) do_try_to_free_pages (mm/vmscan.c:6257:3) do_swap_page (mm/memory.c:4136:11) handle_pte_fault (mm/memory.c:5562:10) handle_mm_fault (mm/memory.c:5870:9) do_user_addr_fault (arch/x86/mm/fault.c:1338:10) handle_page_fault (arch/x86/mm/fault.c:1481:3) exc_page_fault (arch/x86/mm/fault.c:1539:2) asm_exc_page_fault+0x22/0x27 Fix this deadlock by allocating ff->release_args and grabbing the reference on the inode when preparing the file for release even if the server does not implement open. The inode reference will be dropped when the last reference on the fuse file is dropped (see fuse_file_put() -> fuse_release_end()). | 2026-01-13 | not yet calculated | CVE-2025-68821 | https://git.kernel.org/stable/c/cbbf3f1bb9f834bb2acbb61ddca74363456e19cd https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6 https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411 https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in psmouse_disconnect() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flush_workqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after flush_workqueue() has finished executing, the dev3_register_work could still be scheduled. Although the psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(), the scheduling of dev3_register_work remains unaffected. The race condition can occur as follows: CPU 0 (cleanup path) | CPU 1 (delayed work) psmouse_disconnect() | psmouse_set_state() | flush_workqueue() | alps_report_bare_ps2_packet() alps_disconnect() | psmouse_queue_work() kfree(priv); // FREE | alps_register_bare_ps2_mouse() | priv = container_of(work...); // USE | priv->dev3 // USE Add disable_delayed_work_sync() in alps_disconnect() to ensure that dev3_register_work is properly canceled and prevented from executing after the alps_data structure has been deallocated. This bug is identified by static analysis. | 2026-01-13 | not yet calculated | CVE-2025-68822 | https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7 https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2 https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: fix deadlock when reading partition table When one process(such as udev) opens ublk block device (e.g., to read the partition table via bdev_open()), a deadlock[1] can occur: 1. bdev_open() grabs disk->open_mutex 2. The process issues read I/O to ublk backend to read partition table 3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request() runs bio->bi_end_io() callbacks 4. If this triggers fput() on file descriptor of ublk block device, the work may be deferred to current task's task work (see fput() implementation) 5. This eventually calls blkdev_release() from the same context 6. blkdev_release() tries to grab disk->open_mutex again 7. Deadlock: same task waiting for a mutex it already holds The fix is to run blk_update_request() and blk_mq_end_request() with bottom halves disabled. This forces blkdev_release() to run in kernel work-queue context instead of current task work context, and allows ublk server to make forward progress, and avoids the deadlock. [axboe: rewrite comment in ublk] | 2026-01-13 | not yet calculated | CVE-2025-68823 | https://git.kernel.org/stable/c/0460e09a614291f06c008443f47393c37b7358e7 https://git.kernel.org/stable/c/c258f5c4502c9667bccf5d76fa731ab9c96687c1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the num_tqps in the vf driver to apply for resources Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller than hdev->num_tqps, which causes some hdev->htqp[i] to remain uninitialized in hclgevf_knic_setup(). Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps, ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent and that all elements are properly initialized. | 2026-01-13 | not yet calculated | CVE-2025-71064 | https://git.kernel.org/stable/c/c149decd8c18ae6acdd7a6041d74507835cf26e6 https://git.kernel.org/stable/c/bcefdb288eedac96fd2f583298927e9c6c481489 https://git.kernel.org/stable/c/6cd8a2930df850f4600fe8c57d0662b376520281 https://git.kernel.org/stable/c/1956d47a03eb625951e9e070db39fe2590e27510 https://git.kernel.org/stable/c/429f946a7af3fbf08761d218746cd4afa80a7954 https://git.kernel.org/stable/c/62f28d79a6186a602a9d926a2dbb5b12b6867df7 https://git.kernel.org/stable/c/c2a16269742e176fccdd0ef9c016a233491a49ad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid potential deadlock As Jiaming Zhang and syzbot reported, there is potential deadlock in f2fs as below: Chain exists of: &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(sb_internal#2); lock(fs_reclaim); lock(sb_internal#2); rlock(&sbi->cp_rwsem); *** DEADLOCK *** 3 locks held by kswapd0/73: #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline] #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389 #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline] #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197 #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890 stack backtrace: CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043 check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175 check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908 __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537 f2fs_down_read fs/f2fs/f2fs.h:2278 [inline] f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline] f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791 f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867 f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925 f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897 evict+0x504/0x9c0 fs/inode.c:810 f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853 evict+0x504/0x9c0 fs/inode.c:810 dispose_list fs/inode.c:852 [inline] prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000 super_cache_scan+0x39b/0x4b0 fs/super.c:224 do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437 shrink_slab_memcg mm/shrinker.c:550 [inline] shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628 shrink_one+0x28a/0x7c0 mm/vmscan.c:4955 shrink_many mm/vmscan.c:5016 [inline] lru_gen_shrink_node mm/vmscan.c:5094 [inline] shrink_node+0x315d/0x3780 mm/vmscan.c:6081 kswapd_shrink_node mm/vmscan.c:6941 [inline] balance_pgdat mm/vmscan.c:7124 [inline] kswapd+0x147c/0x2800 mm/vmscan.c:7389 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The root cause is deadlock among four locks as below: kswapd - fs_reclaim --- Lock A - shrink_one - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - iput - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - f2fs_truncate - f2fs_truncate_blocks - f2fs_do_truncate_blocks - f2fs_lock_op --- Lock C ioctl - f2fs_ioc_commit_atomic_write - f2fs_lock_op --- Lock C - __f2fs_commit_atomic_write - __replace_atomic_write_block - f2fs_get_dnode_of_data - __get_node_folio - f2fs_check_nid_range - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D open - do_open - do_truncate - security_inode_need_killpriv - f2fs_getxattr - lookup_all_xattrs - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D - f2fs_commit_super - read_mapping_folio - filemap_alloc_folio_noprof - prepare_alloc_pages - fs_reclaim_acquire --- Lock A In order to a ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-71065 | https://git.kernel.org/stable/c/8bd6dff8b801abaa362272894bda795bf0cf1307 https://git.kernel.org/stable/c/6c3bab5c6261aa22c561ef56b7365959a90e7d91 https://git.kernel.org/stable/c/86a85a7b622e6e8dba69810257733ce5eab5ed55 https://git.kernel.org/stable/c/ca8b201f28547e28343a6f00a6e91fa8c09572fe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change zdi-disclosures@trendmicro.com says: The vulnerability is a race condition between `ets_qdisc_dequeue` and `ets_qdisc_change`. It leads to UAF on `struct Qdisc` object. Attacker requires the capability to create new user and network namespace in order to trigger the bug. See my additional commentary at the end of the analysis. Analysis: static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, struct netlink_ext_ack *extack) { ... // (1) this lock is preventing .change handler (`ets_qdisc_change`) //to race with .dequeue handler (`ets_qdisc_dequeue`) sch_tree_lock(sch); for (i = nbands; i < oldbands; i++) { if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) list_del_init(&q->classes[i].alist); qdisc_purge_queue(q->classes[i].qdisc); } WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { // (2) the class is added to the q->active list_add_tail(&q->classes[i].alist, &q->active); q->classes[i].deficit = quanta[i]; } } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap)); for (i = 0; i < q->nbands; i++) WRITE_ONCE(q->classes[i].quantum, quanta[i]); for (i = oldbands; i < q->nbands; i++) { q->classes[i].qdisc = queues[i]; if (q->classes[i].qdisc != &noop_qdisc) qdisc_hash_add(q->classes[i].qdisc, true); } // (3) the qdisc is unlocked, now dequeue can be called in parallel // to the rest of .change handler sch_tree_unlock(sch); ets_offload_change(sch); for (i = q->nbands; i < oldbands; i++) { // (4) we're reducing the refcount for our class's qdisc and // freeing it qdisc_put(q->classes[i].qdisc); // (5) If we call .dequeue between (4) and (5), we will have // a strong UAF and we can control RIP q->classes[i].qdisc = NULL; WRITE_ONCE(q->classes[i].quantum, 0); q->classes[i].deficit = 0; gnet_stats_basic_sync_init(&q->classes[i].bstats); memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); } return 0; } Comment: This happens because some of the classes have their qdiscs assigned to NULL, but remain in the active list. This commit fixes this issue by always removing the class from the active list before deleting and freeing its associated qdisc Reproducer Steps (trimmed version of what was sent by zdi-disclosures@trendmicro.com) ``` DEV="${DEV:-lo}" ROOT_HANDLE="${ROOT_HANDLE:-1:}" BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2 PING_BYTES="${PING_BYTES:-48}" PING_COUNT="${PING_COUNT:-200000}" PING_DST="${PING_DST:-127.0.0.1}" SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}" SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}" SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}" cleanup() { tc qdisc del dev "$DEV" root 2>/dev/null } trap cleanup EXIT ip link set "$DEV" up tc qdisc del dev "$DEV" root 2>/dev/null || true tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \ tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT" tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2 tc -s qdisc ls dev $DEV ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \ >/dev/null 2>&1 & tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0 tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc -s qdisc ls dev $DEV tc qdisc del dev "$DEV" parent ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-71066 | https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3 https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9 https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0 https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39 https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs: set dummy blocksize to read boot_block when mounting When mounting, sb->s_blocksize is used to read the boot_block without being defined or validated. Set a dummy blocksize before attempting to read the boot_block. The issue can be triggered with the following syz reproducer: mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0) r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0) ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000) mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0) syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0) Here, the ioctl sets the bdev block size to 16384. During mount, get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)), but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves sb->s_blocksize at zero. Later, ntfs_init_from_boot() attempts to read the boot_block while sb->s_blocksize is still zero, which triggers the bug. [almaz.alexandrovich@paragon-software.com: changed comment style, added return value handling] | 2026-01-13 | not yet calculated | CVE-2025-71067 | https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43 https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417 https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array. Add guards before the first use and after advancing to a new page. | 2026-01-13 | not yet calculated | CVE-2025-71068 | https://git.kernel.org/stable/c/a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9 https://git.kernel.org/stable/c/7ba826aae1d43212f3baa53a2175ad949e21926e https://git.kernel.org/stable/c/5f140b525180c628db8fa6c897f138194a2de417 https://git.kernel.org/stable/c/da1ccfc4c452541584a4eae89e337cfa21be6d5a https://git.kernel.org/stable/c/d1bea0ce35b6095544ee82bb54156fc62c067e58 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: invalidate dentry cache on failed whiteout creation F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT operations are performed on such directories, f2fs_rename performs directory modifications (updating target entry and deleting source entry) before attempting to add the whiteout entry via f2fs_add_link. If f2fs_add_link fails due to the corrupted directory structure, the function returns an error to VFS, but the partial directory modifications have already been committed to disk. VFS assumes the entire rename operation failed and does not update the dentry cache, leaving stale mappings. In the error path, VFS does not call d_move() to update the dentry cache. This results in new_dentry still pointing to the old inode (new_inode) which has already had its i_nlink decremented to zero. The stale cache causes subsequent operations to incorrectly reference the freed inode. This causes subsequent operations to use cached dentry information that no longer matches the on-disk state. When a second rename targets the same entry, VFS attempts to decrement i_nlink on the stale inode, which may already have i_nlink=0, triggering a WARNING in drop_nlink(). Example sequence: 1. First rename (RENAME_WHITEOUT): file2 → file1 - f2fs updates file1 entry on disk (points to inode 8) - f2fs deletes file2 entry on disk - f2fs_add_link(whiteout) fails (corrupted directory) - Returns error to VFS - VFS does not call d_move() due to error - VFS cache still has: file1 → inode 7 (stale!) - inode 7 has i_nlink=0 (already decremented) 2. Second rename: file3 → file1 - VFS uses stale cache: file1 → inode 7 - Tries to drop_nlink on inode 7 (i_nlink already 0) - WARNING in drop_nlink() Fix this by explicitly invalidating old_dentry and new_dentry when f2fs_add_link fails during whiteout creation. This forces VFS to refresh from disk on subsequent operations, ensuring cache consistency even when the rename partially succeeds. Reproducer: 1. Mount F2FS image with corrupted i_current_depth 2. renameat2(file2, file1, RENAME_WHITEOUT) 3. renameat2(file3, file1, 0) 4. System triggers WARNING in drop_nlink() | 2026-01-13 | not yet calculated | CVE-2025-71069 | https://git.kernel.org/stable/c/7f2bae0c881aa1e0a6318756df692cc13df2cc83 https://git.kernel.org/stable/c/3d95ed8cf980fdfa67a3ab9491357521ae576168 https://git.kernel.org/stable/c/64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb https://git.kernel.org/stable/c/3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5 https://git.kernel.org/stable/c/c89845fae250efdd59c1d4ec60e9e1c652cee4b6 https://git.kernel.org/stable/c/0dde30753c1e8648665dbe069d814e540ce2fd37 https://git.kernel.org/stable/c/d33f89b34aa313f50f9a512d58dd288999f246b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: clean up user copy references on ublk server exit If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify aborting ublk request"), __ublk_fail_req() would decrement the reference count before completing the failed request. However, that commit optimized __ublk_fail_req() to call __ublk_complete_rq() directly without decrementing the request reference count. The leaked reference count incorrectly allows user copy and zero copy operations on the completed ublk request. It also triggers the WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit() and ublk_deinit_queue(). Commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk char dev is closed") already fixed the issue for ublk devices using UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference count leak also affects UBLK_F_USER_COPY, the other reference-counted data copy mode. Fix the condition in ublk_check_and_reset_active_ref() to include all reference-counted data copy modes. This ensures that any ublk requests still owned by the ublk server when it exits have their reference counts reset to 0. | 2026-01-13 | not yet calculated | CVE-2025-71070 | https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6 https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so that the iommu driver probe defers. Fix this by keeping the references as expected while the iommu driver is bound. | 2026-01-13 | not yet calculated | CVE-2025-71071 | https://git.kernel.org/stable/c/896ec55da3b90bdb9fc04fedc17ad8c359b2eee5 https://git.kernel.org/stable/c/5c04217d06a1161aaf36267e9d971ab6f847d5a7 https://git.kernel.org/stable/c/1ef70a0b104ae8011811f60bcfaa55ff49385171 https://git.kernel.org/stable/c/f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a https://git.kernel.org/stable/c/de83d4617f9fe059623e97acf7e1e10d209625b5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: shmem: fix recovery on rename failures maple_tree insertions can fail if we are seriously short on memory; simple_offset_rename() does not recover well if it runs into that. The same goes for simple_offset_rename_exchange(). Moreover, shmem_whiteout() expects that if it succeeds, the caller will progress to d_move(), i.e. that shmem_rename2() won't fail past the successful call of shmem_whiteout(). Not hard to fix, fortunately - mtree_store() can't fail if the index we are trying to store into is already present in the tree as a singleton. For simple_offset_rename_exchange() that's enough - we just need to be careful about the order of operations. For simple_offset_rename() solution is to preinsert the target into the tree for new_dir; the rest can be done without any potentially failing operations. That preinsertion has to be done in shmem_rename2() rather than in simple_offset_rename() itself - otherwise we'd need to deal with the possibility of failure after successful shmem_whiteout(). | 2026-01-13 | not yet calculated | CVE-2025-71072 | https://git.kernel.org/stable/c/4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113 https://git.kernel.org/stable/c/4642686699a46718d7f2fb5acd1e9d866a9d9cca https://git.kernel.org/stable/c/e1b4c6a58304fd490124cc2b454d80edc786665c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has been freed, leading to a potential use-after-free. Use disable_work_sync() instead of cancel_work_sync() to ensure the reinit work cannot be re-queued, and call it both in lkkbd_disconnect() and in lkkbd_connect() error paths after serio_open(). | 2026-01-13 | not yet calculated | CVE-2025-71073 | https://git.kernel.org/stable/c/3a7cd1397c209076c371d53bf39a55c138f62342 https://git.kernel.org/stable/c/cffc4e29b1e2d44ab094cf142d7c461ff09b9104 https://git.kernel.org/stable/c/e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: functionfs: fix the open/removal races ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object. There is a total count of opened files on functionfs (both ep0 and dynamic ones) and when it hits zero, dynamic files get removed. Unfortunately, that removal can happen while another thread is in ffs_epfile_open(), but has not incremented the count yet. In that case open will succeed, leaving us with UAF on any subsequent read() or write(). The root cause is that ffs->opened is misused; atomic_dec_and_test() vs. atomic_add_return() is not a good idea, when object remains visible all along. To untangle that * serialize openers on ffs->mutex (both for ep0 and for dynamic files) * have dynamic ones use atomic_inc_not_zero() and fail if we had zero ->opened; in that case the file we are opening is doomed. * have the inodes of dynamic files marked on removal (from the callback of simple_recursive_removal()) - clear ->i_private there. * have open of dynamic ones verify they hadn't been already removed, along with checking that state is FFS_ACTIVE. | 2026-01-13 | not yet calculated | CVE-2025-71074 | https://git.kernel.org/stable/c/b49c766856fb5901490de577e046149ebf15e39d https://git.kernel.org/stable/c/e5bf5ee266633cb18fff6f98f0b7d59a62819eee |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceeds. | 2026-01-13 | not yet calculated | CVE-2025-71075 | https://git.kernel.org/stable/c/c8f6f88cd1df35155258285c4f43268b361819df https://git.kernel.org/stable/c/278455a82245a572aeb218a6212a416a98e418de https://git.kernel.org/stable/c/b3e655e52b98a1d3df41c8e42035711e083099f8 https://git.kernel.org/stable/c/e354793a7ab9bb0934ea699a9d57bcd1b48fc27b https://git.kernel.org/stable/c/a41dc180b6e1229ae49ca290ae14d82101c148c3 https://git.kernel.org/stable/c/751c19635c2bfaaf2836a533caa3663633066dcf https://git.kernel.org/stable/c/f6ab594672d4cba08540919a4e6be2e202b60007 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Limit num_syncs to prevent oversized allocations The OA open parameters did not validate num_syncs, allowing userspace to pass arbitrarily large values, potentially leading to excessive allocations. Add check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS, returning -EINVAL when the limit is violated. v2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh) (cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b) | 2026-01-13 | not yet calculated | CVE-2025-71076 | https://git.kernel.org/stable/c/b963636331fb4f3f598d80492e2fa834757198eb https://git.kernel.org/stable/c/338849090ee610ff6d11e5e90857d2c27a4121ab https://git.kernel.org/stable/c/f8dd66bfb4e184c71bd26418a00546ebe7f5c17a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: Cap the number of PCR banks tpm2_get_pcr_allocation() does not cap any upper limit for the number of banks. Cap the limit to eight banks so that out of bounds values coming from external I/O cause on only limited harm. | 2026-01-13 | not yet calculated | CVE-2025-71077 | https://git.kernel.org/stable/c/8ceee7288152bc121a6bf92997261838c78bfe06 https://git.kernel.org/stable/c/275c686f1e3cc056ec66c764489ec1fe1e51b950 https://git.kernel.org/stable/c/ceb70d31da5671d298bad94ae6c20e4bbb800f96 https://git.kernel.org/stable/c/d88481653d74d622d1d0d2c9bad845fc2cc6fd23 https://git.kernel.org/stable/c/b69492161c056d36789aee42a87a33c18c8ed5e1 https://git.kernel.org/stable/c/858344bc9210bea9ab2bdc7e9e331ba84c164e50 https://git.kernel.org/stable/c/faf07e611dfa464b201223a7253e9dc5ee0f3c9e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction - typically after every 256 context switches - to remove old entry. To optimize performance, the kernel skips switch_mmu_context() in switch_mm_irqs_off() when the prev and next mm_struct are the same. However, on hash MMU systems, this can lead to inconsistencies between the hardware SLB and the software preload cache. If an SLB entry for a process is evicted from the software cache on one CPU, and the same process later runs on another CPU without executing switch_mmu_context(), the hardware SLB may retain stale entries. If the kernel then attempts to reload that entry, it can trigger an SLB multi-hit error. The following timeline shows how stale SLB entries are created and can cause a multi-hit error when a process moves between CPUs without a MMU context switch. CPU 0 CPU 1 ----- ----- Process P exec swapper/1 load_elf_binary begin_new_exc activate_mm switch_mm_irqs_off switch_mmu_context switch_slb /* * This invalidates all * the entries in the HW * and setup the new HW * SLB entries as per the * preload cache. */ context_switch sched_migrate_task migrates process P to cpu-1 Process swapper/0 context switch (to process P) (uses mm_struct of Process P) switch_mm_irqs_off() switch_slb load_slb++ /* * load_slb becomes 0 here * and we evict an entry from * the preload cache with * preload_age(). We still * keep HW SLB and preload * cache in sync, that is * because all HW SLB entries * anyways gets evicted in * switch_slb during SLBIA. * We then only add those * entries back in HW SLB, * which are currently * present in preload_cache * (after eviction). */ load_elf_binary continues... setup_new_exec() slb_setup_new_exec() sched_switch event sched_migrate_task migrates process P to cpu-0 context_switch from swapper/0 to Process P switch_mm_irqs_off() /* * Since both prev and next mm struct are same we don't call * switch_mmu_context(). This will cause the HW SLB and SW preload * cache to go out of sync in preload_new_slb_context. Because there * was an SLB entry which was evicted from both HW and preload cache * on cpu-1. Now later in preload_new_slb_context(), when we will try * to add the same preload entry again, we will add this to the SW * preload cache and then will add it to the HW SLB. Since on cpu-0 * this entry was never invalidated, hence adding this entry to the HW * SLB will cause a SLB multi-hit error. */ load_elf_binary cont ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-71078 | https://git.kernel.org/stable/c/01324c0328181b94cf390bda22ff91c75126ea57 https://git.kernel.org/stable/c/2e9a95d60f1df7b57618fd5ef057aef331575bd2 https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37 https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8 https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock Thread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex This creates a classic ABBA deadlock scenario. Fix this by moving rfkill_unregister() and rfkill_destroy() outside the device_lock critical section. Store the rfkill pointer in a local variable before releasing the lock, then call rfkill_unregister() after releasing device_lock. This change is safe because rfkill_fop_write() holds rfkill_global_mutex while calling the rfkill callbacks, and rfkill_unregister() also acquires rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will wait for any ongoing callback to complete before proceeding, and device_del() is only called after rfkill_unregister() returns, preventing any use-after-free. The similar lock ordering in nfc_register_device() (device_lock -> rfkill_global_mutex via rfkill_register) is safe because during registration the device is not yet in rfkill_list, so no concurrent rfkill operations can occur on this device. | 2026-01-13 | not yet calculated | CVE-2025-71079 | https://git.kernel.org/stable/c/2e0831e9fc46a06daa6d4d8d57a2738e343130c3 https://git.kernel.org/stable/c/e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012 https://git.kernel.org/stable/c/ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5 https://git.kernel.org/stable/c/6b93c8ab6f6cda8818983a4ae3fcf84b023037b4 https://git.kernel.org/stable/c/8fc4632fb508432895430cd02b38086bdd649083 https://git.kernel.org/stable/c/f3a8a7c1aa278f2378b2f3a10500c6674dffdfda https://git.kernel.org/stable/c/1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the current task can be preempted. Another task running on the same CPU may then execute rt6_make_pcpu_route() and successfully install a pcpu_rt entry. When the first task resumes execution, its cmpxchg() in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding mdelay() after rt6_get_pcpu_route(). Using preempt_disable/enable is not appropriate here because ip6_rt_pcpu_alloc() may sleep. Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT: free our allocation and return the existing pcpu_rt installed by another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT kernels where such races should not occur. | 2026-01-13 | not yet calculated | CVE-2025-71080 | https://git.kernel.org/stable/c/1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66 https://git.kernel.org/stable/c/787515ccb2292f82eb0876993129154629a49651 https://git.kernel.org/stable/c/1adaea51c61b52e24e7ab38f7d3eba023b2d050d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe. Make sure to drop the reference on platform probe failures (e.g. probe deferral) and on driver unbind. This also avoids a potential use-after-free in case the DAI is ever reprobed without first rebinding the platform driver. | 2026-01-13 | not yet calculated | CVE-2025-71081 | https://git.kernel.org/stable/c/7daa50a2157e41c964b745ab1dc378b5b3b626d1 https://git.kernel.org/stable/c/acda653169e180b1d860dbb6bc5aceb105858394 https://git.kernel.org/stable/c/4054a3597d047f3fe87864ef87f399b5d523e6c0 https://git.kernel.org/stable/c/bae74771fc5d3b2a9cf6f5aa64596083d032c4a3 https://git.kernel.org/stable/c/3752afcc6d80d5525e236e329895ba2cb93bcb26 https://git.kernel.org/stable/c/23261f0de09427367e99f39f588e31e2856a690e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interface, INTF. In a driver that binds to other interfaces, ISOC and DIAG, this is an accident waiting to happen. The issue is revealed in btusb_disconnect(), where calling usb_driver_release_interface(&btusb_driver, data->intf) will have devm free the data that is also being used by the other interfaces of the driver that may not be released yet. To fix this, revert the use of devm and go back to freeing memory explicitly. | 2026-01-13 | not yet calculated | CVE-2025-71082 | https://git.kernel.org/stable/c/fff9206b0907252a41eb12b7c1407b9347df18b1 https://git.kernel.org/stable/c/cca0e9206e3bcc63cd3e72193e60149165d493cc https://git.kernel.org/stable/c/c0ecb3e4451fe94f4315e6d09c4046dfbc42090b https://git.kernel.org/stable/c/1e54c19eaf84ba652c4e376571093e58e144b339 https://git.kernel.org/stable/c/fdf7c640fb8a44a59b0671143d8c2f738bc48003 https://git.kernel.org/stable/c/252714f1e8bdd542025b16321c790458014d6880 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well -- in this case, ENODATA is recorded instead of the buffer contents. | 2026-01-13 | not yet calculated | CVE-2025-71083 | https://git.kernel.org/stable/c/47a85604a761005d255ae38115ee630cc6931756 https://git.kernel.org/stable/c/4b9944493c6d92d7b29cfd83aaf3deb842b8da79 https://git.kernel.org/stable/c/3d004f7341d4898889801ebb2ef61ffca610dd6f https://git.kernel.org/stable/c/5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0 https://git.kernel.org/stable/c/b94182b3d7228aec18d069cba56d5982e9bfe1b1 https://git.kernel.org/stable/c/491adc6a0f9903c32b05f284df1148de39e8e644 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr. This leaks a refcount and triggers a WARN: GID entry ref leak for dev syz1 index 2 ref=573 WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline] WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886 Destroy the ah_attr after canceling the work, it is safe to call this twice. | 2026-01-13 | not yet calculated | CVE-2025-71084 | https://git.kernel.org/stable/c/d5ce588a9552878859a4d44b70b724216c188a5f https://git.kernel.org/stable/c/abf38398724ecc888f62c678d288da40d11878af https://git.kernel.org/stable/c/ab668a58c4a2ccb6d54add7a76f2f955d15d0196 https://git.kernel.org/stable/c/c0acdee513239e1d6e1b490f56be0e6837dfd162 https://git.kernel.org/stable/c/5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3 https://git.kernel.org/stable/c/3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5 https://git.kernel.org/stable/c/57f3cb6c84159d12ba343574df2115fb18dd83ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0); | 2026-01-13 | not yet calculated | CVE-2025-71085 | https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2 https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910 https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1 https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0 https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24 https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570 https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold(). Fix the index to use i. | 2026-01-13 | not yet calculated | CVE-2025-71086 | https://git.kernel.org/stable/c/819fb41ae54960f66025802400c9d3935eef4042 https://git.kernel.org/stable/c/ed2639414d43ba037f798eaf619e878309310451 https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981 https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280 https://git.kernel.org/stable/c/b409ba9e1e63ccf3ab4cc061e33c1f804183543e https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38 https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index. That commit changed the bounds to: i <= adapter->rss_{key,lut}_size / 4 where `rss_{key,lut}_size / 4` is the number of dwords, so the last valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` accesses one element past the end. Fix the issues by using `<` instead of `<=`, ensuring we do not exceed the bounds. [1] KASAN splat about rss_key_size off-by-one BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: iavf iavf_watchdog_task Call Trace: <TASK> dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x1a0 iavf_config_rss+0x619/0x800 iavf_watchdog_task+0x2be7/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 63: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_noprof+0x246/0x6f0 iavf_watchdog_task+0x28fc/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 The buggy address belongs to the object at ffff888102c50100 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes to the right of allocated 52-byte region [ffff888102c50100, ffff888102c50134) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 flags: 0x200000000000000(node=0|zone=2) page_type: f5(slab) raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ^ ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | 2026-01-13 | not yet calculated | CVE-2025-71087 | https://git.kernel.org/stable/c/ceb8459df28d22c225a82d74c0f725f2a935d194 https://git.kernel.org/stable/c/5bb18bfd505ca1affbca921462c350095a6c798c https://git.kernel.org/stable/c/d7369dc8dd7cbf5cee3a22610028d847b6f02982 https://git.kernel.org/stable/c/18de0e41d69d97fab10b91fecf10ae78a5e43232 https://git.kernel.org/stable/c/f36de3045d006e6d9be1be495f2ed88d1721e752 https://git.kernel.org/stable/c/3095228e1320371e143835d0cebeef1a8a754c66 https://git.kernel.org/stable/c/6daa2893f323981c7894c68440823326e93a7d61 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6 RSP: 0018:ffffc900006cf338 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900 R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0 Call Trace: <TASK> tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500 dst_input include/net/dst.h:471 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092 process_backlog+0x442/0x15e0 net/core/dev.c:6444 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494 napi_poll net/core/dev.c:7557 [inline] net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579 run_ksoftirqd kernel/softirq.c:968 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160 kthread+0x3c2/0x780 kernel/kthread.c:463 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The TCP subflow can process the simult-connect syn-ack packet after transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check, as the sk_state_change() callback is not invoked for * -> FIN_WAIT1 transitions. That will move the msk socket to an inconsistent status and the next incoming data will hit the reported splat. Close the race moving the simult-fallback check at the earliest possible stage - that is at syn-ack generation time. About the fixes tags: [2] was supposed to also fix this issue introduced by [3]. [1] is required as a dependence: it was not explicitly marked as a fix, but it is one and it has already been backported before [3]. In other words, this commit should be backported up to [3], including [2] and [1] if that's not already there. | 2026-01-13 | not yet calculated | CVE-2025-71088 | https://git.kernel.org/stable/c/b5f46a08269265e2f5e87d855287d6d22de0a32b https://git.kernel.org/stable/c/c9bf315228287653522894df9d851e9b43db9516 https://git.kernel.org/stable/c/79f80a7a47849ef1b3c25a0bedcc448b9cb551c1 https://git.kernel.org/stable/c/25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86 https://git.kernel.org/stable/c/71154bbe49423128c1c8577b6576de1ed6836830 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages. | 2026-01-13 | not yet calculated | CVE-2025-71089 | https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9 https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4 https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661 https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg() nfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites fp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if the client already has a SHARE_ACCESS_READ open from a previous OPEN operation, this action overwrites the existing pointer without releasing its reference, orphaning the previous reference. Additionally, the function originally stored the same nfsd_file pointer in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file with only a single reference. When put_deleg_file() runs, it clears fi_rdeleg_file and calls nfs4_file_put_access() to release the file. However, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when the fi_access[O_RDONLY] counter drops to zero. If another READ open exists on the file, the counter remains elevated and the nfsd_file reference from the delegation is never released. This potentially causes open conflicts on that file. Then, on server shutdown, these leaks cause __nfsd_file_cache_purge() to encounter files with an elevated reference count that cannot be cleaned up, ultimately triggering a BUG() in kmem_cache_destroy() because there are still nfsd_file objects allocated in that cache. | 2026-01-13 | not yet calculated | CVE-2025-71090 | https://git.kernel.org/stable/c/c07dc84ed67c5a182273171639bacbbb87c12175 https://git.kernel.org/stable/c/8072e34e1387d03102b788677d491e2bcceef6f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 Call Trace: <TASK> __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del_rcu include/linux/rculist.h:178 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 team_option_set drivers/net/team/team_core.c:376 [inline] team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 __sys_sendmsg+0x16d/0x220 net/socket.c:2716 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The problem is in this flow: 1) Port is enabled, queue_id != 0, in qom_list 2) Port gets disabled -> team_port_disable() -> team_queue_override_port_del() -> del (removed from list) 3) Port is disabled, queue_id != 0, not in any list 4) Priority changes -> team_queue_override_port_prio_changed() -> checks: port disabled && queue_id != 0 -> calls del - hits the BUG as it is removed already To fix this, change the check in team_queue_override_port_prio_changed() so it returns early if port is not enabled. | 2026-01-13 | not yet calculated | CVE-2025-71091 | https://git.kernel.org/stable/c/25029e813c4aae5fcf7118e8dd5c56e382b9a1a3 https://git.kernel.org/stable/c/f820e438b8ec2a8354e70e75145f05fe45500d97 https://git.kernel.org/stable/c/53a727a8bfd78c739e130a781192d0f6f8e03d39 https://git.kernel.org/stable/c/6bfb62b6010a16112dcae52f490e5e0e6abe12a3 https://git.kernel.org/stable/c/107d245f84cb4f55f597d31eda34b42a2b7d6952 https://git.kernel.org/stable/c/b71187648ef2349254673d0523fdf96d1fe3d758 https://git.kernel.org/stable/c/932ac51d9953eaf77a1252f79b656d4ca86163c6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats() Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR. BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware statistics with different num_counters values on chip_gen_p5_p7 devices. As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating hw_stats, which leads to an out-of-bounds write in bnxt_re_copy_err_stats(). The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not only p5/p7 devices. Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they are included in the generic counter set. | 2026-01-13 | not yet calculated | CVE-2025-71092 | https://git.kernel.org/stable/c/369a161c48723f60f06f3510b82ea7d96d0499ab https://git.kernel.org/stable/c/9b68a1cc966bc947d00e4c0df7722d118125aa37 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ================================================================== BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790 Read of size 1 at addr ffff888014114e54 by task sshd/363 CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x5a/0x74 print_address_description+0x7b/0x440 print_report+0x101/0x200 kasan_report+0xc1/0xf0 e1000_tbi_should_accept+0x610/0x790 e1000_clean_rx_irq+0xa8c/0x1110 e1000_clean+0xde2/0x3c10 __napi_poll+0x98/0x380 net_rx_action+0x491/0xa20 __do_softirq+0x2c9/0x61d do_softirq+0xd1/0x120 </IRQ> <TASK> __local_bh_enable_ip+0xfe/0x130 ip_finish_output2+0x7d5/0xb00 __ip_queue_xmit+0xe24/0x1ab0 __tcp_transmit_skb+0x1bcb/0x3340 tcp_write_xmit+0x175d/0x6bd0 __tcp_push_pending_frames+0x7b/0x280 tcp_sendmsg_locked+0x2e4f/0x32d0 tcp_sendmsg+0x24/0x40 sock_write_iter+0x322/0x430 vfs_write+0x56c/0xa60 ksys_write+0xd1/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f511b476b10 Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24 RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10 RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003 RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00 R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003 </TASK> Allocated by task 1: __kasan_krealloc+0x131/0x1c0 krealloc+0x90/0xc0 add_sysfs_param+0xcb/0x8a0 kernel_add_sysfs_param+0x81/0xd4 param_sysfs_builtin+0x138/0x1a6 param_sysfs_init+0x57/0x5b do_one_initcall+0x104/0x250 do_initcall_level+0x102/0x132 do_initcalls+0x46/0x74 kernel_init_freeable+0x28f/0x393 kernel_init+0x14/0x1a0 ret_from_fork+0x22/0x30 The buggy address belongs to the object at ffff888014114000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1620 bytes to the right of 2048-byte region [ffff888014114000, ffff888014114800] The buggy address belongs to the physical page: page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110 head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head|node=0|zone=1) raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected ================================================================== This happens because the TBI check unconditionally dereferences the last byte without validating the reported length first: u8 last_byte = *(data + length - 1); Fix by rejecting the frame early if the length is zero, or if it exceeds adapter->rx_buffer_len. This preserves the TBI workaround semantics for valid frames and prevents touching memory beyond the RX buffer. | 2026-01-13 | not yet calculated | CVE-2025-71093 | https://git.kernel.org/stable/c/4ccfa56f272241e8d8e2c38191fdbb03df489d80 https://git.kernel.org/stable/c/278b7cfe0d4da7502c7fd679b15032f014c92892 https://git.kernel.org/stable/c/ad7a2a45e2417ac54089926b520924f8f0d91aea https://git.kernel.org/stable/c/2c4c0c09f9648ba766d399917d420d03e7b3e1f8 https://git.kernel.org/stable/c/26c8bebc2f25288c2bcac7bc0a7662279a0e817c https://git.kernel.org/stable/c/ee7c125fb3e8b04dd46510130b9fc92380e5d578 https://git.kernel.org/stable/c/9c72a5182ed92904d01057f208c390a303f00a0f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: drivers/net/phy/mdio_bus.c:76 Validate the PHY address in asix_read_phy_addr() and remove the now-redundant check in ax88172a.c. | 2026-01-13 | not yet calculated | CVE-2025-71094 | https://git.kernel.org/stable/c/fc96018f09f8d30586ca6582c5045a84eafef146 https://git.kernel.org/stable/c/f5f4f30f3811d37e1aa48667c36add74e5a8d99f https://git.kernel.org/stable/c/38722e69ee64dbb020028c93898d25d6f4c0e0b2 https://git.kernel.org/stable/c/98a12c2547a44a5f03f35c108d2022cc652cbc4d https://git.kernel.org/stable/c/bf8a0f3b787ca7c5889bfca12c60c483041fbee3 https://git.kernel.org/stable/c/a1e077a3f76eea0dc671ed6792e7d543946227e8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt For XDP_TX action, the xdp_buff is converted to xdp_frame by xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame depends on the memory type of the xdp_buff. For page pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy XSK pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the memory type and always uses the page pool type, this leads to invalid mappings and causes the crash. Therefore, check the xdp_buff memory type in stmmac_xdp_xmit_back() to fix this issue. | 2026-01-13 | not yet calculated | CVE-2025-71095 | https://git.kernel.org/stable/c/3f7823219407f2f18044c2b72366a48810c5c821 https://git.kernel.org/stable/c/4d0ceb7677e1c4616afb96abb4518f70b65abb0d https://git.kernel.org/stable/c/45ee0462b88396a0bd1df1991f801c89994ea72b https://git.kernel.org/stable/c/5e5988736a95b1de7f91b10ac2575454b70e4897 https://git.kernel.org/stable/c/a48e232210009be50591fdea8ba7c07b0f566a13 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation and parsing into one function. Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query. BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline] BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 hex_byte_pack include/linux/hex.h:13 [inline] ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline] ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline] rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x333/0x3d0 net/socket.c:729 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703 __compat_sys_sendmsg net/compat.c:346 [inline] __do_compat_sys_sendmsg net/compat.c:353 [inline] __se_compat_sys_sendmsg net/compat.c:350 [inline] __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3 | 2026-01-13 | not yet calculated | CVE-2025-71096 | https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831 https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624d https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94 https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Fix by flushing error routes when their nexthop is marked as dead. IPv6 does not suffer from this problem. | 2026-01-13 | not yet calculated | CVE-2025-71097 | https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536 https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43 https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:213 ! <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 neigh_output include/net/neighbour.h:556 [inline] ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 | 2026-01-13 | not yet calculated | CVE-2025-71098 | https://git.kernel.org/stable/c/17e7386234f740f3e7d5e58a47b5847ea34c3bc2 https://git.kernel.org/stable/c/41a1a3140aff295dee8063906f70a514548105e8 https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60 https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92 https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, freeing oa_config before we dereference it, leading to a potential use-after-free. Fix this by caching the id in a local variable while holding the lock. v2: (Matt A) - Dropped mutex_unlock(&oa->metrics_lock) ordering change from xe_oa_remove_config_ioctl() (cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31) | 2026-01-13 | not yet calculated | CVE-2025-71099 | https://git.kernel.org/stable/c/c6d30b65b7a44dac52ad49513268adbf19eab4a2 https://git.kernel.org/stable/c/7cdb9a9da935c687563cc682155461fef5f9b48d https://git.kernel.org/stable/c/dcb171931954c51a1a7250d558f02b8f36570783 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() TID getting from ieee80211_get_tid() might be out of range of array size of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise, UBSAN warn: UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30 index 10 is out of range for type 'rtl_tid_data [9]' | 2026-01-13 | not yet calculated | CVE-2025-71100 | https://git.kernel.org/stable/c/9765d6eb8298b07d499cdf9ef7c237d3540102d6 https://git.kernel.org/stable/c/90a15ff324645aa806d81fa349497cd964861b66 https://git.kernel.org/stable/c/dd39edb445f07400e748da967a07d5dca5c5f96e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. When processing multi-element fields like PREREQUISITES and ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array elements using expressions like 'enum_obj[elem + reqs]' and 'enum_obj[elem + pos_values]' within nested loops. The bug is that the bounds check only validated elem, but did not consider the additional offset when accessing elem + reqs or elem + pos_values. The fix changes the bounds check to validate the actual accessed index. | 2026-01-13 | not yet calculated | CVE-2025-71101 | https://git.kernel.org/stable/c/cf7ae870560b988247a4bbbe5399edd326632680 https://git.kernel.org/stable/c/db4c26adf7117b1a4431d1197ae7109fee3230ad https://git.kernel.org/stable/c/79cab730dbaaac03b946c7f5681bd08c986e2abd https://git.kernel.org/stable/c/e44c42c830b7ab36e3a3a86321c619f24def5206 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in __scs_magic __scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here should be '__scs_magic(task_scs(tsk))'. The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage checking function (scs_check_usage) would scan an incorrect memory range. This could lead 1. **Inaccurate stack usage reporting**: The function would calculate wrong usage statistics for the shadow call stack, potentially showing incorrect value in kmsg. 2. **Potential kernel crash**: If the value of __scs_magic(tsk)is greater than that of __scs_magic(task_scs(tsk)), the for loop may access unmapped memory, potentially causing a kernel panic. However, this scenario is unlikely because task_struct is allocated via the slab allocator (which typically returns lower addresses), while the shadow call stack returned by task_scs(tsk) is allocated via vmalloc(which typically returns higher addresses). However, since this is purely a debugging feature (CONFIG_DEBUG_STACK_USAGE), normal production systems should be not unaffected. The bug only impacts developers and testers who are actively debugging stack usage with this configuration enabled. | 2026-01-14 | not yet calculated | CVE-2025-71102 | https://git.kernel.org/stable/c/1727e8bd69103a68963a5613a0ddb6d8d37df5d3 https://git.kernel.org/stable/c/cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c https://git.kernel.org/stable/c/57ba40b001be27786d0570dd292289df748b306b https://git.kernel.org/stable/c/062774439d442882b44f5eab8c256ad3423ef284 https://git.kernel.org/stable/c/9ef28943471a16e4f9646bc3e8e2de148e7d8d7b https://git.kernel.org/stable/c/a19fb3611e4c06624fc0f83ef19f4fb8d57d4751 https://git.kernel.org/stable/c/08bd4c46d5e63b78e77f2605283874bbe868ab19 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: adreno: fix deferencing ifpc_reglist when not declared On plaforms with an a7xx GPU not supporting IFPC, the ifpc_reglist if still deferenced in a7xx_patch_pwrup_reglist() which causes a kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 ... pc : a6xx_hw_init+0x155c/0x1e4c [msm] lr : a6xx_hw_init+0x9a8/0x1e4c [msm] ... Call trace: a6xx_hw_init+0x155c/0x1e4c [msm] (P) msm_gpu_hw_init+0x58/0x88 [msm] adreno_load_gpu+0x94/0x1fc [msm] msm_open+0xe4/0xf4 [msm] drm_file_alloc+0x1a0/0x2e4 [drm] drm_client_init+0x7c/0x104 [drm] drm_fbdev_client_setup+0x94/0xcf0 [drm_client_lib] drm_client_setup+0xb4/0xd8 [drm_client_lib] msm_drm_kms_post_init+0x2c/0x3c [msm] msm_drm_init+0x1a4/0x228 [msm] msm_drm_bind+0x30/0x3c [msm] ... Check the validity of ifpc_reglist before deferencing the table to setup the register values. Patchwork: https://patchwork.freedesktop.org/patch/688944/ | 2026-01-14 | not yet calculated | CVE-2025-71103 | https://git.kernel.org/stable/c/19648135e904bce447d368ecb6136e5da809639c https://git.kernel.org/stable/c/129049d4fe22c998ae9fd1ec479fbb4ed5338c15 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an expired timer over and over. In extreme scenarios, e.g. if userspace pauses/suspends a VM for an extended duration, this can even cause hard lockups in the host. Currently, the bug only affects Intel CPUs when using the hypervisor timer (HV timer), a.k.a. the VMX preemption timer. Unlike the software timer, a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the HV timer only runs while the guest is active. As a result, if the vCPU does not run for an extended duration, there will be a huge gap between the target expiration and the current time the vCPU resumes running. Because the target expiration is incremented by only one period on each timer expiration, this leads to a series of timer expirations occurring rapidly after the vCPU/VM resumes. More critically, when the vCPU first triggers a periodic HV timer expiration after resuming, advancing the expiration by only one period will result in a target expiration in the past. As a result, the delta may be calculated as a negative value. When the delta is converted into an absolute value (tscdeadline is an unsigned u64), the resulting value can overflow what the HV timer is capable of programming. I.e. the large value will exceed the VMX Preemption Timer's maximum bit width of cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the HV timer to the software timer (hrtimers). After switching to the software timer, periodic timer expiration callbacks may be executed consecutively within a single clock interrupt handler, because hrtimers honors KVM's request for an expiration in the past and immediately re-invokes KVM's callback after reprogramming. And because the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer over and over until the target expiration is advanced to "now" can result in a hard lockup. E.g. the following hard lockup was triggered in the host when running a Windows VM (only relevant because it used the APIC timer in periodic mode) after resuming the VM from a long suspend (in the host). NMI watchdog: Watchdog detected hard LOCKUP on cpu 45 ... RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm] ... RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046 RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500 RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0 R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0 R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8 FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0 PKRU: 55555554 Call Trace: <IRQ> apic_timer_fn+0x31/0x50 [kvm] __hrtimer_run_queues+0x100/0x280 hrtimer_interrupt+0x100/0x210 ? ttwu_do_wakeup+0x19/0x160 smp_apic_timer_interrupt+0x6a/0x130 apic_timer_interrupt+0xf/0x20 </IRQ> Moreover, if the suspend duration of the virtual machine is not long enough to trigger a hard lockup in this scenario, since commit 98c25ead5eda ("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM will continue using the software timer until the guest reprograms the APIC timer in some way. Since the periodic timer does not require frequent APIC timer register programming, the guest may continue to use the software timer in ---truncated--- | 2026-01-14 | not yet calculated | CVE-2025-71104 | https://git.kernel.org/stable/c/786ed625c125c5cd180d6aaa37e653e3e4ffb8d9 https://git.kernel.org/stable/c/d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73 https://git.kernel.org/stable/c/807dbe8f3862fa7c164155857550ce94b36a11b9 https://git.kernel.org/stable/c/7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed https://git.kernel.org/stable/c/e746e51947053a02af2ea964593dc4887108d379 https://git.kernel.org/stable/c/e23f46f1a971c73dad2fd63e1408696114ddebe2 https://git.kernel.org/stable/c/18ab3fc8e880791aa9f7c000261320fc812b5465 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_slab instead of per-sb slab cache As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name 'f2fs_xattr_entry-7:7' already exists WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline] WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline] RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 Call Trace: __kmem_cache_create include/linux/slab.h:353 [inline] f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline] f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843 f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918 get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692 vfs_get_tree+0x43/0x140 fs/super.c:1815 do_new_mount+0x201/0x550 fs/namespace.c:3808 do_mount fs/namespace.c:4136 [inline] __do_sys_mount fs/namespace.c:4347 [inline] __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug can be reproduced w/ below scripts: - mount /dev/vdb /mnt1 - mount /dev/vdc /mnt2 - umount /mnt1 - mounnt /dev/vdb /mnt1 The reason is if we created two slab caches, named f2fs_xattr_entry-7:3 and f2fs_xattr_entry-7:7, and they have the same slab size. Actually, slab system will only create one slab cache core structure which has slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same structure and cache address. So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will decrease reference count of slab cache, rather than release slab cache entirely, since there is one more user has referenced the cache. Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again, slab system will find that there is existed cache which has the same name and trigger the warning. Let's changes to use global inline_xattr_slab instead of per-sb slab cache for fixing. | 2026-01-14 | not yet calculated | CVE-2025-71105 | https://git.kernel.org/stable/c/93d30fe19660dec6bf1bd3d5c186c1c737b21aa5 https://git.kernel.org/stable/c/474cc3ed37436ddfd63cac8dbffe3b1e219e9100 https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4 https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5 https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: PM: Fix reverse check in filesystems_freeze_callback() The freeze_all_ptr check in filesystems_freeze_callback() introduced by commit a3f8f8662771 ("power: always freeze efivarfs") is reverse which quite confusingly causes all file systems to be frozen when filesystem_freeze_enabled is false. On my systems it causes the WARN_ON_ONCE() in __set_task_frozen() to trigger, most likely due to an attempt to freeze a file system that is not ready for that. Add a logical negation to the check in question to reverse it as appropriate. | 2026-01-14 | not yet calculated | CVE-2025-71106 | https://git.kernel.org/stable/c/b107196729ff6b9d6cde0a71f49c1243def43328 https://git.kernel.org/stable/c/222047f68e8565c558728f792f6fef152a1d4d51 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none) Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:f2fs_put_super+0x3b3/0x3c0 Call Trace: <TASK> generic_shutdown_super+0x7e/0x190 kill_block_super+0x1a/0x40 kill_f2fs_super+0x9d/0x190 deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x5c/0xa0 exit_to_user_mode_loop+0xb7/0xc0 do_syscall_64+0x1ae/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]--- It appears that sometimes it is possible that f2fs_put_super() is called before all node page reads are completed. Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem. | 2026-01-14 | not yet calculated | CVE-2025-71107 | https://git.kernel.org/stable/c/c3031cf2b61f1508662fc95ef9ad505cb0882a5f https://git.kernel.org/stable/c/3b15d5f12935e9e25f9a571e680716bc9ee61025 https://git.kernel.org/stable/c/0b36fae23621a09e772c8adf918b9011158f8511 https://git.kernel.org/stable/c/297baa4aa263ff8f5b3d246ee16a660d76aa82c4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero. Some buggy FW has been known to set this bit, and it can lead to a system not booting. Flag that the FW is not behaving correctly, and auto-fix the value so that the system boots correctly. Found on Lenovo P1 G8 during Linux enablement program. The FW will be fixed, but seemed worth addressing in case it hit platforms that aren't officially Linux supported. | 2026-01-14 | not yet calculated | CVE-2025-71108 | https://git.kernel.org/stable/c/07c8d2a109d847775b3b4e2c3294c8e1eea75432 https://git.kernel.org/stable/c/58941bbb0050e365a98c64f1fc4a9a0ac127dba6 https://git.kernel.org/stable/c/f72f97d0aee4a993a35f2496bca5efd24827235d https://git.kernel.org/stable/c/914605b0de8128434eafc9582445306830748b93 https://git.kernel.org/stable/c/3042a57a8e8bce4a3100c3f6f03dc372aab24943 https://git.kernel.org/stable/c/132fe187e0d940f388f839fe2cde9b84106ad20d https://git.kernel.org/stable/c/30cd2cb1abf4c4acdb1ddb468c946f68939819fb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time, the code in ftrace assumes that no more than 2 instructions can be generated, which is why it stores them in an int[2] array. However, as previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA) causes a buffer overflow when _mcount is beyond 32 bits. This leads to corruption of the variables located in the __read_mostly section. This corruption was observed because the variable __cpu_primary_thread_mask was corrupted, causing a hang very early during boot. This fix prevents the corruption by avoiding the generation of instructions if they could exceed 2 instructions in length. Fortunately, insn_la_mcount is only used if the instrumented code is located outside the kernel code section, so dynamic ftrace can still be used, albeit in a more limited scope. This is still preferable to corrupting memory and/or crashing the kernel. | 2026-01-14 | not yet calculated | CVE-2025-71109 | https://git.kernel.org/stable/c/e3e33ac2eb69d595079a1a1e444c2fb98efdd42d https://git.kernel.org/stable/c/7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150 https://git.kernel.org/stable/c/36dac9a3dda1f2bae343191bc16b910c603cac25 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the original (e.g., 0xf3) to a poison tag (0xfe). When defer_free() then tries to write to the freed object to build the deferred free list via llist_add(), the pointer still has the old tag, causing a tag mismatch and triggering a KASAN use-after-free report: BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537 Write at addr f3f000000854f020 by task kworker/u8:6/983 Pointer tag: [f3], memory tag: [fe] Fix this by calling kasan_reset_tag() before accessing the freed memory. This is safe because defer_free() is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes. | 2026-01-14 | not yet calculated | CVE-2025-71110 | https://git.kernel.org/stable/c/65d4e5af2a2e82f4fc50d8259aee208fbc6b2c1d https://git.kernel.org/stable/c/53ca00a19d345197a37a1bf552e8d1e7b091666c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors. Convert the macro to a static function. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions. Additionally, in store_fan_div, move the calculation of the minimum limit inside the update lock. This ensures that the read-modify-write sequence operates on consistent data. Adhere to the principle of minimal changes by only converting macros that evaluate arguments multiple times and are used in lockless contexts. | 2026-01-14 | not yet calculated | CVE-2025-71111 | https://git.kernel.org/stable/c/3dceb68f6ad33156032ef4da21a93d84059cca6d https://git.kernel.org/stable/c/bf5b03227f2e6d4360004886d268f9df8993ef8f https://git.kernel.org/stable/c/f2b579a0c37c0df19603d719894a942a295f634a https://git.kernel.org/stable/c/f94800fbc26ccf7c81eb791707b038a57aa39a18 https://git.kernel.org/stable/c/a9fb6e8835a22f5796c1182ed612daed3fd273af https://git.kernel.org/stable/c/c8cf0c2bdcccc6634b6915ff793b844e12436680 https://git.kernel.org/stable/c/670d7ef945d3a84683594429aea6ab2cdfa5ceb4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receive a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger than or equal to VLAN_N_VID. Therefore, VLAN id needs to be checked to ensure it is within the range of VLAN_N_VID. | 2026-01-14 | not yet calculated | CVE-2025-71112 | https://git.kernel.org/stable/c/46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8 https://git.kernel.org/stable/c/42c91dfa772c57de141e5a55a187ac760c0fd7e1 https://git.kernel.org/stable/c/00e56a7706e10b3d00a258d81fcb85a7e96372d6 https://git.kernel.org/stable/c/b7b4f3bf118f51b67691a55b464f04452e5dc6fc https://git.kernel.org/stable/c/95cca255a7a5ad782639ff0298c2a486707d1046 https://git.kernel.org/stable/c/91a51d01be5c9f82c12c2921ca5cceaa31b67128 https://git.kernel.org/stable/c/6ef935e65902bfed53980ad2754b06a284ea8ac1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures. A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data. | 2026-01-14 | not yet calculated | CVE-2025-71113 | https://git.kernel.org/stable/c/e125c8e346e4eb7b3e854c862fcb4392bc13ddba https://git.kernel.org/stable/c/543bf004e4eafbb302b1e6c78570d425d2ca13a0 https://git.kernel.org/stable/c/f81244fd6b14fecfa93b66b6bb1d59f96554e550 https://git.kernel.org/stable/c/84238876e3b3b262cf62d5f4d1338e983fb27010 https://git.kernel.org/stable/c/5a4b65523608974a81edbe386f8a667a3e10c726 https://git.kernel.org/stable/c/51a5ab36084f3251ef87eda3e6a6236f6488925e https://git.kernel.org/stable/c/6f6e309328d53a10c0fe1f77dec2db73373179b6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register. However, the allocated resource was not given a name, which causes the kernel resource tree to contain an entry marked as "<BAD>" under /proc/iomem on x86 platforms. During boot, this unnamed resource can lead to a critical hang because subsequent resource lookups and conflict checks fail to handle the invalid entry properly. | 2026-01-14 | not yet calculated | CVE-2025-71114 | https://git.kernel.org/stable/c/1d56025a3af50db0f3da2792f41eb9943eee5324 https://git.kernel.org/stable/c/c7b986adc9e9336066350542ac5a2005d305ae78 https://git.kernel.org/stable/c/47c910965c936724070d2a8094a4c3ed8f452856 https://git.kernel.org/stable/c/d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d https://git.kernel.org/stable/c/f7b6370d0fbee06a867037d675797a606cb62e57 https://git.kernel.org/stable/c/c6a2dd4f2e4e6cbdfe7a1618160281af897b75db https://git.kernel.org/stable/c/7aa31ee9ec92915926e74731378c009c9cc04928 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: um: init cpu_tasks[] earlier This is currently done in uml_finishsetup(), but e.g. with KCOV enabled we'll crash because some init code can call into e.g. memparse(), which has coverage annotations, and then the checks in check_kcov_mode() crash because current is NULL. Simply initialize the cpu_tasks[] array statically, which fixes the crash. For the later SMP work, it seems to have not really caused any problems yet, but initialize all of the entries anyway. | 2026-01-14 | not yet calculated | CVE-2025-71115 | https://git.kernel.org/stable/c/dbbf6d47130674640cd12a0781a0fb2a575d0e44 https://git.kernel.org/stable/c/7b5d4416964c07c902163822a30a622111172b01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped. | 2026-01-14 | not yet calculated | CVE-2025-71116 | https://git.kernel.org/stable/c/d061be4c8040ffb1110d537654a038b8b6ad39d2 https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258 https://git.kernel.org/stable/c/c82e39ff67353a5a6cbc07b786b8690bd2c45aaa https://git.kernel.org/stable/c/e927ab132b87ba3f076705fc2684d94b24201ed1 https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957 https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125 https://git.kernel.org/stable/c/8c738512714e8c0aa18f8a10c072d5b01c83db39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: Remove queue freezing from several sysfs store callbacks Freezing the request queue from inside sysfs store callbacks may cause a deadlock in combination with the dm-multipath driver and the queue_if_no_path option. Additionally, freezing the request queue slows down system boot on systems where sysfs attributes are set synchronously. Fix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue() calls from the store callbacks that do not strictly need these callbacks. Add the __data_racy annotation to request_queue.rq_timeout to suppress KCSAN data race reports about the rq_timeout reads. This patch may cause a small delay in applying the new settings. For all the attributes affected by this patch, I/O will complete correctly whether the old or the new value of the attribute is used. This patch affects the following sysfs attributes: * io_poll_delay * io_timeout * nomerges * read_ahead_kb * rq_affinity Here is an example of a deadlock triggered by running test srp/002 if this patch is not applied: task:multipathd Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 schedule_preempt_disabled+0x1c/0x30 __mutex_lock+0xb89/0x1650 mutex_lock_nested+0x1f/0x30 dm_table_set_restrictions+0x823/0xdf0 __bind+0x166/0x590 dm_swap_table+0x2a7/0x490 do_resume+0x1b1/0x610 dev_suspend+0x55/0x1a0 ctl_ioctl+0x3a5/0x7e0 dm_ctl_ioctl+0x12/0x20 __x64_sys_ioctl+0x127/0x1a0 x64_sys_call+0xe2b/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> task:(udev-worker) Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 blk_mq_freeze_queue_wait+0xf2/0x140 blk_mq_freeze_queue_nomemsave+0x23/0x30 queue_ra_store+0x14e/0x290 queue_attr_store+0x23e/0x2c0 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3b2/0x630 vfs_write+0x4fd/0x1390 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x276/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> | 2026-01-14 | not yet calculated | CVE-2025-71117 | https://git.kernel.org/stable/c/3997b3147c7b68b0308378fa95a766015f8ceb1c https://git.kernel.org/stable/c/935a20d1bebf6236076785fac3ff81e3931834e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Namespace if start_node is NULL Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace if it is not there") fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed on Honor Magicbook 14 Pro [1]. That happens due to the access to the member of parent_node in acpi_ns_get_next_node(). The NULL pointer dereference will always happen, no matter whether or not the start_node is equal to ACPI_ROOT_OBJECT, so move the check of start_node being NULL out of the if block. Unfortunately, all the attempts to contact Honor have failed, they refused to provide any technical support for Linux. The bad DSDT table's dump could be found on GitHub [2]. DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025 [ rjw: Subject adjustment, changelog edits ] | 2026-01-14 | not yet calculated | CVE-2025-71118 | https://git.kernel.org/stable/c/b84edef48cc8afb41150949a87dcfa81bc95b53e https://git.kernel.org/stable/c/ecb296286c8787895625bd4c53e9478db4ae139c https://git.kernel.org/stable/c/7f9b951ed11842373851dd3c91860778356d62d3 https://git.kernel.org/stable/c/1bc34293dfbd266c29875206849b4f8e8177e6df https://git.kernel.org/stable/c/0d8bb08126920fd4b12dbf32d9250757c9064b36 https://git.kernel.org/stable/c/f91dad0a3b381244183ffbea4cec5a7a69d6f41e https://git.kernel.org/stable/c/9d6c58dae8f6590c746ac5d0012ffe14a77539f0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/kexec: Enable SMT before waking offline CPUs If SMT is disabled or a partial SMT state is enabled, when a new kernel image is loaded for kexec, on reboot the following warning is observed: kexec: Waking offline cpu 228. WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc [snip] NIP kexec_prepare_cpus+0x1b0/0x1bc LR kexec_prepare_cpus+0x1a0/0x1bc Call Trace: kexec_prepare_cpus+0x1a0/0x1bc (unreliable) default_machine_kexec+0x160/0x19c machine_kexec+0x80/0x88 kernel_kexec+0xd0/0x118 __do_sys_reboot+0x210/0x2c4 system_call_exception+0x124/0x320 system_call_vectored_common+0x15c/0x2ec This occurs as add_cpu() fails due to cpu_bootable() returning false for CPUs that fail the cpu_smt_thread_allowed() check or non primary threads if SMT is disabled. Fix the issue by enabling SMT and resetting the number of SMT threads to the number of threads per core, before attempting to wake up all present CPUs. | 2026-01-14 | not yet calculated | CVE-2025-71119 | https://git.kernel.org/stable/c/7cccd82a0e4aad192fd74fc60e61ed9aed5857a3 https://git.kernel.org/stable/c/d790ef0c4819424ee0c2f448c0a8154c5ca369d1 https://git.kernel.org/stable/c/f0c0a681ffb77b8c5290c88c02d968199663939b https://git.kernel.org/stable/c/0d5c9e901ad40bd39b38e119c0454b52d7663930 https://git.kernel.org/stable/c/c2296a1e42418556efbeb5636c4fa6aa6106713a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0. | 2026-01-14 | not yet calculated | CVE-2025-71120 | https://git.kernel.org/stable/c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810 https://git.kernel.org/stable/c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19 https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8 https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: parisc: Do not reprogram affinitiy on ASP chip The ASP chip is a very old variant of the GSP chip and is used e.g. in HP 730 workstations. When trying to reprogram the affinity it will crash with a HPMC as the relevant registers don't seem to be at the usual location. Let's avoid the crash by checking the sversion. Also note, that reprogramming isn't necessary either, as the HP730 is a just a single-CPU machine. | 2026-01-14 | not yet calculated | CVE-2025-71121 | https://git.kernel.org/stable/c/845a92b74cf7a730200532ecb4482981cec9d006 https://git.kernel.org/stable/c/7a146f34e5be96330467397c9fd9d3d851b2cbbe https://git.kernel.org/stable/c/4d0858bbeea12a50bfb32137f74d4b74917ebadd https://git.kernel.org/stable/c/e09fd2eb6d4c993ee9eaae556cb51e30ec1042df https://git.kernel.org/stable/c/60560d13ff368415c96a0c1247bea16d427c0641 https://git.kernel.org/stable/c/c8f810e20f4bbe50b49f73429d9fa6efad00623e https://git.kernel.org/stable/c/dca7da244349eef4d78527cafc0bf80816b261f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED syzkaller found it could overflow math in the test infrastructure and cause a WARN_ON by corrupting the reserved interval tree. This only effects test kernels with CONFIG_IOMMUFD_TEST. Validate the user input length in the test ioctl. | 2026-01-14 | not yet calculated | CVE-2025-71122 | https://git.kernel.org/stable/c/4cc829d61f10c20523fd4085c1546e741a792a97 https://git.kernel.org/stable/c/e6c122cffcbb2e84d321ec8ba0e38ce8e7c10925 https://git.kernel.org/stable/c/b166b8e0a381429fefd9180e67fbc834b3cee82f https://git.kernel.org/stable/c/e6a973af11135439de32ece3b9cbe3bfc043bea8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So if this happens, the following warning is observed: strnlen: detected buffer overflow: 65 byte read of buffer size 64 WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Modules linked in: CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Call Trace: <TASK> __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039 strnlen include/linux/fortify-string.h:235 [inline] sized_strscpy include/linux/fortify-string.h:309 [inline] parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline] __ext4_fill_super fs/ext4/super.c:5261 [inline] ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636 vfs_get_tree+0x93/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3553 [inline] path_mount+0x6ae/0x1f70 fs/namespace.c:3880 do_mount fs/namespace.c:3893 [inline] __do_sys_mount fs/namespace.c:4103 [inline] __se_sys_mount fs/namespace.c:4080 [inline] __x64_sys_mount+0x280/0x300 fs/namespace.c:4080 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2026-01-14 | not yet calculated | CVE-2025-71123 | https://git.kernel.org/stable/c/52ac96c4a2dd7bc47666000440b0602d9742e820 https://git.kernel.org/stable/c/6e37143560e37869d51b7d9e0ac61fc48895f8a0 https://git.kernel.org/stable/c/902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc https://git.kernel.org/stable/c/db9ee13fab0267eccf6544ee35b16c9522db9aac https://git.kernel.org/stable/c/5bbacbbf1ca4419861dca3c6b82707c10e9c021c https://git.kernel.org/stable/c/ee5a977b4e771cc181f39d504426dbd31ed701cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: move preempt_prepare_postamble after error check Move the call to preempt_prepare_postamble() after verifying that preempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL, dereferencing it in preempt_prepare_postamble() would lead to a crash. This change avoids calling the preparation function when the postamble allocation has failed, preventing potential NULL pointer dereference and ensuring proper error handling. Patchwork: https://patchwork.freedesktop.org/patch/687659/ | 2026-01-14 | not yet calculated | CVE-2025-71124 | https://git.kernel.org/stable/c/2c46497eb148ec61909f4101b8443f3c4c2daaec https://git.kernel.org/stable/c/ef3b04091fd8bc737dc45312375df8625b8318e2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupported perf events Synthetic events currently do not have a function to register perf events. This leads to calling the tracepoint register functions with a NULL function pointer which triggers: ------------[ cut here ]------------ WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272 Modules linked in: kvm_intel kvm irqbypass CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:tracepoint_add_func+0x357/0x370 Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246 RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000 RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8 RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780 R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78 FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0 Call Trace: <TASK> tracepoint_probe_register+0x5d/0x90 synth_event_reg+0x3c/0x60 perf_trace_event_init+0x204/0x340 perf_trace_init+0x85/0xd0 perf_tp_event_init+0x2e/0x50 perf_try_init_event+0x6f/0x230 ? perf_event_alloc+0x4bb/0xdc0 perf_event_alloc+0x65a/0xdc0 __se_sys_perf_event_open+0x290/0x9f0 do_syscall_64+0x93/0x7b0 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ? trace_hardirqs_off+0x53/0xc0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Instead, have the code return -ENODEV, which doesn't warn and has perf error out with: # perf record -e synthetic:futex_wait Error: The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait). "dmesg | grep -i perf" may provide additional information. Ideally perf should support synthetic events, but for now just fix the warning. The support can come later. | 2026-01-14 | not yet calculated | CVE-2025-71125 | https://git.kernel.org/stable/c/6819bc6285c0ff835f67cfae7efebc03541782f6 https://git.kernel.org/stable/c/6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc https://git.kernel.org/stable/c/f7305697b60d79bc69c0a6e280fc931b4e8862dd https://git.kernel.org/stable/c/65b1971147ec12f0b1cee0811c859a3d7d9b04ce https://git.kernel.org/stable/c/3437c775bf209c674ad66304213b6b3c3b1b3f69 https://git.kernel.org/stable/c/6df47e5bb9b62d72f186f826ab643ea1856877c7 https://git.kernel.org/stable/c/ef7f38df890f5dcd2ae62f8dbde191d72f3bebae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: avoid deadlock on fallback while reinjecting Jakub reported an MPTCP deadlock at fallback time: WARNING: possible recursive locking detected 6.18.0-rc7-virtme #1 Not tainted -------------------------------------------- mptcp_connect/20858 is trying to acquire lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280 but task is already holding lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&msk->fallback_lock); lock(&msk->fallback_lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by mptcp_connect/20858: #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0 #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0 #2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 stack backtrace: CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full) Hardware name: Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_deadlock_bug.cold+0xc0/0xcd validate_chain+0x2ff/0x5f0 __lock_acquire+0x34c/0x740 lock_acquire.part.0+0xbc/0x260 _raw_spin_lock_bh+0x38/0x50 __mptcp_try_fallback+0xd8/0x280 mptcp_sendmsg_frag+0x16c2/0x3050 __mptcp_retrans+0x421/0xaa0 mptcp_release_cb+0x5aa/0xa70 release_sock+0xab/0x1d0 mptcp_sendmsg+0xd5b/0x1bc0 sock_write_iter+0x281/0x4d0 new_sync_write+0x3c5/0x6f0 vfs_write+0x65e/0xbb0 ksys_write+0x17e/0x200 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fa5627cbc5e Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005 RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920 R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c The packet scheduler could attempt a reinjection after receiving an MP_FAIL and before the infinite map has been transmitted, causing a deadlock since MPTCP needs to do the reinjection atomically from WRT fallback. Address the issue explicitly avoiding the reinjection in the critical scenario. Note that this is the only fallback critical section that could potentially send packets and hit the double-lock. | 2026-01-14 | not yet calculated | CVE-2025-71126 | https://git.kernel.org/stable/c/0107442e82c0f8d6010e07e6030741c59c520d6e https://git.kernel.org/stable/c/252892d5a6a2f163ce18f32716e46fa4da7d4e79 https://git.kernel.org/stable/c/0ca9fb4335e726dab4f23b3bfe87271d8f005f41 https://git.kernel.org/stable/c/50f47c02be419bf0a3ae94c118addf67beef359f https://git.kernel.org/stable/c/ffb8c27b0539dd90262d1021488e7817fae57c42 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon frames to non-broadcast address Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame shall be set to the broadcast address"). A unicast Beacon frame might be used as a targeted attack to get one of the associated STAs to do something (e.g., using CSA to move it to another channel). As such, it is better have strict filtering for this on the received side and discard all Beacon frames that are sent to an unexpected address. This is even more important for cases where beacon protection is used. The current implementation in mac80211 is correctly discarding unicast Beacon frames if the Protected Frame bit in the Frame Control field is set to 0. However, if that bit is set to 1, the logic used for checking for configured BIGTK(s) does not actually work. If the driver does not have logic for dropping unicast Beacon frames with Protected Frame bit 1, these frames would be accepted in mac80211 processing as valid Beacon frames even though they are not protected. This would allow beacon protection to be bypassed. While the logic for checking beacon protection could be extended to cover this corner case, a more generic check for discard all Beacon frames based on A1=unicast address covers this without needing additional changes. Address all these issues by dropping received Beacon frames if they are sent to a non-broadcast address. | 2026-01-14 | not yet calculated | CVE-2025-71127 | https://git.kernel.org/stable/c/be0974be5c42584e027883ac2af7dab5e950098c https://git.kernel.org/stable/c/0a59a3895f804469276d188effa511c72e752f35 https://git.kernel.org/stable/c/88aab153d1528bc559292a12fb5105ee97528e1f https://git.kernel.org/stable/c/6e5bff40bb38741e40c33043ba0816fba5f93661 https://git.kernel.org/stable/c/7b240a8935d554ad36a52c2c37c32039f9afaef2 https://git.kernel.org/stable/c/a21704df4024708be698fb3fd5830d5b113b70e0 https://git.kernel.org/stable/c/193d18f60588e95d62e0f82b6a53893e5f2f19f8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erspan: Initialize options_len before referencing options. The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. After scanning through the files that use struct ip_tunnel_info and also refer to options or options_len, it appears the normal case is to use the ip_tunnel_info_opts_set() helper. Said helper would initialize options_len properly before copying data into options, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Reported-at: https://launchpad.net/bugs/2129580 | 2026-01-14 | not yet calculated | CVE-2025-71128 | https://git.kernel.org/stable/c/b282b2a9eed848587c1348abdd5d83fa346a2743 https://git.kernel.org/stable/c/35ddf66c65eff93fff91406756ba273600bf61a3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Sign extend kfunc call arguments The kfunc calls are native calls so they should follow LoongArch calling conventions. Sign extend its arguments properly to avoid kernel panic. This is done by adding a new emit_abi_ext() helper. The emit_abi_ext() helper performs extension in place meaning a value already store in the target register (Note: this is different from the existing sign_extend() helper and thus we can't reuse it). | 2026-01-14 | not yet calculated | CVE-2025-71129 | https://git.kernel.org/stable/c/fd43edf357a3a1f5ed1c4bf450b60001c9091c39 https://git.kernel.org/stable/c/0d666db731e95890e0eda7ea61bc925fd2be90c6 https://git.kernel.org/stable/c/321993a874f571a94b5a596f1132f798c663b56e https://git.kernel.org/stable/c/3f5a238f24d7b75f9efe324d3539ad388f58536e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Initialize the eb.vma array with values of 0 when the eb structure is first set up. In particular, this sets the eb->vma[i].vma pointers to NULL, simplifying cleanup and getting rid of the bug described below. During the execution of eb_lookup_vmas(), the eb->vma array is successively filled up with struct eb_vma objects. This process includes calling eb_add_vma(), which might fail; however, even in the event of failure, eb->vma[i].vma is set for the currently processed buffer. If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which prompts a call to eb_release_vmas() to clean up the mess. Since eb_lookup_vmas() might fail during processing any (possibly not first) buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know at what point did the lookup function fail. In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is set to NULL in case i915_gem_object_userptr_submit_init() fails; the current one needs to be cleaned up by eb_release_vmas() at this point, so the next one is set. If eb_add_vma() fails, neither the current nor the next vma is set to NULL, which is a source of a NULL deref bug described in the issue linked in the Closes tag. When entering eb_lookup_vmas(), the vma pointers are set to the slab poison value, instead of NULL. This doesn't matter for the actual lookup, since it gets overwritten anyway, however the eb_release_vmas() function only recognizes NULL as the stopping value, hence the pointers are being set to NULL as they go in case of intermediate failure. This patch changes the approach to filling them all with NULL at the start instead, rather than handling that manually during failure. (cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd) | 2026-01-14 | not yet calculated | CVE-2025-71130 | https://git.kernel.org/stable/c/25d69e07770745992387c016613fd7ac8eaf9893 https://git.kernel.org/stable/c/0336188cc85d0eab8463bd1bbd4ded4e9602de8b https://git.kernel.org/stable/c/24d55ac8e31d2f8197bfad71ffcb3bae21ed7117 https://git.kernel.org/stable/c/63f23aa2fbb823c8b15a29269fde220d227ce5b3 https://git.kernel.org/stable/c/4fe2bd195435e71c117983d87f278112c5ab364c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid. Instead of checking req->iv against info, create a new variable unaligned_info and use it for that purpose instead. | 2026-01-14 | not yet calculated | CVE-2025-71131 | https://git.kernel.org/stable/c/18202537856e0fae079fed2c9308780bcff2bb9d https://git.kernel.org/stable/c/baf0e2d1e03ddb04781dfe7f22a654d3611f69b2 https://git.kernel.org/stable/c/50f196d2bbaee4ab2494bb1b0d294deba292951a https://git.kernel.org/stable/c/0279978adec6f1296af66b642cce641c6580be46 https://git.kernel.org/stable/c/ccbb96434d88e32358894c879457b33f7508e798 https://git.kernel.org/stable/c/5476f7f8a311236604b78fcc5b2a63b3a61b0169 https://git.kernel.org/stable/c/50fdb78b7c0bcc550910ef69c0984e751cac72fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smc91x: fix broken irq-context in PREEMPT_RT When smc91x.c is built with PREEMPT_RT, the following splat occurs in FVP_RevC: [ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 [ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] [ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work [ 13.062266] C ** replaying previous printk message ** [ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)} [ 13.062353] Hardware name: , BIOS [ 13.062382] Workqueue: mld mld_ifc_work [ 13.062469] Call trace: [ 13.062494] show_stack+0x24/0x40 (C) [ 13.062602] __dump_stack+0x28/0x48 [ 13.062710] dump_stack_lvl+0x7c/0xb0 [ 13.062818] dump_stack+0x18/0x34 [ 13.062926] process_scheduled_works+0x294/0x450 [ 13.063043] worker_thread+0x260/0x3d8 [ 13.063124] kthread+0x1c4/0x228 [ 13.063235] ret_from_fork+0x10/0x20 This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, but smc_special_unlock() does not restore IRQs on PREEMPT_RT. The reason is that smc_special_unlock() calls spin_unlock_irqrestore(), and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero. To address this issue, replace smc_special_trylock() with spin_trylock_irqsave(). | 2026-01-14 | not yet calculated | CVE-2025-71132 | https://git.kernel.org/stable/c/1c4cb705e733250d13243f6a69b8b5a92e39b9f6 https://git.kernel.org/stable/c/9d222141b00156509d67d80c771fbefa92c43ace https://git.kernel.org/stable/c/ef277ae121b3249c99994652210a326b52d527b0 https://git.kernel.org/stable/c/36561b86cb2501647662cfaf91286dd6973804a6 https://git.kernel.org/stable/c/b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3 https://git.kernel.org/stable/c/6402078bd9d1ed46e79465e1faaa42e3458f8a33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read in irdma_net_event irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. Other events come with different structures pointed to by "ptr" and they may be smaller than struct neighbour. Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case. The bug is mostly harmless, but it triggers KASAN on debug kernels: BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 Hardware name: [...] Workqueue: events rt6_probe_deferred Call Trace: <IRQ> dump_stack_lvl+0x60/0xb0 print_address_description.constprop.0+0x2c/0x3f0 print_report+0xb4/0x270 kasan_report+0x92/0xc0 irdma_net_event+0x32e/0x3b0 [irdma] notifier_call_chain+0x9e/0x180 atomic_notifier_call_chain+0x5c/0x110 rt6_do_redirect+0xb91/0x1080 tcp_v6_err+0xe9b/0x13e0 icmpv6_notify+0x2b2/0x630 ndisc_redirect_rcv+0x328/0x530 icmpv6_rcv+0xc16/0x1360 ip6_protocol_deliver_rcu+0xb84/0x12e0 ip6_input_finish+0x117/0x240 ip6_input+0xc4/0x370 ipv6_rcv+0x420/0x7d0 __netif_receive_skb_one_core+0x118/0x1b0 process_backlog+0xd1/0x5d0 __napi_poll.constprop.0+0xa3/0x440 net_rx_action+0x78a/0xba0 handle_softirqs+0x2d4/0x9c0 do_softirq+0xad/0xe0 </IRQ> | 2026-01-14 | not yet calculated | CVE-2025-71133 | https://git.kernel.org/stable/c/db93ae6fa66f1c61ae63400191195e3ee58021da https://git.kernel.org/stable/c/305c02e541befe4a44ffde30ed374970f41aeb6c https://git.kernel.org/stable/c/fc23d05f0b3fb4d80657e7afebae2cae686b31c8 https://git.kernel.org/stable/c/bf197c7c79ef6458d1ee84dd7db251b51784885f https://git.kernel.org/stable/c/d9b9affd103f51b42322da4ed5ac025b560bc354 https://git.kernel.org/stable/c/6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: change all pageblocks migrate type on coalescing When a page is freed it coalesces with a buddy into a higher order page while possible. When the buddy page migrate type differs, it is expected to be updated to match the one of the page being freed. However, only the first pageblock of the buddy page is updated, while the rest of the pageblocks are left unchanged. That causes warnings in later expand() and other code paths (like below), since an inconsistency between migration type of the list containing the page and the page-owned pageblocks migration types is introduced. [ 308.986589] ------------[ cut here ]------------ [ 308.987227] page type is 0, passed migratetype is 1 (nr=256) [ 308.987275] WARNING: CPU: 1 PID: 5224 at mm/page_alloc.c:812 expand+0x23c/0x270 [ 308.987293] Modules linked in: algif_hash(E) af_alg(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) nf_tables(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) drm(E) i2c_core(E) drm_panel_orientation_quirks(E) loop(E) nfnetlink(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vsock(E) ctcm(E) fsm(E) diag288_wdt(E) watchdog(E) zfcp(E) scsi_transport_fc(E) ghash_s390(E) prng(E) aes_s390(E) des_generic(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha_common(E) paes_s390(E) crypto_engine(E) pkey_cca(E) pkey_ep11(E) zcrypt(E) rng_core(E) pkey_pckmo(E) pkey(E) autofs4(E) [ 308.987439] Unloaded tainted modules: hmac_s390(E):2 [ 308.987650] CPU: 1 UID: 0 PID: 5224 Comm: mempig_verify Kdump: loaded Tainted: G E 6.18.0-gcc-bpf-debug #431 PREEMPT [ 308.987657] Tainted: [E]=UNSIGNED_MODULE [ 308.987661] Hardware name: IBM 3906 M04 704 (z/VM 7.3.0) [ 308.987666] Krnl PSW : 0404f00180000000 00000349976fa600 (expand+0x240/0x270) [ 308.987676] R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3 [ 308.987682] Krnl GPRS: 0000034980000004 0000000000000005 0000000000000030 000003499a0e6d88 [ 308.987688] 0000000000000005 0000034980000005 000002be803ac000 0000023efe6c8300 [ 308.987692] 0000000000000008 0000034998d57290 000002be00000100 0000023e00000008 [ 308.987696] 0000000000000000 0000000000000000 00000349976fa5fc 000002c99b1eb6f0 [ 308.987708] Krnl Code: 00000349976fa5f0: c020008a02f2 larl %r2,000003499883abd4 00000349976fa5f6: c0e5ffe3f4b5 brasl %r14,0000034997378f60 #00000349976fa5fc: af000000 mc 0,0 >00000349976fa600: a7f4ff4c brc 15,00000349976fa498 00000349976fa604: b9040026 lgr %r2,%r6 00000349976fa608: c0300088317f larl %r3,0000034998800906 00000349976fa60e: c0e5fffdb6e1 brasl %r14,00000349976b13d0 00000349976fa614: af000000 mc 0,0 [ 308.987734] Call Trace: [ 308.987738] [<00000349976fa600>] expand+0x240/0x270 [ 308.987744] ([<00000349976fa5fc>] expand+0x23c/0x270) [ 308.987749] [<00000349976ff95e>] rmqueue_bulk+0x71e/0x940 [ 308.987754] [<00000349976ffd7e>] __rmqueue_pcplist+0x1fe/0x2a0 [ 308.987759] [<0000034997700966>] rmqueue.isra.0+0xb46/0xf40 [ 308.987763] [<0000034997703ec8>] get_page_from_freelist+0x198/0x8d0 [ 308.987768] [<0000034997706fa8>] __alloc_frozen_pages_noprof+0x198/0x400 [ 308.987774] [<00000349977536f8>] alloc_pages_mpol+0xb8/0x220 [ 308.987781] [<0000034997753bf6>] folio_alloc_mpol_noprof+0x26/0xc0 [ 308.987786] [<0000034997753e4c>] vma_alloc_folio_noprof+0x6c/0xa0 [ 308.987791] [<0000034997775b22>] vma_alloc_anon_folio_pmd+0x42/0x240 [ 308.987799] [<000003499777bfea>] __do_huge_pmd_anonymous_page+0x3a/0x210 [ 308.987804] [<00000349976cb0 ---truncated--- | 2026-01-14 | not yet calculated | CVE-2025-71134 | https://git.kernel.org/stable/c/914769048818021556c940b9163e8056be9507dd https://git.kernel.org/stable/c/a794d65b132107a085d165caba33aae1101316a5 https://git.kernel.org/stable/c/7838a4eb8a1d23160bd3f588ea7f2b8f7c00c55b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() The variable mddev->private is first assigned to conf and then checked: conf = mddev->private; if (!conf) ... If conf is NULL, then mddev->private is also NULL. In this case, null-pointer dereferences can occur when calling raid5_quiesce(): raid5_quiesce(mddev, true); raid5_quiesce(mddev, false); since mddev->private is assigned to conf again in raid5_quiesce(), and conf is dereferenced in several places, for example: conf->quiesce = 0; wake_up(&conf->wait_for_quiescent); To fix this issue, the function should unlock mddev and return before invoking raid5_quiesce() when conf is NULL, following the existing pattern in raid5_change_consistency_policy(). | 2026-01-14 | not yet calculated | CVE-2025-71135 | https://git.kernel.org/stable/c/20597b7229aea8b5bc45cd92097640257c7fc33b https://git.kernel.org/stable/c/e5abb6af905de6b2fead8a0b3f32ab0b81468a01 https://git.kernel.org/stable/c/7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it's needed. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-14 | not yet calculated | CVE-2025-71136 | https://git.kernel.org/stable/c/f81ee181cb036d046340c213091b69d9a8701a76 https://git.kernel.org/stable/c/f913b9a2ccd6114b206b9e91dae5e3dc13a415a0 https://git.kernel.org/stable/c/d6a22a4a96e4dfe6897cb3532d2b3016d87706f0 https://git.kernel.org/stable/c/a73881ae085db5702d8b13e2fc9f78d51c723d3f https://git.kernel.org/stable/c/60dde0960e3ead8a9569f6c494d90d0232ac0983 https://git.kernel.org/stable/c/b693d48a6ed0cd09171103ad418e4a693203d6e4 https://git.kernel.org/stable/c/8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users passes small or zero ring sizes via ethtool -G. | 2026-01-14 | not yet calculated | CVE-2025-71137 | https://git.kernel.org/stable/c/5d8dfa3abb9a845302e021cf9c92d941abbc011a https://git.kernel.org/stable/c/4cc4cfe4d23c883120b6f3d41145edbaa281f2ab https://git.kernel.org/stable/c/658caf3b8aad65f8b8e102670ca4f68c7030f655 https://git.kernel.org/stable/c/b23a2e15589466a027c9baa3fb5813c9f6a6c6dc https://git.kernel.org/stable/c/aa743b0d98448282b2cb37356db8db2a48524624 https://git.kernel.org/stable/c/442848e457f5a9f71a4e7e14d24d73dae278ebe3 https://git.kernel.org/stable/c/85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL pointer check for pingpong interface It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing. Also use convenient locals instead of phys_enc->* where available. Patchwork: https://patchwork.freedesktop.org/patch/693860/ | 2026-01-14 | not yet calculated | CVE-2025-71138 | https://git.kernel.org/stable/c/678d1c86566dfbb247ba25482d37fddde6140cc9 https://git.kernel.org/stable/c/471baae774a30a04cf066907b60eaf3732928cb7 https://git.kernel.org/stable/c/35ea3282136a630a3fd92b76f5a3a02651145ef1 https://git.kernel.org/stable/c/88733a0b64872357e5ecd82b7488121503cb9cc6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kernel/kexec: fix IMA when allocation happens in CMA area *** Bug description *** When I tested kexec with the latest kernel, I ran into the following warning: [ 40.712410] ------------[ cut here ]------------ [ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198 [...] [ 40.816047] Call trace: [ 40.818498] kimage_map_segment+0x144/0x198 (P) [ 40.823221] ima_kexec_post_load+0x58/0xc0 [ 40.827246] __do_sys_kexec_file_load+0x29c/0x368 [...] [ 40.855423] ---[ end trace 0000000000000000 ]--- *** How to reproduce *** This bug is only triggered when the kexec target address is allocated in the CMA area. If no CMA area is reserved in the kernel, use the "cma=" option in the kernel command line to reserve one. *** Root cause *** The commit 07d24902977e ("kexec: enable CMA based contiguous allocation") allocates the kexec target address directly on the CMA area to avoid copying during the jump. In this case, there is no IND_SOURCE for the kexec segment. But the current implementation of kimage_map_segment() assumes that IND_SOURCE pages exist and map them into a contiguous virtual address by vmap(). *** Solution *** If IMA segment is allocated in the CMA area, use its page_address() directly. | 2026-01-14 | not yet calculated | CVE-2025-71139 | https://git.kernel.org/stable/c/a843e4155c83211c55b1b6cc17eab27a6a2c5b6f https://git.kernel.org/stable/c/a3785ae5d334bb71d47a593d54c686a03fb9d136 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler. Turns out on the MT8173, the VPU IPI handler is called from hard IRQ context. This causes a big warning from the scheduler. This was first reported downstream on the ChromeOS kernels, but is also reproducible on mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though the actual capture format is not supported, the affected code paths are triggered. Since this lock just protects the context list and operations on it are very fast, it should be OK to switch to a spinlock. | 2026-01-14 | not yet calculated | CVE-2025-71140 | https://git.kernel.org/stable/c/2c1ea6214827041f548279c9eda341eda0cc8351 https://git.kernel.org/stable/c/b92c19675f632a41af1222027a231bc2b7efa7ed https://git.kernel.org/stable/c/3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1 https://git.kernel.org/stable/c/a5844227e0f030d2af2d85d4aed10c5eca6ca176 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tilcdc: Fix removal actions in case of failed probe The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warnings during probe deferral scenarios. [ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68 ... [ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108 [ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8 [ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144 [ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc] [ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc] Fix this by rewriting the failed probe cleanup path using the standard goto error handling pattern, which ensures that cleanup functions are only called on successfully initialized resources. Additionally, remove the now-unnecessary is_registered flag. | 2026-01-14 | not yet calculated | CVE-2025-71141 | https://git.kernel.org/stable/c/21e52dc7762908c3d499cfb493d1b8281fc1d3ab https://git.kernel.org/stable/c/71be8825e83c90c1e020feb77b29e6a99629e642 https://git.kernel.org/stable/c/a585c7ef9cabda58088916baedc6573e9a5cd2a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpuset: fix warning when disabling remote partition A warning was triggered as follows: WARNING: kernel/cgroup/cpuset.c:1651 at remote_partition_disable+0xf7/0x110 RIP: 0010:remote_partition_disable+0xf7/0x110 RSP: 0018:ffffc90001947d88 EFLAGS: 00000206 RAX: 0000000000007fff RBX: ffff888103b6e000 RCX: 0000000000006f40 RDX: 0000000000006f00 RSI: ffffc90001947da8 RDI: ffff888103b6e000 RBP: ffff888103b6e000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: ffff88810b2e2728 R12: ffffc90001947da8 R13: 0000000000000000 R14: ffffc90001947da8 R15: ffff8881081f1c00 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f55c8bbe0b2 CR3: 000000010b14c000 CR4: 00000000000006f0 Call Trace: <TASK> update_prstate+0x2d3/0x580 cpuset_partition_write+0x94/0xf0 kernfs_fop_write_iter+0x147/0x200 vfs_write+0x35d/0x500 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f55c8cd4887 Reproduction steps (on a 16-CPU machine): # cd /sys/fs/cgroup/ # mkdir A1 # echo +cpuset > A1/cgroup.subtree_control # echo "0-14" > A1/cpuset.cpus.exclusive # mkdir A1/A2 # echo "0-14" > A1/A2/cpuset.cpus.exclusive # echo "root" > A1/A2/cpuset.cpus.partition # echo 0 > /sys/devices/system/cpu/cpu15/online # echo member > A1/A2/cpuset.cpus.partition When CPU 15 is offlined, subpartitions_cpus gets cleared because no CPUs remain available for the top_cpuset, forcing partitions to share CPUs with the top_cpuset. In this scenario, disabling the remote partition triggers a warning stating that effective_xcpus is not a subset of subpartitions_cpus. Partitions should be invalidated in this case to inform users that the partition is now invalid(cpus are shared with top_cpuset). To fix this issue: 1. Only emit the warning only if subpartitions_cpus is not empty and the effective_xcpus is not a subset of subpartitions_cpus. 2. During the CPU hotplug process, invalidate partitions if subpartitions_cpus is empty. | 2026-01-14 | not yet calculated | CVE-2025-71142 | https://git.kernel.org/stable/c/5d8b9d38a7676be7bb5e7d57f92156a98dab39fb https://git.kernel.org/stable/c/aa7d3a56a20f07978d9f401e13637a6479b13bd0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: Assign .num before accessing .hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds. As noted in that change, the __counted_by member must be initialized with the number of elements before the first array access happens, otherwise there will be a warning from each access prior to the initialization because the number of elements is zero. This occurs in exynos_clkout_probe() due to .num being assigned after .hws[] has been accessed: UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18 index 0 is out of range for type 'clk_hw *[*]' Move the .num initialization to before the first access of .hws[], clearing up the warning. | 2026-01-14 | not yet calculated | CVE-2025-71143 | https://git.kernel.org/stable/c/fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236 https://git.kernel.org/stable/c/eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0 https://git.kernel.org/stable/c/a317f63255ebc3dac378c79c5bff4f8d0561c290 https://git.kernel.org/stable/c/cf33f0b7df13685234ccea7be7bfe316b60db4db |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on disconnect() After the blamed commit below, if the MPC subflow is already in TCP_CLOSE status or has fallback to TCP at mptcp_disconnect() time, mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later __mptcp_close_ssk() does not reset anymore the related subflow context. Any later connection will be created with both the `request_mptcp` flag and the msk-level fallback status off (it is unconditionally cleared at MPTCP disconnect time), leading to a warning in subflow_data_ready(): WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Modules linked in: CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary) Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09 RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435 RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005 RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0 Call Trace: <TASK> tcp_data_ready (net/ipv4/tcp_input.c:5356) tcp_data_queue (net/ipv4/tcp_input.c:5445) tcp_rcv_state_process (net/ipv4/tcp_input.c:7165) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955) __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6)) release_sock (net/core/sock.c:3737) mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857) inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7)) __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15)) __x64_sys_sendto (net/socket.c:2247) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f883326702d Address the issue setting an explicit `fastclosing` flag at fastclose time, and checking such flag after mptcp_do_fastclose(). | 2026-01-14 | not yet calculated | CVE-2025-71144 | https://git.kernel.org/stable/c/5c7c7135468f3fc6379cde9777a2c18bfe92d82f https://git.kernel.org/stable/c/1c7c3a9314d8a7fc0e9a508606466a967c8e774a https://git.kernel.org/stable/c/f1a77dfc3b045c3dd5f6e64189b9f52b90399f07 https://git.kernel.org/stable/c/86730ac255b0497a272704de9a1df559f5d6602e |
| Ludashi--Ludashi | A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. The handler maps arbitrary physical memory via MmMapIoSpace and copies data back to user mode without verifying the caller's privileges or the target address range. This allows unprivileged users to read arbitrary physical memory, potentially exposing kernel data structures, kernel pointers, security tokens, and other sensitive information. This vulnerability can be further exploited to bypass the Kernel Address Space Layout Rules (KASLR) and achieve local privilege escalation. | 2026-01-15 | not yet calculated | CVE-2025-67246 | http://ludashi.com https://github.com/CDipper/CVE-Publication |
| LycheeOrg--Lychee | Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0. | 2026-01-12 | not yet calculated | CVE-2026-22784 | https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-jj56-2c54-4f25 https://github.com/LycheeOrg/Lychee/commit/f021a29f9ab2bafa81d9f5e32ff5bc89915c7d41 |
| maximmasiutin--TinyWeb | TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98. | 2026-01-12 | not yet calculated | CVE-2026-22781 | https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2 https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96 https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html |
| MCP Server--Zen | A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system directories. Attackers can bypass these restrictions by accessing subdirectories of blacklisted paths. | 2026-01-12 | not yet calculated | CVE-2025-66689 | https://github.com/BeehiveInnovations/zen-mcp-server/issues/293 https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-66689.md |
| metabase--metabase | Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1. | 2026-01-12 | not yet calculated | CVE-2026-22805 | https://github.com/metabase/metabase/security/advisories/GHSA-2wgg-7r2p-cmqx |
| Microsoft--Microsoft Edge (Chromium-based) | Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non‑administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem. This allows a non‑administrator to enable or disable Windows Virtualization‑Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor‑protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass. | 2026-01-16 | not yet calculated | CVE-2026-21223 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
| Mini Router--Italy Wireless | A Stored Cross-Site Scripting (XSS) vulnerability in Web management interface in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to execute arbitrary scripts via a crafted payload due to unsanitized repeater AP SSID value when is displayed in any page at /index.htm. | 2026-01-15 | not yet calculated | CVE-2025-65349 | https://imgur.com/a/X9DNOBj https://github.com/5ulfur/security-advisories/tree/main/CVE-2025-65349 |
| Mitel MiVoice--Mitel MiVoice | A vulnerability in the Provisioning Manager component of Mitel MiVoice MX-ONE 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication mechanisms. A successful exploit could allow an attacker to gain unauthorized access to user or admin accounts in the system. | 2026-01-15 | not yet calculated | CVE-2025-67822 | https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009 |
| Mitel--Mitel | A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim's browser or desktop client application. | 2026-01-15 | not yet calculated | CVE-2025-67823 | https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0010 |
| mlflow--mlflow/mlflow | MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0. | 2026-01-12 | not yet calculated | CVE-2025-14279 | https://huntr.com/bounties/ef478f72-2e4f-44dc-8055-fc06bef03108 https://github.com/mlflow/mlflow/commit/b0ffd289e9b0d0cc32c9e3a9b9f3843ae83dbec3 |
| Mozilla--Firefox | Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0877 | https://bugzilla.mozilla.org/show_bug.cgi?id=1999257 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0878 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003989 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0879 | https://bugzilla.mozilla.org/show_bug.cgi?id=2004602 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0880 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005014 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape in the Messaging System component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0881 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005845 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla--Firefox | Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0882 | https://bugzilla.mozilla.org/show_bug.cgi?id=1924125 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0883 | https://bugzilla.mozilla.org/show_bug.cgi?id=1989340 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0884 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003588 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0885 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003607 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0886 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005658 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0887 | https://bugzilla.mozilla.org/show_bug.cgi?id=2006500 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Information disclosure in the XML component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0888 | https://bugzilla.mozilla.org/show_bug.cgi?id=1985996 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla--Firefox | Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0889 | https://bugzilla.mozilla.org/show_bug.cgi?id=1999084 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla--Firefox | Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0890 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005081 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0891 | Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0892 | Memory safety bugs fixed in Firefox 147 and Thunderbird 147 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| nanomq--nanomq | An issue in nanomq v0.22.7 allows attackers to cause a Denial of Service (DoS) via a crafted request. The number of data packets received in the recv-q queue of the Nanomq process continues to increase, causing the nanomq broker to fall into a deadlock and be unable to provide normal services. | 2026-01-15 | not yet calculated | CVE-2024-48077 | https://github.com/nanomq/nanomq https://gist.github.com/pengwGit/2379e7a8fe75d09621f7c060db0237c4 |
| NAVER--lucy-xss-filter | lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension. | 2026-01-16 | not yet calculated | CVE-2026-23768 | https://cve.naver.com/detail/cve-2026-23768.html https://github.com/naver/lucy-xss-filter/pull/31 |
| NAVER--lucy-xss-filter | lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files. | 2026-01-16 | not yet calculated | CVE-2026-23769 | https://cve.naver.com/detail/cve-2026-23769.html https://github.com/naver/lucy-xss-filter/pull/32 |
| Neoteroi--BlackSheep | BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers.The server part is not affected because BlackSheep delegates to an underlying ASGI server handling of response headers. This vulnerability is fixed in 2.4.6. | 2026-01-14 | not yet calculated | CVE-2026-22779 | https://github.com/Neoteroi/BlackSheep/security/advisories/GHSA-6pw3-h7xf-x4gp https://github.com/Neoteroi/BlackSheep/commit/bd4ecb9542b5d52442276b5a6907931b90f38d12 https://github.com/Neoteroi/BlackSheep/releases/tag/v2.4.6 |
| NETAPP--ONTAP 9 | ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none. | 2026-01-12 | not yet calculated | CVE-2026-22050 | https://security.netapp.com/advisory/NTAP-20260112-0001 |
| NETGEAR--EX5000 | An insufficient authentication vulnerability in NETGEAR WiFi range extenders allows a network adjacent attacker with WiFi authentication or a physical Ethernet port connection to bypass the authentication process and access the admin panel. | 2026-01-13 | not yet calculated | CVE-2026-0407 | https://www.netgear.com/support/product/ex5000 https://www.netgear.com/support/product/ex3110 https://www.netgear.com/support/product/ex6110 https://www.netgear.com/support/product/ex2800 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--EX5000 | A path traversal vulnerability in NETGEAR WiFi range extenders allows an attacker with LAN authentication to access the router's IP and review the contents of the dynamically generated webproc file, which records the username and password submitted to the router GUI. | 2026-01-13 | not yet calculated | CVE-2026-0408 | https://www.netgear.com/support/product/ex5000 https://www.netgear.com/support/product/ex3110 https://www.netgear.com/support/product/ex6110 https://www.netgear.com/support/product/ex2800 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--RBE970 | An authentication bypass vulnerability in NETGEAR Orbi devices allows users connected to the local network to access the router web interface as an admin. | 2026-01-13 | not yet calculated | CVE-2026-0405 | https://www.netgear.com/support/product/rbe971 https://www.netgear.com/support/product/rbe970 https://www.netgear.com/support/product/cbr750 https://www.netgear.com/support/product/nbr750 https://www.netgear.com/support/product/rbe770 https://www.netgear.com/support/product/rbe771 https://www.netgear.com/support/product/rbe772 https://www.netgear.com/support/product/rbe773 https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbr840 https://www.netgear.com/support/product/rbs840 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://www.netgear.com/support/product/rbre950 https://www.netgear.com/support/product/rbse950 https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbe370 https://www.netgear.com/support/product/rbe371 https://www.netgear.com/support/product/rbe372 https://www.netgear.com/support/product/rbe373 https://www.netgear.com/support/product/rbe374 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--RBR750 | An insufficient input validation vulnerability in NETGEAR Orbi routers allows attackers connected to the router's LAN to execute OS command injections. | 2026-01-13 | not yet calculated | CVE-2026-0403 | https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbe971 https://www.netgear.com/support/product/rbe970 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--RBRE960 | An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default. | 2026-01-13 | not yet calculated | CVE-2026-0404 | https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://www.netgear.com/support/product/rbre950 https://www.netgear.com/support/product/rbse950 https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbr840 https://www.netgear.com/support/product/rbs840 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--XR1000v2 | An insufficient input validation vulnerability in the NETGEAR XR1000v2 allows attackers connected to the router's LAN to execute OS command injections. | 2026-01-13 | not yet calculated | CVE-2026-0406 | https://www.netgear.com/support/product/xr1000v2 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| Ollama--Ollama | Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded data represents valid media before passing it to the mtmd_helper_bitmap_init_from_buf function. This function can return NULL for malformed input, but the code does not check this return value before dereferencing the pointer in subsequent operations. A remote attacker can exploit this by sending specially crafted base64 image data that decodes to invalid media, causing a segmentation fault and crashing the runner process. This results in a denial of service condition where the model becomes unavailable to all users until the service is restarted. | 2026-01-12 | not yet calculated | CVE-2025-15514 | https://huntr.com/bounties/172df98b-07cd-41ea-a628-366f8cd525c0 https://ollama.com/ https://https://github.com/ollama/ollama https://www.vulncheck.com/advisories/ollama-multi-modal-image-processing-null-pointer-dereference |
| Omnilogic--Omni Secure Files | Omni Secure Files plugin versions prior to 0.1.14 contain an arbitrary file upload vulnerability in the bundled plupload example endpoint. The /wp-content/plugins/omni-secure-files/plupload/examples/upload.php handler allows unauthenticated uploads without enforcing safe file type restrictions, enabling an attacker to place attacker-controlled files under the plugin's uploads directory. This can lead to remote code execution if a server-executable file type is uploaded and subsequently accessed. | 2026-01-16 | not yet calculated | CVE-2012-10064 | https://wpscan.com/vulnerability/376fd666-6471-479c-9b74-1d8088a33e89/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/omni-secure-files/omni-secure-files-0113-arbitrary-file-upload https://wordpress.org/plugins/omni-secure-files/ https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-omni-secure-files-upload-php-arbitrary-file-upload-0-1-13/ https://web.archive.org/web/20121025112632/http%3A//secunia.com/advisories/49441 https://packetstorm.news/files/id/113411 https://www.exploit-db.com/exploits/19009 https://web.archive.org/web/20191021091221/https%3A//www.securityfocus.com/bid/53872/ https://www.vulncheck.com/advisories/omni-secure-files-unauthenticated-arbitrary-file-upload |
| Omnispace--Omnispace | Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read. | 2026-01-15 | not yet calculated | CVE-2025-67076 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace--Omnispace | File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated, or under certain conditions also guest users, via the UploadTmpFile action. | 2026-01-15 | not yet calculated | CVE-2025-67077 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace--Omnispace | Cross site scripting (XSS) vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute arbitrary code via the notify parameter of the file controller used to display errors. | 2026-01-15 | not yet calculated | CVE-2025-67078 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace--Omnispace | File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via crafted PDF file to the file upload and thumbnail functions. | 2026-01-15 | not yet calculated | CVE-2025-67079 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| orval-labs--orval | orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0. | 2026-01-12 | not yet calculated | CVE-2026-22785 | https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d |
| Paessler--Paessler | Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the tag parameter. | 2026-01-14 | not yet calculated | CVE-2025-67833 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Paessler--Paessler | Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the filter parameter. | 2026-01-14 | not yet calculated | CVE-2025-67834 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Paessler--Paessler | Paessler PRTG Network Monitor before 25.4.114 allows Denial-of-Service (DoS) by an authenticated attacker via the Notification Contacts functionality. | 2026-01-14 | not yet calculated | CVE-2025-67835 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Palo Alto Networks--Cloud NGFW | A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue results in the firewall entering into maintenance mode. | 2026-01-15 | not yet calculated | CVE-2026-0227 | https://security.paloaltonetworks.com/CVE-2025-4620 |
| Pegasystems--Pega Infinity | Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file. | 2026-01-13 | not yet calculated | CVE-2025-62182 | https://support.pega.com/support-doc/pega-security-advisory-l25-vulnerability-remediation-note |
| pH7Software--pH7Software | A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field. | 2026-01-14 | not yet calculated | CVE-2025-63644 | https://drive.google.com/drive/folders/1mYDvUTnlTPCGTB-7tHD3pmu_wHtlMVRP https://medium.com/@rudranshsinghrajpurohit/cve-2025-63644-stored-cross-site-scripting-xss-vulnerability-in-ph7-social-dating-cms-23ed0e7eb853 |
| phpgurukul--phpgurukul | phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The parameter file can cause any file to be deleted. | 2026-01-13 | not yet calculated | CVE-2025-69990 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20deletion%20vulnerability.md |
| phpgurukul--phpgurukul | phpgurukul News Portal Project V4.1 is vulnerable to SQL Injection in check_availablity.php. | 2026-01-13 | not yet calculated | CVE-2025-69991 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/SQL%20Injection.md |
| phpgurukul--phpgurukul | phpgurukul News Portal Project V4.1 has File Upload Vulnerability via upload.php, which enables the upload of files of any format to the server without identity authentication. | 2026-01-13 | not yet calculated | CVE-2025-69992 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20upload%20vulnerability.md |
| QloApps--QloApps | A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. | 2026-01-12 | not yet calculated | CVE-2021-41074 | https://qloapps.com/ https://github.com/dillonkirsch/CVE-2021-41074 |
| RIOT--RIOT OS | RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption. | 2026-01-12 | not yet calculated | CVE-2026-22213 | https://seclists.org/fulldisclosure/2026/Jan/15 https://www.riot-os.org/ https://github.com/RIOT-OS/RIOT https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility |
| RIOT--RIOT OS | RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash. | 2026-01-12 | not yet calculated | CVE-2026-22214 | https://seclists.org/fulldisclosure/2026/Jan/16 https://www.riot-os.org/ https://github.com/RIOT-OS/RIOT https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-ethos-serial-frame-parser |
| run-llama--llama_index | LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk. | 2026-01-12 | not yet calculated | CVE-2024-14021 | https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12 https://www.llamaindex.ai/ https://github.com/run-llama/llama_index https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization |
| run-llama--llama_index | LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query(). | 2026-01-12 | not yet calculated | CVE-2024-58339 | https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f https://www.llamaindex.ai/ https://github.com/run-llama/llama_index https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion |
| RustCrypto--utils | RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). This vulnerability is fixed in 0.4.4. | 2026-01-15 | not yet calculated | CVE-2026-23519 | https://github.com/RustCrypto/utils/security/advisories/GHSA-2gqc-6j2q-83qp https://github.com/RustCrypto/utils/commit/55977257e7c82a309d5e8abfdd380a774f0f9778 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80. | 2026-01-16 | not yet calculated | CVE-2026-22782 | https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560 https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122 |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68698 | https://github.com/samrocketman/jervis/security/advisories/GHSA-mqw7-c5gg-xq97 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses deterministic AES IV derivation from a passphrase. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68701 | https://github.com/samrocketman/jervis/security/advisories/GHSA-crxp-chh4-9ghp https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses padLeft(32, '0') when it should use padLeft(64, '0') because SHA-256 produces 32 bytes which equates to 64 hex characters. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68702 | https://github.com/samrocketman/jervis/security/advisories/GHSA-67rj-pjg6-pq59 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68703 | https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68704 | https://github.com/samrocketman/jervis/security/advisories/GHSA-c9q6-g3hr-8gww https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68925 | https://github.com/samrocketman/jervis/security/advisories/GHSA-5pq9-5mpr-jj85 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68931 | https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| Schneider Electric--EcoStruxure Power Build Rapsody | CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody. | 2026-01-15 | not yet calculated | CVE-2025-13844 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf |
| Schneider Electric--EcoStruxure Power Build Rapsody | CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody. | 2026-01-15 | not yet calculated | CVE-2025-13845 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf |
| Semantic--Semantic | An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints. | 2026-01-13 | not yet calculated | CVE-2025-66698 | http://veda.com http://semantic.com https://github.com/Perunchess/CVE-2025-66698 |
| ServiceNow--Now Assist AI Agents | A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so. | 2026-01-12 | not yet calculated | CVE-2025-12420 | https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329 |
| siyuan-note--siyuan | SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2. | 2026-01-16 | not yet calculated | CVE-2026-23645 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j https://github.com/siyuan-note/siyuan/issues/16844 https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388 |
| Slab--Quill | A lack of data validation vulnerability in the HTML export feature in Quill in allows Cross-Site Scripting (XSS). This issue affects Quill: 2.0.3. | 2026-01-13 | not yet calculated | CVE-2025-15056 | https://fluidattacks.com/advisories/diomedes https://github.com/slab/quill |
| Sonatype--Nexus Repository | Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default. | 2026-01-14 | not yet calculated | CVE-2026-0600 | https://support.sonatype.com/hc/en-us/articles/47928855816595 |
| Sonatype--Nexus Repository | A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted request requiring user interaction. | 2026-01-14 | not yet calculated | CVE-2026-0601 | https://help.sonatype.com/en/sonatype-nexus-repository-3-88-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/47934334375955 |
| Sourcecodester--Sourcecodester | Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE. | 2026-01-12 | not yet calculated | CVE-2025-66802 | https://feedly.com/cve/CVE-2022-2746 https://github.com/mtgsjr/CVE-2025-66802 |
| SparkyFitness--SparkyFitness | SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output. | 2026-01-15 | not yet calculated | CVE-2025-65368 | https://github.com/CodeWithCJ/SparkyFitness https://github.com/CodeWithCJ/SparkyFitness/security/advisories/GHSA-j7x6-6678-2xqp#event-521570 |
| Stackideas.com--EasyDiscuss extension for Joomla | Lack of input filterung leads to a persistent XSS vulnerability in the forum post handling of the Easy Discuss component for Joomla. | 2026-01-16 | not yet calculated | CVE-2026-21623 | https://stackideas.com/easydiscuss |
| Stackideas.com--EasyDiscuss extension for Joomla | Lack of input filterung leads to a persistent XSS vulnerability in the user avatar text handling of the Easy Discuss component for Joomla. | 2026-01-16 | not yet calculated | CVE-2026-21624 | https://stackideas.com/easydiscuss |
| Stackideas.com--EasyDiscuss extension for Joomla | User provided uploads to the Easy Discuss component for Joomla aren't properly validated. Uploads are purely checked by file extensions, no mime type checks are happening. | 2026-01-16 | not yet calculated | CVE-2026-21625 | https://stackideas.com/easydiscuss |
| SteelSeries--SteelSeries | SteelSeries Nahimic 3 1.10.7 allows Directory traversal. | 2026-01-16 | not yet calculated | CVE-2025-68921 | https://steelseries.gg https://steelseries.com/nahimic https://gist.github.com/ZeroMemoryEx/93208b7e57a5444de3654816857ddef4 |
| Steven--Uploadify | Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation. An unauthenticated remote attacker can upload arbitrary files to the affected WordPress site, which may allow remote code execution by uploading executable content to a web-accessible location. | 2026-01-15 | not yet calculated | CVE-2011-10041 | https://packetstorm.news/files/id/98652 https://wpscan.com/vulnerability/6946364c-9764-468e-87d5-2dd57e531985/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/uploadify/uploadify-10-arbitrary-file-upload https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-uploadify-remote-file-upload-1-0/ https://www.vulncheck.com/advisories/uploadify-unauthenticated-arbitrary-file-upload |
| Svelte--Svelte | An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3. | 2026-01-15 | not yet calculated | CVE-2025-15265 | https://fluidattacks.com/advisories/lydian https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3 https://fluidattacks.com/advisories/lydian |
| sveltejs--kit | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5. | 2026-01-15 | not yet calculated | CVE-2025-67647 | https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35 https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226 |
| sveltejs--kit | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5. | 2026-01-15 | not yet calculated | CVE-2026-22803 | https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46 https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5 https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1 |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the mac parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-70656 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/11/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the cloneType parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-70744 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/10/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the timeZone parameter of the fromSetSysTime function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-16 | not yet calculated | CVE-2025-70746 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/4/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serviceName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-14 | not yet calculated | CVE-2025-70747 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/6/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_4CA50 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-70753 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/8/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the wanSpeed parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-71019 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/9/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_4C408 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-16 | not yet calculated | CVE-2025-71020 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/5/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serverName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-14 | not yet calculated | CVE-2025-71021 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/7/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the mac2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71023 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/11/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the serviceName2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71024 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/12/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the cloneType2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71025 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/10/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanSpeed2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71026 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/9/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanMTU2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71027 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/8/1.md |
| The GNU C Library--glibc | Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments. | 2026-01-14 | not yet calculated | CVE-2026-0861 | https://sourceware.org/bugzilla/show_bug.cgi?id=33796 https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001 |
| The GNU C Library--glibc | Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver. | 2026-01-15 | not yet calculated | CVE-2026-0915 | https://sourceware.org/bugzilla/show_bug.cgi?id=33802 |
| The Nu Html Checker--The Nu Html Checker | Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses.This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd). | 2026-01-16 | not yet calculated | CVE-2025-15104 | https://fluidattacks.com/advisories/europe https://github.com/validator/validator |
| TheLibrarian--TheLibrarian.io | The Librarian contains a information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure. The vendor has fixed the vulnerability in all versions of TheLibrarian. | 2026-01-16 | not yet calculated | CVE-2026-0612 | http://mindgard.ai/blog/thelibrarian-ios-ai-security- https://thelibrarian.io/ |
| TheLibrarian--TheLibrarian.io | The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hertzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0613 | https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure https://thelibrarian.io/ |
| TheLibrarian--TheLibrarian.io | The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0615 | http://mindgard.ai/blog/thelibrarian-ios-ai-security- https://thelibrarian.io/ |
| TheLibrarian--TheLibrarian.io | TheLibrarians web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0616 | https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure https://thelibrarian.io/ |
| TinyOS--TinyOS | TinyOS versions up to and including 2.1.2 contain a global buffer overflow vulnerability in the printfUART formatted output implementation used within the ZigBee / IEEE 802.15.4 networking stack. The implementation formats output into a fixed-size global buffer and concatenates strings for %s format specifiers using strcat() without verifying remaining buffer capacity. When printfUART is invoked with a caller-controlled string longer than the available space, the unbounded sprintf/strcat sequence writes past the end of debugbuf, resulting in global memory corruption. This can cause denial of service, unintended behavior, or information disclosure via corrupted adjacent global state or UART output. | 2026-01-14 | not yet calculated | CVE-2026-22211 | https://seclists.org/fulldisclosure/2026/Jan/14 https://github.com/tinyos/tinyos-main https://www.vulncheck.com/advisories/tinyos-global-buffer-overflow-in-printfuart |
| TinyOS--TinyOS | TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under /dev/usb/, leading to stack memory corruption and application crashes. | 2026-01-12 | not yet calculated | CVE-2026-22212 | https://seclists.org/fulldisclosure/2026/Jan/14 https://github.com/tinyos/tinyos-main https://www.vulncheck.com/advisories/tinyos-stack-based-buffer-overflow-in-mcp2200gpio |
| TOA Corporation--Multiple Network Cameras TRIFORA 3 series | OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low("monitoring user") or higher privilege to execute an arbitrary OS command. | 2026-01-16 | not yet calculated | CVE-2026-20759 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| TOA Corporation--Multiple Network Cameras TRIFORA 3 series | Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen. | 2026-01-16 | not yet calculated | CVE-2026-20894 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| TOA Corporation--Multiple Network Cameras TRIFORA 3 series | Path Traversal vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low("monitoring user") or higher privilege. | 2026-01-16 | not yet calculated | CVE-2026-22876 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| Tongyu--Tongyu | An authentication bypass vulnerability in the Tongyu AX1800 Wi-Fi 6 Router with firmware 1.0.0 allows unauthenticated network-adjacent attackers to perform arbitrary configuration changes without providing credentials, as long as a valid admin session is active. This can result in full compromise of the device (i.e., via unauthenticated access to /boaform/formSaveConfig and /boaform/admin endpoints). | 2026-01-13 | not yet calculated | CVE-2025-68707 | https://www.tongyucom.com/product/ax1800.html https://github.com/actuator/cve/tree/main/Tongyu https://github.com/actuator/cve/blob/main/Tongyu/CVE-2025-68707.txt |
| TP-Link Systems Inc.--TL-WR841N v14 | A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation. A remote, unauthenticated attacker can exploit this flaw and cause Denial of Service on the web portal service.This issue affects TL-WR841N v14: before 250908. | 2026-01-15 | not yet calculated | CVE-2025-9014 | https://www.tp-link.com/us/support/faq/4894/ https://www.tp-link.com/jp/support/download/tl-wr841n/#Firmware https://www.tp-link.com/en/support/download/tl-wr841n/#Firmware https://www.tp-link.com/us/support/download/tl-wr841n/#Firmware |
| TP-Link Systems Inc.--VIGI InSight Sx45 Series (S245/S345/S445) | Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security. | 2026-01-16 | not yet calculated | CVE-2026-0629 | https://www.vigi.com/us/support/download/ https://www.vigi.com/en/support/download/ https://www.vigi.com/in/support/download/ https://www.tp-link.com/us/support/faq/4899/ |
| Typesetter--Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session. | 2026-01-14 | not yet calculated | CVE-2025-71164 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/706 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-editing-php |
| Typesetter--Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | 2026-01-14 | not yet calculated | CVE-2025-71165 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/709 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-status-php |
| Typesetter--Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | 2026-01-14 | not yet calculated | CVE-2025-71166 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/707 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-move-message-handling |
| TYPO3--TYPO3 CMS | By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59020 | https://typo3.org/security/advisory/typo3-core-sa-2026-001 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3--TYPO3 CMS | Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user's own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs - facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59021 | https://typo3.org/security/advisory/typo3-core-sa-2026-002 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3--TYPO3 CMS | Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59022 | https://typo3.org/security/advisory/typo3-core-sa-2026-003 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3--TYPO3 CMS | TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2026-0859 | https://typo3.org/security/advisory/typo3-core-sa-2026-004 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| Vanilla OS--fabricators ltd | fabricators Ltd Vanilla OS 2 Core image v1.1.0 was discovered to contain static keys for the SSH service, allowing attackers to possibly execute a man-in-the-middle attack during connections with other hosts. | 2026-01-13 | not yet calculated | CVE-2024-54855 | http://vanilla.com http://fabricators.com https://github.com/Vanilla-OS/core-image/security/advisories/GHSA-67pc-hqr2-g34h |
| Viafirma--Inbox | IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality to access the application by impersonating any user, including those with administrative permissions. | 2026-01-12 | not yet calculated | CVE-2025-41077 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products |
| Viafirma--Viafirma Documents | Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating other users of the application in the generation and signing of documents. | 2026-01-12 | not yet calculated | CVE-2025-41078 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products |
| Vivotek--Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371,IB9381, IB9387, IB9389, IB939,IP9165,IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Vivotek Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371,IB9381, IB9387, IB9389, IB939,IP9165,IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 (Firmware modules) allows OS Command Injection.This issue affects Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371,IB9381, IB9387, IB9389, IB939,IP9165,IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330: 0100a, 0106a, 0106b, 0107a, 0107b_1, 0109a, 0112a, 0113a, 0113d, 0117b, 0119e, 0120b, 0121, 0121d, 0121d_48573_1, 0122e, 0124d_48573_1, 012501, 012502, 0125c. | 2026-01-13 | not yet calculated | CVE-2026-22755 | http://www.vapidlabs.com/advisory.php?v=220 |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2. | 2026-01-14 | not yet calculated | CVE-2026-21889 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3g2f-4rjg-9385 https://github.com/WeblateOrg/weblate/pull/17516 https://github.com/WeblateOrg/weblate/commit/a6eb5fd0299780eca286be8ff187dc2d10feec47 |
| WordPress--Dreamer Blog | The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check. | 2026-01-13 | not yet calculated | CVE-2025-10915 | https://wpscan.com/vulnerability/dab3a804-9027-4b4a-b61c-61b562045bc4/ |
| WordPress--E-xact | Hosted Payment | | The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. | 2026-01-13 | not yet calculated | CVE-2025-14829 | https://wpscan.com/vulnerability/872569bc-16fb-427f-accc-147f284137cd/ |
| WordPress--Quiz Maker | The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2026-01-12 | not yet calculated | CVE-2025-14579 | https://wpscan.com/vulnerability/1ff8ea2b-6513-4d5c-b7ea-9ab39c9ea9c6/ |
| WorkDo--eCommerceGo SaaS | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to '/store-ticket', using the 'subject' and 'description' parameters. | 2026-01-12 | not yet calculated | CVE-2025-40977 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo--eCommerceGo SaaS | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to '/ticket/x/conversion', using the 'reply_description' parameter. | 2026-01-12 | not yet calculated | CVE-2025-40978 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo--HRMGo | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo, consisting of a lack of proper validation of user input by sending a POST request to '/hrmgo/ticket/changereply', using the 'description' parameter. | 2026-01-12 | not yet calculated | CVE-2025-40975 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo--TicketGo | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's TicketGo, consisting of a lack of proper validation of user input by sending a POST request to '/ticketgo-saas/home', using the 'description' parameter. | 2026-01-12 | not yet calculated | CVE-2025-40976 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| xmall--xmall | Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId. | 2026-01-12 | not yet calculated | CVE-2023-36331 | https://github.com/Exrick/xmall/issues/100 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory. | 2026-01-12 | not yet calculated | CVE-2026-22776 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792 |
| YSoft--SafeQ 6 | Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools. The affected customers are only those with a password-protected scan workflow connector. This issue affects Y Soft SafeQ 6 in versions before MU106. | 2026-01-14 | not yet calculated | CVE-2025-13175 | https://www.ysoft.com/safeq https://docs.ysoft.cloud/safeq6/latest/safeq6/release-notes-build-106 https://cert.pl/en/posts/2026/01/CVE-2025-13175 |
| Zhiyuan-Zhyuan | Cross site scripting vulnerability in seeyon Zhiyuan A8+ Collaborative Management Software 7.0 via the topValue parameter to the seeyon/main.do endpoint. | 2026-01-16 | not yet calculated | CVE-2025-56451 | https://www.yuque.com/076w/syst1m/zlp7c6hmowx6cg51?singleDoc https://gist.github.com/076w/b223381ba06b05845d919fb29619777b |
Vulnerability Summary for the Week of January 5, 2026
Posted on Monday January 12, 2026
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AA-Team--Amazon Native Shopping Recommendations | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Native Shopping Recommendations allows SQL Injection.This issue affects Amazon Native Shopping Recommendations: from n/a through 1.3. | 2026-01-05 | 9.3 | CVE-2025-30633 | https://vdp.patchstack.com/database/wordpress/plugin/woozone-contextual/vulnerability/wordpress-amazon-native-shopping-recommendations-plugin-1-3-sql-injection-vulnerability?_s_id=cve |
| AA-Team--Premium Age Verification / Restriction for WordPress | Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation.This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0. | 2026-01-06 | 8.8 | CVE-2025-29004 | https://patchstack.com/database/wordpress/plugin/age-restriction/vulnerability/wordpress-premium-age-verification-restriction-for-wordpress-plugin-3-0-2-privilege-escalation-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/plugin/wordpress-flat-countdown/vulnerability/wordpress-responsive-coming-soon-landing-page-holding-page-for-wordpress-3-0-privilege-escalation-vulnerability?_s_id=cve |
| AA-Team--Premium SEO Pack | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack allows SQL Injection.This issue affects Premium SEO Pack: from n/a through 3.3.2. | 2026-01-05 | 8.5 | CVE-2025-31044 | https://vdp.patchstack.com/database/wordpress/plugin/premium-seo-pack/vulnerability/wordpress-premium-seo-pack-3-3-2-sql-injection-vulnerability?_s_id=cve |
| AA-Team--Woocommerce Sales Funnel Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. | 2026-01-06 | 7.1 | CVE-2025-30631 | https://patchstack.com/database/wordpress/plugin/woosales/vulnerability/wordpress-woocommerce-sales-funnel-builder-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/plugin/azon-addon-js-composer/vulnerability/wordpress-amazon-affiliates-addon-for-wpbakery-page-builder-formerly-visual-composer-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ABB--WebPro SNMP Card PowerValue | Incorrect Implementation of Authentication Algorithm vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. | 2026-01-07 | 8.8 | CVE-2025-4676 | https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009&LanguageCode=en&DocumentPartId=&Action=Launch |
| Adtecdigital--SignEdje Digital Signage Player | Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital product versions. | 2026-01-06 | 7.5 | CVE-2020-36915 | ExploitDB-48954 Adtec Digital Official Homepage Zero Science Lab Disclosure (ZSL-2020-5603) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: Adtec Digital SignEdje Digital Signage Player v2.08.28 Default Credentials |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3. | 2026-01-05 | 7.5 | CVE-2025-69223 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a |
| aksharsoftsolutions--AS Password Field In Default Registration Form | The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | 2026-01-06 | 9.8 | CVE-2025-14996 | https://www.wordfence.com/threat-intel/vulnerabilities/id/061f022b-b922-4499-bb34-8ea91ba5ace3?source=cve https://plugins.trac.wordpress.org/browser/as-password-field-in-default-registration-form/tags/2.0.0/as-password-field-default-registration.php |
| Alibaba--Fastjson | Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845. | 2026-01-09 | 10 | CVE-2025-70974 | https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48 https://www.seebug.org/vuldb/ssvid-98020 https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238 https://www.freebuf.com/vuls/208339.html https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955 |
| arraytics--Eventin Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) | The Eventin - Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded. | 2026-01-09 | 7.2 | CVE-2025-14657 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e4188b26-80f8-41b8-be19-1ddcbd7e39f5?source=cve https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/Enqueue/register.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2FEnqueue%2Fregister.php https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/api-handler.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2Fapi-handler.php https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/core/event/api.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fcore%2Fevent%2Fapi.php |
| Arteco-Global--Arteco Web Client DVR/NVR | Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers to bypass authentication. Attackers can brute force session IDs within a specific numeric range to obtain valid sessions and access live camera streams without authorization. | 2026-01-06 | 9.8 | CVE-2020-36925 | ExploitDB-49348 Arteco Official Vendor Homepage Zero Science Lab Disclosure (ZSL-2020-5613) Packet Storm Security Exploit Archive IBM X-Force Exchange Vulnerability Entry 1 IBM X-Force Exchange Vulnerability Entry 2 CXSecurity Vulnerability Listing VulnCheck Advisory: Arteco Web Client DVR/NVR Session ID Brute Force Authentication Bypass |
| AWS--Kiro IDE | Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version. | 2026-01-09 | 7.8 | CVE-2026-0830 | https://kiro.dev/changelog/spec-correctness-and-cli/ https://aws.amazon.com/security/security-bulletins/2026-001-AWS/ |
| bg5sbk--MiniCMS | A vulnerability was found in bg5sbk MiniCMS up to 1.8. The impacted element is an unknown function of the file /minicms/mc-admin/post.php of the component Trash File Restore Handler. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 7.3 | CVE-2025-15457 | VDB-339490 | bg5sbk MiniCMS Trash File Restore post.php improper authentication VDB-339490 | CTI Indicators (IOB, IOC, IOA) Submit #725139 | MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 unauthorized vulnerability https://github.com/ueh1013/VULN/issues/12 |
| bg5sbk--MiniCMS | A vulnerability was determined in bg5sbk MiniCMS up to 1.8. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. Executing a manipulation can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 7.3 | CVE-2025-15458 | VDB-339491 | bg5sbk MiniCMS Article post-edit.php improper authentication VDB-339491 | CTI Indicators (IOB, IOC, IOA) Submit #725142 | MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 unauthorized vulnerability https://github.com/ueh1013/VULN/issues/9 |
| Brecht--Custom Related Posts | Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data.This issue affects Custom Related Posts: from n/a through 1.8.0. | 2026-01-05 | 7.5 | CVE-2025-68033 | https://vdp.patchstack.com/database/wordpress/plugin/custom-related-posts/vulnerability/wordpress-custom-related-posts-plugin-1-8-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| buddydev--BuddyPress Xprofile Custom Field Types | The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2026-01-06 | 7.2 | CVE-2025-14997 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89a7a717-dac3-490e-89dd-268be8eb7bf5?source=cve https://plugins.trac.wordpress.org/browser/bp-xprofile-custom-field-types/tags/1.2.8/src/handlers/class-field-upload-helper.php https://plugins.trac.wordpress.org/changeset/3430565/bp-xprofile-custom-field-types |
| CAYIN Technology--SMP-8000QD | Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the 'NTP_Server_IP' parameter with default credentials to execute arbitrary shell commands as root. | 2026-01-06 | 8.8 | CVE-2020-36910 | ExploitDB-48557 Cayin Technology Official Website Zero Science Lab Disclosure (ZSL-2020-5569) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Listing VulnCheck Advisory: Cayin Signage Media Player 3.0 Authenticated Remote Command Injection via NTP Parameter |
| Centreon--Infra Monitoring | Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. | 2026-01-05 | 9.8 | CVE-2025-15026 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357 |
| Centreon--Infra Monitoring | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring (Awie export modules) allows SQL Injection to unauthenticated user. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. | 2026-01-05 | 9.8 | CVE-2025-15029 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15029-centreon-awie-critical-severity-5356 |
| Centreon--Infra Monitoring | In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Backup configuration in the administration setup modules) allows OS Command Injection.This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | 2026-01-05 | 7.2 | CVE-2025-5965 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-5965-centreon-web-high-severity-5362 |
| code-projects--Intern Membership Management System | A vulnerability was determined in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /intern/admin/check_admin.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-08 | 7.3 | CVE-2026-0700 | VDB-339977 | code-projects Intern Membership Management System check_admin.php sql injection VDB-339977 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #733001 | code-projects Intern Membership Management System check_admin.php 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20check_admin.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Online Music Site | A security vulnerability has been detected in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Such manipulation of the argument username/password leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-01-05 | 7.3 | CVE-2026-0605 | VDB-339549 | code-projects Online Music Site login.php sql injection VDB-339549 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731695 | code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A52.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A52.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects--Online Music Site | A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-05 | 7.3 | CVE-2026-0606 | VDB-339550 | code-projects Online Music Site Albums.php sql injection VDB-339550 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731696 | code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects--Online Music Site | A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminViewSongs.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-01-05 | 7.3 | CVE-2026-0607 | VDB-339551 | code-projects Online Music Site AdminViewSongs.php sql injection VDB-339551 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731697 | code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A53.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A53.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects--Online Music Site | A vulnerability was identified in code-projects Online Music Site 1.0. The affected element is an unknown function of the file /Administrator/PHP/AdminAddUser.php. The manipulation of the argument txtusername leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-01-11 | 7.3 | CVE-2026-0851 | VDB-340446 | code-projects Online Music Site AdminAddUser.php sql injection VDB-340446 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #733644 | Code-Projects Online Music Site V1.0 SQLinjection https://github.com/tuo159515/sql-injection/issues/2 https://code-projects.org/ |
| code-projects--Online Product Reservation System | A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This vulnerability affects unknown code of the file app/user/login.php of the component User Login. The manipulation of the argument emailadd results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-05 | 7.3 | CVE-2026-0583 | VDB-339475 | code-projects Online Product Reservation System User Login login.php sql injection VDB-339475 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731093 | code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_login.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_login.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the file /order_view.php of the component GET Parameter Handler. Such manipulation of the argument transaction_id leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2026-01-05 | 7.3 | CVE-2026-0585 | VDB-339477 | code-projects Online Product Reservation System GET Parameter order_view.php sql injection VDB-339477 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731096 | code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_order_view.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_order_view.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. | 2026-01-05 | 7.3 | CVE-2026-0589 | VDB-339499 | code-projects Online Product Reservation System Administration Backend improper authentication VDB-339499 | CTI Indicators (IOB, IOC) Submit #731127 | code-projects Online Product Reservation System V1.0 Authentication Bypass Issues https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/auth_bypass_admin_panel.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/auth_bypass_admin_panel.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This affects an unknown function of the file /handgunner-administrator/register_code.php of the component User Registration Handler. Performing a manipulation of the argument fname/lname/address/city/province/country/zip/tel_no/email/username results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-05 | 7.3 | CVE-2026-0592 | VDB-339502 | code-projects Online Product Reservation System User Registration register_code.php sql injection VDB-339502 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731130 | code-projects Online Product Reservation System V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_register_code.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_register_code.php.md#poc https://code-projects.org/ |
| codename065--Download Manager | The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account. | 2026-01-06 | 7.3 | CVE-2025-15364 | https://www.wordfence.com/threat-intel/vulnerabilities/id/067031e8-6aa8-451c-a318-b1848c7a4f92?source=cve https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.40/src/__/Crypt.php#L18 https://plugins.trac.wordpress.org/changeset/3431915/download-manager#file7 |
| Codepeople--Sell Downloads | Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sell Downloads: from n/a through 1.1.12. | 2026-01-05 | 7.5 | CVE-2025-68850 | https://vdp.patchstack.com/database/wordpress/plugin/sell-downloads/vulnerability/wordpress-sell-downloads-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve |
| Columbia Weather Systems--MicroServer | An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device. | 2026-01-07 | 8.8 | CVE-2025-61939 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json |
| Columbia Weather Systems--MicroServer | An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system. | 2026-01-07 | 8 | CVE-2025-66620 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json |
| Comfy-Org--ComfyUI-Manager | ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5. | 2026-01-10 | 7.5 | CVE-2026-22777 | https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2 https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue. | 2026-01-05 | 10 | CVE-2025-59157 | https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | 10 | CVE-2025-64420 | https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack "docker compose"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue. | 2026-01-05 | 9.7 | CVE-2025-64419 | https://github.com/coollabsio/coolify/security/advisories/GHSA-234r-xrrg-m8f3 https://github.com/coollabsio/coolify/commit/f86ccfaa9af572a5487da8ea46b0a125a4854cf6 |
| coreruleset--coreruleset | The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue. | 2026-01-08 | 9.3 | CVE-2026-21876 | https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5 https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83 https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6 https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8 https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0 |
| Corourke--iPhone Webclip Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Corourke iPhone Webclip Manager allows Stored XSS.This issue affects iPhone Webclip Manager: from n/a through 0.5. | 2026-01-05 | 7.1 | CVE-2024-53735 | https://vdp.patchstack.com/database/wordpress/plugin/iphone-webclip-manager/vulnerability/wordpress-iphone-webclip-manager-plugin-0-5-csrf-to-stored-xss-vulnerability?_s_id=cve |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI specifications, supporting various HTTP methods, parameters, and authentication methods including custom headers. By default, there are no restrictions on accessible services, which means agents can also access internal components like the RAG API included in the default Docker Compose setup. This issue is fixed in version 0.8.1-rc2. | 2026-01-07 | 9.1 | CVE-2025-69222 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8 https://github.com/danny-avila/LibreChat/commit/3b41e392ba5c0d603c1737d8582875e04eaa6e02 https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2 |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2. | 2026-01-07 | 7.1 | CVE-2025-69220 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-xcmf-rpmh-hg59 https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237 https://cwe.mitre.org/data/definitions/284.html https://cwe.mitre.org/data/definitions/862.html https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2 https://owasp.org/Top10/A01_2021-Broken_Access_Control https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf |
| Dasinfomedia--WPCHURCH | Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH allows Privilege Escalation.This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-07 | 8.8 | CVE-2025-31643 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-2-7-0-privilege-escalation-vulnerability?_s_id=cve |
| Dasinfomedia--WPCHURCH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dasinfomedia WPCHURCH allows Reflected XSS.This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-06 | 7.1 | CVE-2025-31642 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-plugin-2-7-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Dell--Unisphere for PowerMax | Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data and resources outside of the intended sphere of control. | 2026-01-06 | 7.6 | CVE-2025-36589 | https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities |
| devolo AG--devolo dLAN Cockpit | devolo dLAN Cockpit 4.3.1 contains an unquoted service path vulnerability in the 'DevoloNetworkService' that allows local non-privileged users to potentially execute arbitrary code. Attackers can exploit the insecure service path configuration by inserting malicious code in the system root path to execute with elevated privileges during application startup or system reboot. | 2026-01-07 | 8.4 | CVE-2019-25231 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Devolo Vendor Homepage |
| DevToys-app--DevToys | DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user's system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or system files. This issue has been patched in version 2.0.9.0. | 2026-01-10 | 8.8 | CVE-2026-22685 | https://github.com/DevToys-app/DevToys/security/advisories/GHSA-ggxr-h6fm-p2qh https://github.com/DevToys-app/DevToys/pull/1643 https://github.com/DevToys-app/DevToys/commit/02fb7d46d9c663a4ee6ed968baa6a8810405047f |
| Digital zoom studio--DZS Video Gallery | Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through 12.37. | 2026-01-07 | 9.8 | CVE-2025-47552 | https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-12-25-php-object-injection-vulnerability?_s_id=cve |
| Digital zoom studio--DZS Video Gallery | Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through 12.25. | 2026-01-06 | 8.8 | CVE-2025-47553 | https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-25-php-object-injection-vulnerability?_s_id=cve |
| Digital zoom studio--DZS Video Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Digital zoom studio DZS Video Gallery allows Reflected XSS.This issue affects DZS Video Gallery: from n/a through 12.25. | 2026-01-07 | 7.1 | CVE-2025-32300 | https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-25-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| djanym--Optional Email | The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts. | 2026-01-07 | 9.8 | CVE-2025-15018 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4243e9-cf72-40d5-bc7d-204426024a1d?source=cve https://plugins.trac.wordpress.org/browser/optional-email/tags/1.3.11/optional-email.php?marks=44,51#L44 |
| e-plugins--JobBank | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins JobBank allows Reflected XSS.This issue affects JobBank: from n/a through 1.2.2. | 2026-01-06 | 7.1 | CVE-2025-69085 | https://patchstack.com/database/wordpress/plugin/jobbank/vulnerability/wordpress-jobbank-plugin-1-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| eastsidecode--WP Enable WebP | The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-01-07 | 8.8 | CVE-2025-15158 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fa53c5ee-fe7f-4fb2-baaa-2c1a151d4b2c?source=cve https://plugins.trac.wordpress.org/browser/wp-enable-webp/trunk/wp-enable-webp.php?rev=1998897#L43 |
| Elated-Themes--Frapp | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Frappé allows PHP Local File Inclusion.This issue affects Frappé: from n/a through 1.8. | 2026-01-06 | 8.1 | CVE-2025-69083 | https://patchstack.com/database/wordpress/theme/frappe/vulnerability/wordpress-frappe-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve |
| Extreme Networks--Aerohive HiveOS | Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trigger a 5-minute service disruption. | 2026-01-06 | 7.5 | CVE-2020-36907 | ExploitDB-48441 Extreme Networks Product Homepage HiveOS Product Announcements Zero Science Lab Disclosure (ZSL-2020-5566) NCSC Security Advisory IBM X-Force Vulnerability Exchange Packet Storm Security Exploit Entry VulnCheck Advisory: Extreme Networks Aerohive HiveOS <=11.x 11.x Unauthenticated Remote Denial of Service |
| FIBAR GROUP S.A.--Home Center 3 | FIBARO System Home Center 5.021 contains a remote file inclusion vulnerability in the undocumented proxy API that allows attackers to include arbitrary client-side scripts. Attackers can exploit the 'url' GET parameter to inject malicious JavaScript and potentially hijack user sessions or manipulate page content. | 2026-01-06 | 7.5 | CVE-2020-36905 | ExploitDB-48240 Official Vendor Homepage Zero Science Lab Disclosure (ZSL-2020-5563) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange VulnCheck Advisory: FIBARO System Home Center 5.021 Remote File Inclusion via Proxy API |
| FlagForgeCTF--flagForge | Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To workaround this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path. | 2026-01-08 | 7.5 | CVE-2026-21868 | https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcx |
| FLIR Systems, Inc.--FLIR Thermal Camera F/FC/PT/D | FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system. | 2026-01-07 | 7.5 | CVE-2017-20214 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42787 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| FLIR Systems, Inc.--FLIR Thermal Camera F/FC/PT/D Stream | FLIR Thermal Camera F/FC/PT/D Stream firmware version 8.0.0.64 contains an unauthenticated vulnerability that allows remote attackers to access live camera streams without credentials. Attackers can exploit the vulnerability to view unauthorized thermal camera video feeds across multiple camera series without requiring any authentication. | 2026-01-07 | 7.5 | CVE-2017-20213 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42789 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| FLIR Systems, Inc.--FLIR Thermal Camera FC-S/PT | FLIR Thermal Camera FC-S/PT firmware version 8.0.0.64 contains an authenticated OS command injection vulnerability that allows attackers to execute shell commands with root privileges. Authenticated attackers can inject arbitrary shell commands through unvalidated input parameters to gain complete control of the thermal camera system. | 2026-01-07 | 8.8 | CVE-2017-20215 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42788 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| FLIR Systems, Inc.--FLIR Thermal Camera PT-Series | FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC). | 2026-01-07 | 9.8 | CVE-2017-20216 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42785 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| frappe--frappe | Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. To workaround, changing the setup to use a reverse proxy is recommended. | 2026-01-05 | 7.5 | CVE-2025-68953 | https://github.com/frappe/frappe/security/advisories/GHSA-xj39-3g4p-f46v https://github.com/frappe/frappe/commit/3867fb112c3f7be1a863e40f19e9235719f784fb https://github.com/frappe/frappe/commit/959efd6a498cfaeaf7d4e0ab6cca78c36192d34d |
| Frenify--Arlo | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frenify Arlo arlo allows Reflected XSS.This issue affects Arlo: from n/a through 6.0.3. | 2026-01-07 | 7.1 | CVE-2025-69082 | https://patchstack.com/database/wordpress/theme/arlo/vulnerability/wordpress-arlo-theme-6-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| fsylum--FS Registration Password | The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | 2026-01-06 | 9.8 | CVE-2025-15001 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22351b90-fc34-44ce-9241-4a0f01eb7b1c?source=cve https://plugins.trac.wordpress.org/browser/registration-password/tags/1.0.1/src/WP/Auth.php https://plugins.trac.wordpress.org/changeset/3431651/registration-password |
| G5Theme--Handmade Framework | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion.This issue affects Handmade Framework: from n/a through 3.9. | 2026-01-08 | 7.5 | CVE-2026-22521 | https://patchstack.com/database/wordpress/plugin/handmade-framework/vulnerability/wordpress-handmade-framework-plugin-3-9-local-file-inclusion-vulnerability?_s_id=cve |
| ggml-org--llama.cpp | llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fills up, llama_memory_seq_rm/add receives a reversed range and negative offset, causing out-of-bounds memory writes in the token evaluation loop. This deterministic memory corruption can crash the process or enable remote code execution (RCE). There is no fix at the time of publication. | 2026-01-07 | 8.8 | CVE-2026-21869 | https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-8947-pfff-2f3c |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage. | 2026-01-09 | 8 | CVE-2025-13761 | GitLab Issue #582237 HackerOne Bug Bounty Report #3441368 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown. | 2026-01-09 | 8.7 | CVE-2025-9222 | GitLab Issue #562561 HackerOne Bug Bounty Report #3297483 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests. | 2026-01-09 | 7.1 | CVE-2025-13772 | GitLab Issue #581268 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| greenshot--greenshot | Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311. | 2026-01-08 | 7.8 | CVE-2026-22035 | https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb https://github.com/greenshot/greenshot/releases/tag/v1.3.311 |
| GT3 themes--Photo Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 themes Photo Gallery allows Reflected XSS.This issue affects Photo Gallery: from n/a through 2.7.7.26. | 2026-01-06 | 7.1 | CVE-2025-69084 | https://patchstack.com/database/wordpress/plugin/gt3-photo-video-gallery/vulnerability/wordpress-photo-gallery-plugin-2-7-7-26-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Guangzhou V--V-SOL GPON/EPON OLT Platform | V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to manipulate the 'parent' GET parameter. Attackers can craft malicious links that redirect logged-in users to arbitrary websites by exploiting improper input validation in the redirect mechanism. | 2026-01-07 | 9.8 | CVE-2019-25282 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry VSOL Vendor Homepage |
| Guangzhou Yeroo Tech Co., Ltd.--iDS6 DSSPro Digital Signage System | iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmission. Attackers can exploit the autoSave feature to capture user passwords during man-in-the-middle attacks on HTTP communications. | 2026-01-06 | 7.5 | CVE-2020-36917 | Zero Science Lab Disclosure (ZSL-2020-5605) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry Archived Yeroo Tech Vendor Homepage VulnCheck Advisory: iDS6 DSSPro Digital Signage System 6.2 Cleartext Password Disclosure via Cookie |
| haxtheweb--issues | HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0. | 2026-01-10 | 8.1 | CVE-2026-22704 | https://github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778 https://github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0 |
| IceWhaleTech--ZimaOS | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available. | 2026-01-08 | 9.4 | CVE-2026-21891 | https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-xj93-qw9p-jxq4 |
| Infility--Infility Global | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global allows SQL Injection.This issue affects Infility Global: from n/a through 2.14.48. | 2026-01-05 | 9.3 | CVE-2025-68865 | https://vdp.patchstack.com/database/wordpress/plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-14-38-sql-injection-vulnerability?_s_id=cve |
| INIM Electronics s.r.l.--SmartLiving SmartLAN/G/SI | SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials. | 2026-01-07 | 8.8 | CVE-2019-25289 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 47765 Packet Storm Security Exploit File CXSecurity Vulnerability Issue IBM X-Force Vulnerability Exchange Entry Inim Vendor Homepage |
| INIM Electronics s.r.l.--Smartliving SmartLAN/G/SI | INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across multiple SmartLiving device models. | 2026-01-07 | 7.5 | CVE-2019-25291 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 47763 Packet Storm Security Exploit File IBM X-Force Vulnerability Exchange Entry INIM Vendor Homepage |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 9.8 | CVE-2026-21675 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wcwx-794g-g78f https://github.com/InternationalColorConsortium/iccDEV/issues/182 https://github.com/InternationalColorConsortium/iccDEV/commit/510baf58fa48e00ebbb5dd577f0db4af8876bb31 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 8.8 | CVE-2026-21485 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-chp2-4gv5-2432 https://github.com/InternationalColorConsortium/iccDEV/issues/340 https://github.com/InternationalColorConsortium/iccDEV/commit/c136aac51d25cbb4d9db63f071edad4f088843df |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 8.8 | CVE-2026-21676 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-j5vv-p2hv-c392 https://github.com/InternationalColorConsortium/iccDEV/issues/215 https://github.com/InternationalColorConsortium/iccDEV/commit/e4c38a67d06073b38d58580b0cfc78ca61005f84 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 8.8 | CVE-2026-21677 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-95w5-jvqf-3994 https://github.com/InternationalColorConsortium/iccDEV/issues/181 https://github.com/InternationalColorConsortium/iccDEV/commit/201125fbda22c8e4ea95800a6b427093fa4b8a22 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow in CIccLocalizedUnicode::GetText(). This issue has been patched in version 2.3.1.2. | 2026-01-07 | 8.8 | CVE-2026-21679 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h4wg-473g-p5wc https://github.com/InternationalColorConsortium/iccDEV/issues/328 https://github.com/InternationalColorConsortium/iccDEV/pull/329 https://github.com/InternationalColorConsortium/iccDEV/commit/2eb25ab95f0db7664ec3850390b6f89e302e7039 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow in `CIccXmlArrayType::ParseText()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21682 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-jq9m-54gr-c56c https://github.com/InternationalColorConsortium/iccDEV/issues/178 https://github.com/InternationalColorConsortium/iccDEV/pull/229 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `icStatusCMM::CIccEvalCompare::EvaluateProfile()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21683 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-f2wp-j3fr-938w https://github.com/InternationalColorConsortium/iccDEV/issues/183 https://github.com/InternationalColorConsortium/iccDEV/pull/228 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `SIccCalcOp::ArgsPushed()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21688 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3r2x-j7v3-pg6f https://github.com/InternationalColorConsortium/iccDEV/issues/379 https://github.com/InternationalColorConsortium/iccDEV/pull/422 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `ToXmlCurve()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21692 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7662-mf46-wr88 https://github.com/InternationalColorConsortium/iccDEV/issues/388 https://github.com/InternationalColorConsortium/iccDEV/pull/432 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccSegmentedCurveXml::ToXml()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21693 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-v3q7-7hw6-6jq8 https://github.com/InternationalColorConsortium/iccDEV/issues/389 https://github.com/InternationalColorConsortium/iccDEV/pull/432 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-22046 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7v4q-mhr2-hj7r https://github.com/InternationalColorConsortium/iccDEV/issues/448 https://github.com/InternationalColorConsortium/iccDEV/pull/451 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `SIccCalcOp::Describe()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-22047 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-22q7-8347-79m5 https://github.com/InternationalColorConsortium/iccDEV/issues/454 https://github.com/InternationalColorConsortium/iccDEV/pull/459 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-08 | 8.8 | CVE-2026-22255 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-qv2w-mq3g-73gv https://github.com/InternationalColorConsortium/iccDEV/issues/466 https://github.com/InternationalColorConsortium/iccDEV/pull/469 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 7.8 | CVE-2026-21486 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mg98-j5q2-674w https://github.com/InternationalColorConsortium/iccDEV/commit/1ab7363f38a20089934d3410c88f714eea392bf5 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 7.5 | CVE-2026-21507 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hgp5-r8m9-8qpj https://github.com/InternationalColorConsortium/iccDEV/issues/244 https://github.com/InternationalColorConsortium/iccDEV/commit/3f3ce789d0d2b608c194ed172fa38943519dc198 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 7.8 | CVE-2026-21673 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-g66g-f82c-vgm6 https://github.com/InternationalColorConsortium/iccDEV/issues/243 https://github.com/InternationalColorConsortium/iccDEV/commit/32740802ee14418bd14c429d7e2f142d92cd5c4f |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow vulnerability in IccTagXml(). This issue has been patched in version 2.3.1.2. | 2026-01-07 | 7.8 | CVE-2026-21678 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-9rp2-4c6g-hppf https://github.com/InternationalColorConsortium/iccDEV/issues/55 https://github.com/InternationalColorConsortium/iccDEV/pull/219 https://github.com/InternationalColorConsortium/iccDEV/commit/c6c0f1cf45b48db94266132ccda5280a1a33569d |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Undefined Behavior runtime error. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21681 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-v4qq-v3c3-x62x https://github.com/InternationalColorConsortium/iccDEV/pull/269 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagSpectralViewingConditions()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21684 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-fg9m-j9x8-8279 https://github.com/InternationalColorConsortium/iccDEV/issues/216 https://github.com/InternationalColorConsortium/iccDEV/pull/225 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLut16::Read()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21685 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c3xr-6687-5c8p https://github.com/InternationalColorConsortium/iccDEV/issues/213 https://github.com/InternationalColorConsortium/iccDEV/pull/223 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLutAtoB::Validate()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21686 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-792q-cqq9-mq4x https://github.com/InternationalColorConsortium/iccDEV/issues/214 https://github.com/InternationalColorConsortium/iccDEV/pull/222 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagCurve::CIccTagCurve()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21687 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-prmm-g479-4fv7 https://github.com/InternationalColorConsortium/iccDEV/issues/180 https://github.com/InternationalColorConsortium/iccDEV/pull/221 |
| ipaymu--iPaymu Payment Gateway for WooCommerce | The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products. | 2026-01-07 | 8.2 | CVE-2026-0656 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7e639aed-ec67-4212-9051-1f7465bbfde2?source=cve https://plugins.trac.wordpress.org/browser/ipaymu-for-woocommerce/tags/2.0.2/gateway.php?marks=316-336,370-380#L316 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429657%40ipaymu-for-woocommerce&new=3429657%40ipaymu-for-woocommerce |
| iWT Ltd.--FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device's SQLite database. Attackers can directly read sensitive login information stored in /faceGuard/database/FaceSentryWeb.sqlite without additional authentication. | 2026-01-07 | 8.2 | CVE-2019-25279 | Zero Science Lab Vulnerability Advisory IBM X-Force Exchange Vulnerability Entry Packet Storm Security Exploit Entry |
| iWT Ltd.--FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle attacks to capture HTTP cookie authentication information during network communication. | 2026-01-07 | 7.5 | CVE-2019-25278 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange Entry |
| JanStudio--Gecko | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JanStudio Gecko allows PHP Local File Inclusion.This issue affects Gecko: from n/a through 1.9.8. | 2026-01-07 | 8.1 | CVE-2025-69080 | https://patchstack.com/database/wordpress/theme/gecko/vulnerability/wordpress-gecko-theme-1-9-8-local-file-inclusion-vulnerability?_s_id=cve |
| jwsthemes--FreeAgent | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent allows PHP Local File Inclusion.This issue affects FreeAgent: from n/a through 2.1.2. | 2026-01-05 | 8.1 | CVE-2025-69087 | https://vdp.patchstack.com/database/wordpress/theme/freeagent/vulnerability/wordpress-freeagent-theme-2-1-2-local-file-inclusion-vulnerability?_s_id=cve |
| Jwsthemes--Issabella | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jwsthemes Issabella allows PHP Local File Inclusion.This issue affects Issabella: from n/a through 1.1.2. | 2026-01-06 | 8.1 | CVE-2025-69086 | https://patchstack.com/database/wordpress/theme/issabella/vulnerability/wordpress-issabella-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve |
| kanboard--kanboard | Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49. | 2026-01-08 | 9.1 | CVE-2026-21881 | https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc https://github.com/kanboard/kanboard/releases/tag/v1.2.49 |
| KlbTheme--Machic Core | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS.This issue affects Machic Core: from n/a through 1.2.6. | 2026-01-05 | 7.1 | CVE-2023-49186 | https://vdp.patchstack.com/database/wordpress/plugin/machic-core/vulnerability/wordpress-machic-core-plugin-1-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| loopus--WP Cost Estimation & Payment Forms Builder | The WP Cost Estimation plugin for WordPress is vulnerable to arbitrary file uploads and deletion due to missing file type validation in the lfb_upload_form and lfb_removeFile AJAX actions in versions up to, and including, 9.642. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. Additionally, the attacker can also delete files on the server such as database configuration files, subsequently uploading their own database files. | 2026-01-08 | 9.8 | CVE-2019-25296 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae50aa5d-95e3-4650-9dbf-118b4ba3abda?source=cve https://www.wordfence.com/blog/2019/02/vulnerabilities-patched-in-wp-cost-estimation-plugin/ https://www.zdnet.com/article/another-wordpress-commercial-plugin-gets-exploited-in-the-wild/ https://wpscan.com/vulnerability/9219 https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-cost-estimation-payment-forms-builder-multiple-vulnerabilities-9-642/ |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class. php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class. php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication. | 2026-01-07 | 9.8 | CVE-2026-21875 | https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-crpv-fmc4-j392 |
| Marketing Fire LLC--LoginWP - Pro | Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. | 2026-01-05 | 7.5 | CVE-2025-46255 | https://vdp.patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve |
| Meow Apps--Media File Renamer | Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7. | 2026-01-05 | 9.1 | CVE-2023-50897 | https://vdp.patchstack.com/database/wordpress/plugin/media-file-renamer/vulnerability/wordpress-media-file-renamer-plugin-5-7-7-arbitrary-file-rename-lead-to-rce-vulnerability?_s_id=cve |
| Mojoomla--WPCHURCH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla WPCHURCH allows Blind SQL Injection.This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-07 | 9.3 | CVE-2025-32303 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-2-7-0-sql-injection-vulnerability?_s_id=cve |
| Mojoomla--WPCHURCH | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH allows PHP Local File Inclusion.This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-06 | 8.1 | CVE-2025-32304 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-plugin-2-7-0-local-file-inclusion-vulnerability?_s_id=cve |
| moneyspace--Money Space | The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation. | 2026-01-07 | 8.6 | CVE-2025-13371 | https://www.wordfence.com/threat-intel/vulnerabilities/id/77db827d-9afd-4b59-b0ad-1ad562634c52?source=cve https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L164 https://plugins.trac.wordpress.org/browser/money-space/trunk/view/mspaylink.php#L232 https://plugins.trac.wordpress.org/browser/money-space/tags/2.13.9/view/mspaylink.php#L232 https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L232 |
| n/a--GNU Wget2 | A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user's environment. | 2026-01-09 | 8.8 | CVE-2025-69194 | https://access.redhat.com/security/cve/CVE-2025-69194 RHBZ#2425773 |
| n/a--GNU Wget2 | A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities. | 2026-01-09 | 7.6 | CVE-2025-69195 | https://access.redhat.com/security/cve/CVE-2025-69195 RHBZ#2425770 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0. | 2026-01-07 | 10 | CVE-2026-21858 | https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg |
| n8n-io--n8n | n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended. | 2026-01-08 | 10 | CVE-2026-21877 | https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263 https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function reads memory without valid bounds checking when parsing AOS frame hashes. This issue has been patched in version 1.4.3. | 2026-01-10 | 8.2 | CVE-2026-21898 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853 https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_Config_Add_Gvcid_Managed_Parameters function only checks whether gvcid_counter > GVCID_MAN_PARAM_SIZE. As a result, it allows up to the 251st entry, which causes a write past the end of the array, overwriting gvcid_counter located immediately after gvcid_managed_parameters_array[250]. This leads to an out-of-bounds write, and the overwritten gvcid_counter may become an arbitrary value, potentially affecting the parameter lookup/registration logic that relies on it. This issue has been patched in version 1.4.3. | 2026-01-10 | 7.3 | CVE-2026-21897 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-9x7j-gx23-7m5r https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, CryptoLib's KMC crypto service integration is vulnerable to a heap buffer overflow when decoding Base64-encoded ciphertext/cleartext fields returned by the KMC service. The decode destination buffer is sized using an expected output length (len_data_out), but the Base64 decoder writes output based on the actual Base64 input length and does not enforce any destination size limit. An oversized Base64 string in the KMC JSON response can cause out-of-bounds writes on the heap, resulting in process crash and potentially code execution under certain conditions. This issue has been patched in version 1.4.3. | 2026-01-10 | 7.5 | CVE-2026-22697 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-qjx3-83jh-2jc4 https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| neeraj_slit--Brevo for WooCommerce | The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_connection_id' parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-08 | 7.2 | CVE-2025-14436 | https://www.wordfence.com/threat-intel/vulnerabilities/id/670f4e26-75c9-40cd-8088-2fa4c40f6feb?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L164 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L171 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L188 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/src/managers/admin-manager.php#L59 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/src/views/admin_menus.php#L728 https://plugins.trac.wordpress.org/changeset/3434903/woocommerce-sendinblue-newsletter-subscription |
| NREL--BEopt | NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. Attackers can exploit insecure library loading of sdl2.dll and libegl.dll by placing malicious libraries on WebDAV or SMB shares to execute unauthorized code. | 2026-01-07 | 9.8 | CVE-2019-25268 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange BEopt Product Homepage |
| opajaap--WP Photo Album Plus | The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 7.1 | CVE-2025-14835 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0903521d-3b07-4539-97c9-15e6bbe2cc2e?source=cve https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L43 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L1130 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-filter.php#L125 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-functions.php#L5617 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3427638%40wp-photo-album-plus%2Ftrunk&old=3426267%40wp-photo-album-plus%2Ftrunk&sfp_email=&sfph_mail= |
| OpenCTI-Platform--opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lacks proper authorization checks to verify ownership of the targeted resources. An attacker can exploit this by supplying an active UUID of another user. Since the API does not validate whether the requester owns the resource, the mutation executes successfully, resulting in unauthorized deletion of the entire workspace. Version 6.8.1 fixes the issue. | 2026-01-05 | 7.1 | CVE-2025-61781 | https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-pr6m-q4g7-342c |
| OPEXUS--eCASE Audit | OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0. | 2026-01-08 | 7.6 | CVE-2026-22230 | url url url |
| OPEXUS--eCase Portal | OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files. | 2026-01-08 | 9.8 | CVE-2026-22234 | url url |
| OPEXUS--eComplaint | OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files. | 2026-01-08 | 7.5 | CVE-2026-22235 | url url |
| opf--openproject | OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually. | 2026-01-10 | 9.1 | CVE-2026-22600 | https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh https://github.com/opf/openproject/releases/tag/v16.6.4 |
| Plexus--Plexus anblick Digital Signage Management | Plexus anblick Digital Signage Management 3.1.13 contains an open redirect vulnerability in the 'PantallaLogin' script that allows attackers to manipulate the 'pagina' GET parameter. Attackers can craft malicious links that redirect users to arbitrary websites by exploiting improper input validation in the parameter. | 2026-01-06 | 9.8 | CVE-2020-36912 | Zero Science Lab Disclosure (ZSL-2020-5573) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange Entry Plexus Vendor Homepage VulnCheck Advisory: Plexus anblick Digital Signage Management 3.1.13 Open Redirect via Pagina Parameter |
| pnpm--pnpm | pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0. | 2026-01-07 | 8.8 | CVE-2025-69264 | https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5 |
| pnpm--pnpm | pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0. | 2026-01-07 | 7.6 | CVE-2025-69262 | https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx https://github.com/pnpm/pnpm/releases/tag/v10.27.0 |
| pnpm--pnpm | pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0. | 2026-01-07 | 7.5 | CVE-2025-69263 | https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85 |
| Pro-Bravia--Sony BRAVIA Digital Signage | Sony BRAVIA Digital Signage 1.7.8 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive system details through API endpoints. Attackers can retrieve network interface information, server configurations, and system metadata by sending requests to the exposed system API. | 2026-01-06 | 7.5 | CVE-2020-36922 | ExploitDB-49187 Sony BRAVIA Digital Signage Official Homepage BRAVIA Signage Software Resources Sony Professional Display Software Product Page Zero Science Lab Disclosure (ZSL-2020-5610) Packet Storm Security Exploit Entry CXSecurity Vulnerability Database IBM X-Force Vulnerability Exchange VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Unauthenticated System API Information Disclosure |
| Pro-Bravia--Sony BRAVIA Digital Signage | Sony BRAVIA Digital Signage 1.7.8 contains a remote file inclusion vulnerability that allows attackers to inject arbitrary client-side scripts through the content material URL parameter. Attackers can exploit this vulnerability to hijack user sessions, execute cross-site scripting code, and modify display content by manipulating the input material type. | 2026-01-06 | 7.5 | CVE-2020-36924 | ExploitDB-49186 Sony BRAVIA Digital Signage Product Homepage BRAVIA Signage Software Resources Sony Professional Display Software Product Page Zero Science Lab Disclosure (ZSL-2020-5612) Packet Storm Security Exploit Archive IBM X-Force Exchange Vulnerability Entry CXSecurity Vulnerability Listing VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion |
| projectworlds--House Rental and Property Listing | A flaw has been found in projectworlds House Rental and Property Listing 1.0. Impacted is an unknown function of the file /app/register.php?action=reg of the component Signup. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-06 | 7.3 | CVE-2026-0643 | VDB-339686 | projectworlds House Rental and Property Listing Signup register.php unrestricted upload VDB-339686 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #732563 | projectworlds.com rental And Property Listing Project V1.0 File unrestricted upload https://github.com/1uzpk/cve/issues/4 |
| Qualcomm, Inc.--Snapdragon | Cryptographic issue may occur while encrypting license data. | 2026-01-06 | 8.4 | CVE-2025-47345 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while deinitializing a HDCP session. | 2026-01-06 | 7.8 | CVE-2025-47339 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing a video session to set video parameters. | 2026-01-06 | 7.8 | CVE-2025-47343 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing a secure logging command in the trusted application. | 2026-01-06 | 7.8 | CVE-2025-47346 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing identity credential operations in the trusted application. | 2026-01-06 | 7.8 | CVE-2025-47348 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when multiple threads concurrently access and modify shared resources. | 2026-01-06 | 7.8 | CVE-2025-47356 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while preprocessing IOCTLs in sensors. | 2026-01-06 | 7.8 | CVE-2025-47380 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while passing pages to DSP with an unaligned starting address. | 2026-01-06 | 7.8 | CVE-2025-47388 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption when accessing resources in kernel driver. | 2026-01-06 | 7.8 | CVE-2025-47393 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption when copying overlapping buffers during memory operations due to incorrect offset calculations. | 2026-01-06 | 7.8 | CVE-2025-47394 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption occurs when a secure application is launched on a device with insufficient memory. | 2026-01-06 | 7.8 | CVE-2025-47396 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-05 | 8.8 | CVE-2025-15240 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| quickjs-ng--quickjs | A vulnerability was determined in quickjs-ng quickjs up to 0.11.0. This vulnerability affects the function js_typed_array_constructor of the file quickjs.c. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called c5d80831e51e48a83eab16ea867be87f091783c5. A patch should be applied to remediate this issue. | 2026-01-10 | 7.3 | CVE-2026-0821 | VDB-340355 | quickjs-ng quickjs quickjs.c js_typed_array_constructor heap-based overflow VDB-340355 | CTI Indicators (IOB, IOC, IOA) Submit #731780 | quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow https://github.com/quickjs-ng/quickjs/issues/1296 https://github.com/quickjs-ng/quickjs/pull/1299 https://github.com/quickjs-ng/quickjs/issues/1296#issue-3780003395 https://github.com/quickjs-ng/quickjs/commit/c5d80831e51e48a83eab16ea867be87f091783c5 |
| Red Hat--Red Hat Ansible Automation Platform 2.5 for RHEL 8 | A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker's capabilities would only be limited by role based access controls (RBAC). | 2026-01-08 | 8.5 | CVE-2025-14025 | https://access.redhat.com/articles/7136004 RHSA-2026:0360 RHSA-2026:0361 RHSA-2026:0408 RHSA-2026:0409 https://access.redhat.com/security/cve/CVE-2025-14025 RHBZ#2418785 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk. | 2026-01-08 | 7.5 | CVE-2026-0719 | https://access.redhat.com/security/cve/CVE-2026-0719 RHBZ#2427906 https://gitlab.gnome.org/GNOME/libsoup/-/issues/477 |
| Red Hat--Red Hat JBoss Enterprise Application Platform 8.1 | A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions. | 2026-01-07 | 9.6 | CVE-2025-12543 | RHSA-2026:0383 RHSA-2026:0384 RHSA-2026:0386 https://access.redhat.com/security/cve/CVE-2025-12543 RHBZ#2408784 |
| RED--RED-V Super Digital Signage System RXV-A740R | RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication. | 2026-01-06 | 7.5 | CVE-2020-36921 | Zero Science Lab Disclosure (ZSL-2020-5609) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database RED-V Vendor Homepage VulnCheck Advisory: RED-V Super Digital Signage System 5.1.1 Log Information Disclosure Vulnerability |
| remix-run--react-router | React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2. | 2026-01-10 | 9.1 | CVE-2025-61686 | https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw |
| remix-run--react-router | React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0. | 2026-01-10 | 8.2 | CVE-2026-21884 | https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7 |
| remix-run--react-router | React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0. | 2026-01-10 | 8 | CVE-2026-22029 | https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx |
| remix-run--react-router | React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0. | 2026-01-10 | 7.6 | CVE-2025-59057 | https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8 |
| Rustaurius--Five Star Restaurant Reservations | Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8. | 2026-01-05 | 8.6 | CVE-2025-68044 | https://vdp.patchstack.com/database/wordpress/plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| RustCrypto--elliptic-curves | RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 PKE decryption path where an invalid elliptic-curve point (C1) is decoded and the resulting value is unwrapped without checking. Specifically, AffinePoint::from_encoded_point(&encoded_c1) may return a None/CtOption::None when the supplied coordinates are syntactically valid but do not lie on the SM2 curve. The calling code previously used .unwrap(), causing a panic when presented with such input. This issue has been patched via commit 085b7be. | 2026-01-10 | 7.5 | CVE-2026-22699 | https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-78p6-6878-8mj6 https://github.com/RustCrypto/elliptic-curves/pull/1602 https://github.com/RustCrypto/elliptic-curves/commit/085b7bee647029bd189e1375203418205006bcab |
| RustCrypto--elliptic-curves | RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 public-key encryption (PKE) implementation: the decrypt() path performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. An attacker can submit short/undersized ciphertext or carefully-crafted DER-encoded structures to trigger bounds-check panics (Rust unwinding) which crash the calling thread or process. This issue has been patched via commit e60e991. | 2026-01-10 | 7.5 | CVE-2026-22700 | https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-j9xq-69pf-pcm8 https://github.com/RustCrypto/elliptic-curves/pull/1603 https://github.com/RustCrypto/elliptic-curves/commit/e60e99167a9a2b187ebe80c994c5204b0fdaf4ab |
| SaasProject--Booking Package | Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booking Package: from n/a through 1.6.27. | 2026-01-05 | 7.5 | CVE-2024-30516 | https://vdp.patchstack.com/database/wordpress/plugin/booking-package/vulnerability/wordpress-booking-package-plugin-1-6-27-price-manipulation-vulnerability?_s_id=cve |
| salvo-rs--salvo | Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generate an file view of a folder which include a render of the current path, in which its inserted in the HTML without proper sanitation, this leads to reflected XSS using the fact that request path is decoded and normalized in the matching stage but not is inserted raw in the html view (current.path), the only constraint here is for the root path (eg. /files in the PoC example) to have a sub directory (e.g common ones styles/scripts/etc) so that the matching return the list HTML page instead of the Not Found page. This issue has been patched in version 0.88.1. | 2026-01-08 | 8.8 | CVE-2026-22256 | https://github.com/salvo-rs/salvo/security/advisories/GHSA-rjf8-2wcw-f6mp https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L593 |
| salvo-rs--salvo | Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the files or folders names, this may potentially lead to XSS in cases where a website allow the access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1. | 2026-01-08 | 8.8 | CVE-2026-22257 | https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581 |
| Sangfor--Operation and Maintenance Management System | A vulnerability was found in Sangfor Operation and Maintenance Management System up to 3.0.8. This issue affects some unknown processing of the file /isomp-protocol/protocol/getHis of the component HTTP POST Request Handler. The manipulation of the argument sessionPath results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 9.8 | CVE-2025-15500 | VDB-340345 | Sangfor Operation and Maintenance Management System HTTP POST Request getHis os command injection VDB-340345 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #727208 | Sangfor Operation and Maintenance Management System (OSM / è¿ç»´å®‰å…¨ç®¡ç†ç³»ç»Ÿ) 3.0.8 OS Command Injection https://github.com/master-abc/cve/issues/11 https://github.com/master-abc/cve/issues/11#issue-3770602189 |
| Sangfor--Operation and Maintenance Management System | A vulnerability was determined in Sangfor Operation and Maintenance Management System up to 3.0.8. Impacted is the function WriterHandle.getCmd of the file /isomp-protocol/protocol/getCmd. This manipulation of the argument sessionPath causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 9.8 | CVE-2025-15501 | VDB-340346 | Sangfor Operation and Maintenance Management System getCmd WriterHandle.getCmd os command injection VDB-340346 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #727214 | Sangfor Operation and Maintenance Management System (OSM / è¿ç»´å®‰å…¨ç®¡ç†ç³»ç»Ÿ) 3.0.8 OS Command Injection https://github.com/master-abc/cve/issues/12 https://github.com/master-abc/cve/issues/12#issue-3770615262 |
| Sangfor--Operation and Maintenance Management System | A vulnerability has been found in Sangfor Operation and Maintenance Management System up to 3.0.8. This vulnerability affects the function uploadCN of the file VersionController.java. The manipulation of the argument filename leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 8.8 | CVE-2025-15499 | VDB-340344 | Sangfor Operation and Maintenance Management System VersionController.java uploadCN os command injection VDB-340344 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #727207 | Sangfor Operation and Maintenance Management System (è¿ç»´å®‰å…¨ç®¡ç†ç³»ç»Ÿ / OSM) 3.0.8 Command Injection https://github.com/master-abc/cve/issues/10 https://github.com/master-abc/cve/issues/10#issue-3770540830 |
| Sangfor--Operation and Maintenance Management System | A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.8. The affected element is the function SessionController of the file /isomp-protocol/protocol/session. Such manipulation of the argument Hostname leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-10 | 7.3 | CVE-2025-15502 | VDB-340347 | Sangfor Operation and Maintenance Management System session SessionController os command injection VDB-340347 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #727217 | Sangfor Operation and Maintenance Management System (OSM / è¿ç»´å®‰å…¨ç®¡ç†ç³»ç»Ÿ) 3.0.8 OS Command Injection https://github.com/master-abc/cve/issues/14 https://github.com/master-abc/cve/issues/14#issue-3770634476 |
| Sangfor--Operation and Maintenance Management System | A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-10 | 7.3 | CVE-2025-15503 | VDB-340348 | Sangfor Operation and Maintenance Management System common.jsp unrestricted upload VDB-340348 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #727253 | Sangfor Operation and Maintenance Management System (OSM / è¿ç»´å®‰å…¨ç®¡ç†ç³»ç»Ÿ) 3.0.8 Unrestricted Upload https://github.com/master-abc/cve/issues/13 https://github.com/master-abc/cve/issues/13#issue-3770623333 |
| Sfwebservice--InWave Jobs | Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through 3.5.8. | 2026-01-06 | 9.8 | CVE-2025-39477 | https://patchstack.com/database/wordpress/plugin/iwjob/vulnerability/wordpress-inwave-jobs-plugin-3-5-8-broken-access-control-vulnerability?_s_id=cve |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field. | 2026-01-09 | 9.8 | CVE-2025-14736 | https://www.wordfence.com/threat-intel/vulnerabilities/id/07eb71fc-6588-490d-8947-3077ec4a9045?source=cve https://plugins.trac.wordpress.org/changeset/3427243/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts. | 2026-01-09 | 9.1 | CVE-2025-14741 | https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106 |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 7.2 | CVE-2025-14937 | https://www.wordfence.com/threat-intel/vulnerabilities/id/46c988ff-9cc5-4f2b-a3dd-06eaef5a7919?source=cve https://plugins.trac.wordpress.org/changeset/3427236/acf-frontend-form-element |
| Shazdeh--Header Image Slider | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shazdeh Header Image Slider header-image-slider allows DOM-Based XSS.This issue affects Header Image Slider: from n/a through 0.3. | 2026-01-06 | 7.1 | CVE-2024-30547 | https://patchstack.com/database/wordpress/plugin/header-image-slider/vulnerability/wordpress-header-image-slider-plugin-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Shenzhen Xingmeng Qihang Media Co., Ltd.--QiHang Media Web (QH.aspx) Digital Signage | QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. Attackers can perform man-in-the-middle attacks to capture and potentially misuse stored authentication credentials transmitted in an insecure manner. | 2026-01-06 | 7.5 | CVE-2020-36914 | Zero Science Lab Disclosure (ZSL-2020-5578) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry HowFor Vendor Homepage VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Cookie Authentication Credentials Disclosure |
| solwininfotech--User Activity Log | The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. | 2026-01-07 | 7.5 | CVE-2025-11877 | https://www.wordfence.com/threat-intel/vulnerabilities/id/24225f47-cec2-4270-88f0-8696ebfb7168?source=cve https://plugins.trac.wordpress.org/browser/user-activity-log/trunk/user-functions.php |
| Sony Electronics Inc.--Sony BRAVIA Digital Signage | Sony BRAVIA Digital Signage 1.7.8 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization controls. Attackers can access hidden system resources like '/#/content-creation' by manipulating client-side access restrictions. | 2026-01-06 | 9.8 | CVE-2020-36923 | Zero Science Lab Disclosure (ZSL-2020-5611) IBM X-Force Exchange Vulnerability Entry CXSecurity Vulnerability Listing Packet Storm Security Exploit Archive Sony Professional Display Software Product Page BRAVIA Signage Software Resources Sony BRAVIA Digital Signage Official Homepage VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Client-Side Protection Bypass via IDOR |
| spinnaker--spinnaker | Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into spinnaker pipelines via helm or other methods to extract things LIKE idmsv1 authentication data. This also includes calling internal spinnaker API's via a get and similar endpoints. Further, depending upon the artifact in question, auth data may be exposed to arbitrary endpoints (e.g. GitHub auth headers) leading to credentials exposure. To trigger this, a spinnaker installation MUST have two things. The first is an artifact enabled that allows user input. This includes GitHub file artifacts, BitBucket, GitLab, HTTP artifacts and similar artifact providers. JUST enabling the http artifact provider will add a "no-auth" http provider that could be used to extract link local data (e.g. AWS Metadata information). The second is a system that can consume the output of these artifacts. e.g. Rosco helm can use this to fetch values data. K8s account manifests if the API returns JSON can be used to inject that data into the pipeline itself though the pipeline would fail. This vulnerability is fixed in versions 2025.1.6, 2025.2.3, and 2025.3.0. As a workaround, disable HTTP account types that allow user input of a given URL. This is probably not feasible in most cases. Git, Docker and other artifact account types with explicit URL configurations bypass this limitation and should be safe as they limit artifact URL loading. Alternatively, use one of the various vendors which provide OPA policies to restrict pipelines from accessing or saving a pipeline with invalid URLs. | 2026-01-05 | 7.9 | CVE-2025-61916 | https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h |
| spree--spree | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5. | 2026-01-10 | 7.5 | CVE-2026-22589 | https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795 https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67 https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad |
| staniel359--muffon | muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon's custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue. | 2026-01-05 | 8.8 | CVE-2025-55204 | https://github.com/staniel359/muffon/security/advisories/GHSA-gc3f-gqph-522q https://drive.google.com/file/d/1eCPCQ6leuVM_vecfofFv04c0t9isCBqR/view?usp=sharing https://github.com/staniel359/muffon/releases/tag/v2.3.0 |
| SUSE--harvester | Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup. | 2026-01-08 | 9.8 | CVE-2025-62877 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877 https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv |
| SUSE--neuvector | NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks. | 2026-01-08 | 8.8 | CVE-2025-66001 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66001 https://github.com/neuvector/neuvector/security/advisories/GHSA-4jj9-cgqc-x9h5 |
| Tdmsignage--TDM Digital Signage PC Player | TDM Digital Signage PC Player 4.1.0.4 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files. Attackers can leverage the 'Modify' permissions for authenticated users to replace executable files with malicious binaries and gain elevated system access. | 2026-01-06 | 8.8 | CVE-2020-36916 | ExploitDB-48953 TDM Digital Signage Official Website Sony Professional Display Software Product Page Zero Science Lab Disclosure (ZSL-2020-5604) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: TDM Digital Signage PC Player 4.1.0.4 Privilege Escalation via Insecure Permissions |
| Tencent--WeKnora | WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5. | 2026-01-10 | 10 | CVE-2026-22688 | https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb |
| Tencent--WeKnora | WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5. | 2026-01-10 | 8.1 | CVE-2026-22687 | https://github.com/Tencent/WeKnora/security/advisories/GHSA-pcwc-3fw3-8cqv https://github.com/Tencent/WeKnora/commit/da55707022c252dd2c20f8e18145b2d899ee06a1 |
| Tenda--AC23 | A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Executing a manipulation of the argument Time can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-06 | 8.8 | CVE-2026-0640 | VDB-339683 | Tenda AC23 PowerSaveSet sscanf buffer overflow VDB-339683 | CTI Indicators (IOB, IOC, IOA) Submit #731772 | Tenda AC23 V16.03.07.52 Buffer Overflow https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md#poc https://www.tenda.com.cn/ |
| the-hideout--tarkov-data-manager | The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities. | 2026-01-07 | 9.8 | CVE-2026-21854 | https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-r8w6-9xwg-6h73 https://github.com/the-hideout/tarkov-data-manager/commit/f188f0abf766cefe3f1b7b4fc6fe9dad3736174a |
| the-hideout--tarkov-data-manager | The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities. | 2026-01-07 | 9.3 | CVE-2026-21855 | https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89 |
| the-hideout--tarkov-data-manager | The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time based blind SQL injection vulnerability in the webhook edit and scanner api endpoints that allow an authenticated attacker to execute arbitrary SQL queries against the MySQL database. Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 contains a patch. | 2026-01-07 | 7.2 | CVE-2026-21856 | https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-4gcx-ghwc-rc78 https://github.com/the-hideout/tarkov-data-manager/commit/9bdb3a75a98a7047b6d70144eb1da1655d6992a8 |
| ThemeREX Group--Hope | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Group Hope charity-is-hope allows PHP Local File Inclusion.This issue affects Hope: from n/a through 3.0.0. | 2026-01-07 | 8.1 | CVE-2025-69081 | https://patchstack.com/database/wordpress/theme/charity-is-hope/vulnerability/wordpress-hope-theme-3-0-0-local-file-inclusion-vulnerability?_s_id=cve |
| Themesgrove--WidgetKit Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesgrove WidgetKit Pro allows Reflected XSS.This issue affects WidgetKit Pro: from n/a through 1.13.1. | 2026-01-07 | 7.1 | CVE-2025-46494 | https://patchstack.com/database/wordpress/plugin/widgetkit-pro/vulnerability/wordpress-widgetkit-pro-plugin-1-13-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Themify--Shopo | Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a Web Server.This issue affects Shopo: from n/a through 1.1.4. | 2026-01-05 | 9.9 | CVE-2025-31048 | https://vdp.patchstack.com/database/wordpress/theme/shopo/vulnerability/wordpress-shopo-1-1-4-arbitrary-file-upload-vulnerability?_s_id=cve |
| Themify--Themify Edmin | Deserialization of Untrusted Data vulnerability in Themify Themify Edmin allows Object Injection.This issue affects Themify Edmin: from n/a through 2.0.0. | 2026-01-05 | 8.8 | CVE-2025-31047 | https://vdp.patchstack.com/database/wordpress/theme/edmin/vulnerability/wordpress-themify-edmin-2-0-0-php-object-injection-vulnerability?_s_id=cve |
| Themify--Themify Sidepane WordPress Theme | Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server.This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5. | 2026-01-06 | 9.9 | CVE-2025-30996 | https://patchstack.com/database/wordpress/theme/sidepane/vulnerability/wordpress-themify-sidepane-wordpress-theme-1-9-8-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/newsy/vulnerability/wordpress-themify-newsy-1-9-9-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/folo/vulnerability/wordpress-themify-folo-1-9-6-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/edmin/vulnerability/wordpress-themify-edmin-2-0-0-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/bloggie/vulnerability/wordpress-bloggie-2-0-8-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/photobox/vulnerability/wordpress-photobox-2-0-1-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/wigi/vulnerability/wordpress-wigi-2-0-1-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/rezo/vulnerability/wordpress-rezo-1-9-7-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/slide/vulnerability/wordpress-slide-1-7-5-arbitrary-file-upload-vulnerability?_s_id=cve |
| Trend Micro, Inc.--Trend Micro Apex Central | A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations. | 2026-01-08 | 9.8 | CVE-2025-69258 | https://success.trendmicro.com/en-US/solution/KA-0022071 https://success.trendmicro.com/ja-JP/solution/KA-0022081 https://www.tenable.com/security/research/tra-2026-01 |
| Trend Micro, Inc.--Trend Micro Apex Central | A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability.. | 2026-01-08 | 7.5 | CVE-2025-69259 | https://success.trendmicro.com/en-US/solution/KA-0022071 https://success.trendmicro.com/ja-JP/solution/KA-0022081 https://www.tenable.com/security/research/tra-2026-01 |
| Trend Micro, Inc.--Trend Micro Apex Central | A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability. | 2026-01-08 | 7.5 | CVE-2025-69260 | https://success.trendmicro.com/en-US/solution/KA-0022071 https://success.trendmicro.com/ja-JP/solution/KA-0022081 https://www.tenable.com/security/research/tra-2026-01 |
| TRENDnet--TEW-713RE | A vulnerability was detected in TRENDnet TEW-713RE 1.02. The impacted element is an unknown function of the file /goformX/formFSrvX. The manipulation of the argument SZCMD results in os command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-06 | 9.8 | CVE-2025-15471 | VDB-339721 | TRENDnet TEW-713RE formFSrvX os command injection VDB-339721 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721441 | TRENDnet TEW-713RE 1.02 OS Command Injection https://pentagonal-time-3a7.notion.site/Command-Injection-Vulnerability-in-formFSrvX-of-Trendnet-TEW-713RE-2d1e5dd4c5a5801481abe7a944763d39 |
| TRENDnet--TEW-811DRU | A flaw has been found in TRENDnet TEW-811DRU 1.0.2.0. This affects the function setDeviceURL of the file uapply.cgi of the component httpd . This manipulation of the argument DeviceURL causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-06 | 7.2 | CVE-2025-15472 | VDB-339722 | TRENDnet TEW-811DRU httpd uapply.cgi setDeviceURL os command injection VDB-339722 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721874 | TRENDnet TEW-811DRU 1.0.4.0 OS Command Injection https://pentagonal-time-3a7.notion.site/TrendNet-TEW-811DRU-2d2e5dd4c5a58016a612e99853b835f8 |
| TryGhost--Ghost | Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0. | 2026-01-10 | 8.1 | CVE-2026-22594 | https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4 https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07 |
| TryGhost--Ghost | Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0. | 2026-01-10 | 8.1 | CVE-2026-22595 | https://github.com/TryGhost/Ghost/security/advisories/GHSA-9xg7-mwmp-xmjx https://github.com/TryGhost/Ghost/commit/9513d2a35c21067127ce8192443d8919ddcefcc8 https://github.com/TryGhost/Ghost/commit/c3017f81a5387b253a7b8c1ba1959d430ee536a3 |
| Tumult Inc--Tumult Hype Animations | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tumult Inc Tumult Hype Animations allows DOM-Based XSS.This issue affects Tumult Hype Animations: from n/a through 1.9.11. | 2026-01-05 | 7.1 | CVE-2024-30461 | https://vdp.patchstack.com/database/wordpress/plugin/tumult-hype-animations/vulnerability/wordpress-tumult-hype-animations-plugin-1-9-11-csrf-to-xss-vulnerability?_s_id=cve |
| Ubiquiti Inc--UBB-XG | A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: UBB-XG (Version 1.2.2 and earlier) UDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earlier) UBB (Version 3.1.5 and earlier) Mitigation: Update your UBB-XG to Version 1.2.3 or later. Update your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later. Update your UBB to Version 3.1.7 or later. | 2026-01-08 | 8.8 | CVE-2026-21638 | https://community.ui.com/releases/Security-Advisory-Bulletin-060-060/cde18da7-2bc4-41bb-a9cc-48a4a4c479c1 |
| Ubiquiti Inc--UCRM Argentina AFIP invoices Plugin | A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. Affected Products: UCRM Argentina AFIP invoices Plugin (Version 1.2.0 and earlier) Mitigation: Update UCRM Argentina AFIP invoices Plugin to Version 1.3.0 or later. | 2026-01-05 | 7.5 | CVE-2025-59467 | https://community.ui.com/releases/Security-Advisory-Bulletin-057/6d3f2a51-22b8-47a1-9296-1e9dcd64e073 |
| Ubiquiti Inc--UniFi Protect Application | A malicious actor with access to the adjacent network could obtain unauthorized access to a UniFi Protect Camera by exploiting a discovery protocol vulnerability in the Unifi Protect Application (Version 6.1.79 and earlier). Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later. | 2026-01-05 | 8.8 | CVE-2026-21633 | https://community.ui.com/releases/Security-Advisory-Bulletin-058-058/6922ff20-8cd7-4724-8d8c-676458a2d0f9 |
| UTT-- 520W | A security vulnerability has been detected in UTT è¿›å– 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formUser. Such manipulation of the argument passwd1 leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 8.8 | CVE-2025-15459 | VDB-339495 | UTT è¿›å– 520W formUser strcpy buffer overflow VDB-339495 | CTI Indicators (IOB, IOC, IOA) Submit #725816 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/22.md https://github.com/cymiao1978/cve/blob/main/new/22.md#poc |
| UTT-- 520W | A vulnerability was detected in UTT è¿›å– 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formPptpClientConfig. Performing a manipulation of the argument EncryptionMode results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 8.8 | CVE-2025-15460 | VDB-339496 | UTT è¿›å– 520W formPptpClientConfig strcpy buffer overflow VDB-339496 | CTI Indicators (IOB, IOC, IOA) Submit #725817 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/23.md https://github.com/cymiao1978/cve/blob/main/new/23.md#poc |
| UTT-- 520W | A flaw has been found in UTT è¿›å– 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/formTaskEdit. Executing a manipulation of the argument selDateType can lead to buffer overflow. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 8.8 | CVE-2025-15461 | VDB-339497 | UTT è¿›å– 520W formTaskEdit strcpy buffer overflow VDB-339497 | CTI Indicators (IOB, IOC, IOA) Submit #725818 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/24.md https://github.com/cymiao1978/cve/blob/main/new/24.md#poc |
| UTT-- 520W | A vulnerability has been found in UTT è¿›å– 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigAdvideo. The manipulation of the argument timestart leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 8.8 | CVE-2025-15462 | VDB-339498 | UTT è¿›å– 520W ConfigAdvideo strcpy buffer overflow VDB-339498 | CTI Indicators (IOB, IOC, IOA) Submit #725819 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/25.md https://github.com/cymiao1978/cve/blob/main/new/25.md#poc |
| UTT-- 520W | A vulnerability was determined in UTT è¿›å– 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formConfigFastDirectionW. This manipulation of the argument ssid causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0836 | VDB-340436 | UTT è¿›å– 520W formConfigFastDirectionW strcpy buffer overflow VDB-340436 | CTI Indicators (IOB, IOC, IOA) Submit #729018 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/Lena-lyy/cve/blob/main/1223/26.md |
| UTT-- 520W | A vulnerability was identified in UTT è¿›å– 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formFireWall. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0837 | VDB-340437 | UTT è¿›å– 520W formFireWall strcpy buffer overflow VDB-340437 | CTI Indicators (IOB, IOC, IOA) Submit #729019 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/Lena-lyy/cve/blob/main/1223/27.md |
| UTT-- 520W | A security flaw has been discovered in UTT è¿›å– 520W 1.7.7-180627. This impacts the function strcpy of the file /goform/ConfigWirelessBase. Performing a manipulation of the argument ssid results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0838 | VDB-340438 | UTT è¿›å– 520W ConfigWirelessBase strcpy buffer overflow VDB-340438 | CTI Indicators (IOB, IOC, IOA) Submit #729020 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/Lena-lyy/cve/blob/main/1223/28.md |
| UTT-- 520W | A weakness has been identified in UTT è¿›å– 520W 1.7.7-180627. Affected is the function strcpy of the file /goform/APSecurity. Executing a manipulation of the argument wepkey1 can lead to buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0839 | VDB-340439 | UTT è¿›å– 520W APSecurity strcpy buffer overflow VDB-340439 | CTI Indicators (IOB, IOC, IOA) Submit #729028 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/GUOTINGTING2297/cve/blob/main/1234/29.md |
| UTT-- 520W | A security vulnerability has been detected in UTT è¿›å– 520W 1.7.7-180627. Affected by this vulnerability is the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0840 | VDB-340440 | UTT è¿›å– 520W formConfigNoticeConfig strcpy buffer overflow VDB-340440 | CTI Indicators (IOB, IOC, IOA) Submit #729029 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/GUOTINGTING2297/cve/blob/main/1234/30.md |
| UTT-- 520W | A vulnerability was detected in UTT è¿›å– 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formPictureUrl. The manipulation of the argument importpictureurl results in buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0841 | VDB-340441 | UTT è¿›å– 520W formPictureUrl strcpy buffer overflow VDB-340441 | CTI Indicators (IOB, IOC, IOA) Submit #729030 | UTT è¿›å– 520W v3v1.7.7-180627 Buffer Overflow https://github.com/GUOTINGTING2297/cve/blob/main/1234/31.md |
| Veeam--Backup And Recovery | This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file. | 2026-01-08 | 7.8 | CVE-2025-55125 | https://www.veeam.com/kb4792 |
| Veeam--Backup and Recovery | This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter. | 2026-01-08 | 9 | CVE-2025-59468 | https://www.veeam.com/kb4792 |
| Veeam--Backup and Recovery | This vulnerability allows a Backup or Tape Operator to write files as root. | 2026-01-08 | 9 | CVE-2025-59469 | https://www.veeam.com/kb4792 |
| Veeam--Backup and Recovery | This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter. | 2026-01-08 | 9 | CVE-2025-59470 | https://www.veeam.com/kb4792 |
| vega--vega | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use `vega` in an application that attaches both `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window`, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application's domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications.Patched versions are available in `vega-selections@6.1.2` (requires ESM) for Vega v6 and `vega-selections@5.6.3` (no ESM needed) for Vega v5. As a workaround, do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do. This is a development-only debugging practice that should not be used in any situation where Vega/Vega-lite definitions can come from untrusted parties. | 2026-01-05 | 8.1 | CVE-2025-65110 | https://github.com/vega/vega/security/advisories/GHSA-829q-m3qg-ph8r |
| vega--vega | vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue. | 2026-01-05 | 7.2 | CVE-2025-66648 | https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm |
| veronalabs--SlimStat Analytics | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report. | 2026-01-09 | 7.2 | CVE-2025-15055 | https://www.wordfence.com/threat-intel/vulnerabilities/id/afbfabfc-b923-4fe9-9e8f-0cf159f488db?source=cve https://plugins.trac.wordpress.org/changeset/3429990/wp-slimstat |
| veronalabs--SlimStat Analytics | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the Real-time Access Log report. | 2026-01-09 | 7.2 | CVE-2025-15057 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90920df9-1362-466b-b14b-4714087f556b?source=cve https://plugins.trac.wordpress.org/changeset/3428488/wp-slimstat |
| Waituk--Entrada | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Waituk Entrada allows SQL Injection.This issue affects Entrada: from n/a through 5.7.7. | 2026-01-05 | 9.3 | CVE-2025-39484 | https://vdp.patchstack.com/database/wordpress/theme/entrada/vulnerability/wordpress-entrada-theme-5-7-7-sql-injection-vulnerability?_s_id=cve |
| webrndexperts--Latest Registered Users | The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter. | 2026-01-07 | 7.5 | CVE-2025-13493 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e6139543-81e3-480a-93a4-1d87b3f3f51e?source=cve https://plugins.trac.wordpress.org/browser/latest-registered-users/trunk/latest-registered-users.php#L246 https://plugins.trac.wordpress.org/browser/latest-registered-users/tags/1.4/latest-registered-users.php#L246 https://plugins.trac.wordpress.org/browser/latest-registered-users/trunk/latest-registered-users.php#L66 |
| WHILL--Model C2 Electric Wheelchair | WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction. | 2026-01-05 | 9.8 | CVE-2025-14346 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01 |
| woocommerce--WooCommerce Square | The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site. | 2026-01-10 | 7.5 | CVE-2025-13457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f4f726-7e53-4397-8d8b-7a574326adc6?source=cve https://plugins.trac.wordpress.org/changeset/3415850/woocommerce-square |
| WPweb--Follow My Blog Post | Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Follow My Blog Post: from n/a through 2.4.0. | 2026-01-05 | 7.5 | CVE-2025-68547 | https://vdp.patchstack.com/database/wordpress/plugin/follow-my-blog-post/vulnerability/wordpress-follow-my-blog-post-plugin-2-4-0-arbitrary-content-deletion-vulnerability?_s_id=cve |
| xfinitysoft--Reviewify Review Discounts & Photo/Video Reviews for WooCommerce | The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to create arbitrary WooCommerce discount coupons, potentially causing financial loss to the store. | 2026-01-07 | 7.5 | CVE-2025-14070 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9db8756a-a177-4d39-b169-dc874cac2b3b?source=cve https://cwe.mitre.org/data/definitions/862.html https://plugins.trac.wordpress.org/browser/review-for-discount/trunk/admin/class-xswcrd-review-discounts-admin.php#L425 https://plugins.trac.wordpress.org/browser/review-for-discount/tags/1.0.6/admin/class-xswcrd-review-discounts-admin.php#L425 |
| xwiki-contrib--macro-fullcalendar | XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5. | 2026-01-10 | 10 | CVE-2025-65091 | https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5 https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994 |
| Yerootech--iDS6 DSSPro Digital Signage System | iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by exploiting insecure direct object references. | 2026-01-06 | 8.8 | CVE-2020-36920 | ExploitDB-48992 Archived Yeroo Tech Vendor Homepage Zero Science Lab Disclosure (ZSL-2020-5608) Packet Storm Security Exploit Entry CXSecurity Vulnerability Database Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: iDS6 DSSPro Digital Signage System 6.2 Privilege Escalation via Access Control |
| yocoadmin--Yoco Payments | The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.8.8 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-01-07 | 7.5 | CVE-2025-13801 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ad74d5d0-270e-41d3-9596-2f71b05af276?source=cve https://plugins.trac.wordpress.org/browser/yoco-payment-gateway/tags/3.8.8/src/Helpers/Logs.php#L25 https://plugins.trac.wordpress.org/browser/yoco-payment-gateway/tags/3.8.8/src/Helpers/Logs.php#L59 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0. | 2026-01-08 | 7.2 | CVE-2026-21873 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 |
| Zenitel--ICX500 | Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device. | 2026-01-09 | 10 | CVE-2025-64093 | Zenitel Security Advisory |
| Zenitel--ICX500 | This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database. | 2026-01-09 | 7.5 | CVE-2025-64092 | Zenitel Security Advisory |
| Zenitel--TCIS-3+ | This vulnerability allows authenticated attackers to execute commands via the hostname of the device. | 2026-01-09 | 10 | CVE-2025-64090 | Zenitel Security Advisory |
| Zenitel--TCIS-3+ | This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device. | 2026-01-09 | 8.6 | CVE-2025-64091 | Zenitel Security Advisory |
| Zimbra--Collaboration | Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message. | 2026-01-05 | 7.2 | CVE-2025-66376 | https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| aaextensions--AA Block country | The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header. | 2026-01-07 | 5.3 | CVE-2025-13694 | https://www.wordfence.com/threat-intel/vulnerabilities/id/037ac32a-dc2e-4e9f-9318-65dfee1c80e9?source=cve https://plugins.trac.wordpress.org/browser/aa-block-country/trunk/aablockcountry.php#L26 https://plugins.trac.wordpress.org/browser/aa-block-country/tags/1.0.1/aablockcountry.php#L26 |
| ABB--WebPro SNMP Card PowerValue | Improper Check for Unusual or Exceptional Conditions vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. | 2026-01-07 | 6.5 | CVE-2025-4675 | https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009&LanguageCode=en&DocumentPartId=&Action=Launch |
| ABB--WebPro SNMP Card PowerValue | Insufficient Session Expiration vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. | 2026-01-07 | 6.5 | CVE-2025-4677 | https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009&LanguageCode=en&DocumentPartId=&Action=Launch |
| aharonyan--Guest posting / Frontend Posting / Front Editor WP Front User Submit | The Guest posting / Frontend Posting / Front Editor - WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments. | 2026-01-07 | 5.3 | CVE-2025-13419 | https://www.wordfence.com/threat-intel/vulnerabilities/id/874b3448-df4c-49c4-bf4f-435cf48f6305?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432207%40front-editor&new=3432207%40front-editor&sfp_email=&sfph_mail= |
| ahecht--AH Shortcodes | The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14109 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b77243f-f48b-4a94-9d60-bf96dc26fe77?source=cve https://plugins.trac.wordpress.org/browser/ah-shortcodes/trunk/includes/shortcodes.php#L28 https://plugins.trac.wordpress.org/browser/ah-shortcodes/tags/1.0.2/includes/shortcodes.php#L28 |
| airesvsg--ACF to REST API | The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without checking object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to modify ACF fields on posts they do not own, any user account, comments, taxonomy terms, and even the global options page via the /wp-json/acf/v3/{type}/{id} endpoints, granted they can authenticate to the site. | 2026-01-07 | 4.3 | CVE-2025-12030 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab508fa-298c-48c1-8510-f2e0a881675a?source=cve https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L108 https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L120 |
| All-Dynamics Software--enlogic:show Digital Signage System | All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. Attackers can forge HTTP GET requests to welcome.php with a manipulated session token to bypass authentication and potentially execute cross-site request forgery attacks. | 2026-01-06 | 5.3 | CVE-2020-36913 | Zero Science Lab Disclosure (ZSL-2020-5577) Vendor Changelog for Version 2.0.3 Packet Storm Security Exploit Entry IBM X-Force Vulnerability Database Entry VulnCheck Advisory: All-Dynamics Software enlogic:show 2.0.2 Session Fixation Authentication Bypass |
| alobaidi--The Tooltip | The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13908 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d2bac05e-ecd0-427b-90a0-6cf78175cd19?source=cve https://plugins.trac.wordpress.org/browser/the-tooltip/trunk/the-tooltip.php#L92 https://plugins.trac.wordpress.org/browser/the-tooltip/tags/1.0.2/the-tooltip.php#L92 |
| Altera--Quartus Prime Pro | Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Pro Installer (SFX) on Windows allows Search Order Hijacking.This issue affects Quartus Prime Pro: from 24.1 through 24.3.1. | 2026-01-06 | 6.7 | CVE-2025-14596 | https://www.altera.com/security/security-advisory/asa-0004 |
| Altera--Quartus Prime Pro | Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Pro on Windows (System Console modules) allows Search Order Hijacking.This issue affects Quartus Prime Pro: from 17.0 through 25.1.1. | 2026-01-06 | 6.7 | CVE-2025-14605 | https://www.altera.com/security/security-advisory/asa-0004 |
| Altera--Quartus Prime Pro | Insecure Temporary File vulnerability in Altera Quartus Prime Pro Installer (SFX) on Windows allows : Use of Predictable File Names.This issue affects Quartus Prime Pro: from 24.1 through 25.1.1. | 2026-01-06 | 6.7 | CVE-2025-14612 | https://www.altera.com/security/security-advisory/asa-0004 |
| Altera--Quartus Prime Standard | Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard Installer (SFX) on Windows, Altera Quartus Prime Lite Installer (SFX) on Windows allows Search Order Hijacking.This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1. | 2026-01-06 | 6.7 | CVE-2025-14599 | https://www.altera.com/security/security-advisory/asa-0005 |
| Altera--Quartus Prime Standard | Insecure Temporary File vulnerability in Altera Quartus Prime Standard Installer (SFX) on Windows, Altera Quartus Prime Lite Installer (SFX) on Windows allows Explore for Predictable Temporary File Names.This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1. | 2026-01-06 | 6.7 | CVE-2025-14614 | https://www.altera.com/security/security-advisory/asa-0005 |
| Altera--Quartus Prime Standard | Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard on Windows (Nios II Command Shell modules), Altera Quartus Prime Lite on Windows (Nios II Command Shell modules) allows Search Order Hijacking.This issue affects Quartus Prime Standard: from 19.1 through 24.1; Quartus Prime Lite: from 19.1 through 24.1. | 2026-01-06 | 6.7 | CVE-2025-14625 | https://www.altera.com/security/security-advisory/asa-0005 |
| ameliabooking--Booking for Appointments and Events Calendar Amelia | The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things. | 2026-01-09 | 5.3 | CVE-2025-14720 | https://www.wordfence.com/threat-intel/vulnerabilities/id/771ed385-587c-400f-89c6-1a827c3e2c79?source=cve https://plugins.trac.wordpress.org/changeset/3429650/ameliabooking/trunk/src/Application/Commands/Square/SquareRefundWebhookCommandHandler.php |
| amirshk--Autogen Headers Menu | The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13704 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a63bf106-78cf-441b-a1b3-77ec1cf6c22b?source=cve https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L115 https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L115 https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L53 https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L53 |
| amu02aftab--Client Testimonial Slider | The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected administrative page. | 2026-01-09 | 6.4 | CVE-2025-13897 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5bf12608-4e02-4b3a-9363-991dca5ee11b?source=cve https://plugins.trac.wordpress.org/browser/wp-client-testimonial/trunk/wp-client-testimonial.php#L117 https://plugins.trac.wordpress.org/browser/wp-client-testimonial/tags/2.0/wp-client-testimonial.php#L117 |
| anand_kumar--Header and Footer Scripts | The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-11453 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d658e087-8cc7-4653-af3c-407b6f73fb7b?source=cve https://plugins.trac.wordpress.org/browser/header-and-footer-scripts/tags/2.2.2/shfs.php#L119 |
| anilankola--Newsletter Email Subscribe | The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-14904 | https://www.wordfence.com/threat-intel/vulnerabilities/id/00dd9a3c-a9f9-4fd2-9c93-0def42cec496?source=cve https://plugins.trac.wordpress.org/browser/newsletter-email-subscribe/tags/2.4/newsletter-email-subscribe.php#L109 |
| anjan011--Simple User Meta Editor | The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-14888 | https://www.wordfence.com/threat-intel/vulnerabilities/id/37342a62-97cd-43ef-af27-33092e840e67?source=cve https://plugins.trac.wordpress.org/browser/simple-user-meta-editor/tags/1.0.0/includes/templates/editor/index.php#L57 |
| anwerashif--xShare | The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-13527 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d6006ffe-e2db-477f-8a9f-c0cf0434086b?source=cve https://plugins.trac.wordpress.org/browser/xshare/trunk/index.php#L50 https://plugins.trac.wordpress.org/browser/xshare/tags/1.0.1/index.php#L50 |
| anybodesign--AD Sliding FAQ | The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14122 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d6c277f4-28e0-4159-a524-6576d72d2059?source=cve https://plugins.trac.wordpress.org/browser/ad-sliding-faq/trunk/any-sliding-faq.php#L205 https://plugins.trac.wordpress.org/browser/ad-sliding-faq/tags/2.4/any-sliding-faq.php#L205 |
| Arista Networks--EOS | On affected platforms running Arista EOS with MACsec configuration, a specially crafted packet can cause the MACsec process to terminate unexpectedly. Continuous receipt of these packets with certain MACsec configurations can cause longer term disruption of dataplane traffic. | 2026-01-06 | 4.3 | CVE-2025-7048 | https://www.arista.com/en/support/advisories-notices/security-advisory/23120-security-advisory-0132 |
| arraytics--Appointment Booking Calendar WP Timetics Booking Plugin | The Appointment Booking and Scheduling Calendar Plugin - WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details. | 2026-01-06 | 6.5 | CVE-2025-5919 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d8d50b65-7479-4140-9231-c06c18d8be8f?source=cve https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/api-booking.php#L56 https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/booking.php#L592 |
| ashishajani--Contact Form vCard Generator | The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages. | 2026-01-09 | 5.3 | CVE-2025-13717 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bdde4399-af90-4528-92a4-5176dfa5e453?source=cve https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L13 https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L13 https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L105 https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L105 |
| audrasjb--Key Figures | The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-14792 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4943899-a25a-4e50-b33e-139ed5e8f748?source=cve http://plugins.trac.wordpress.org/browser/key-figures/tags/1.1/admin/kf-admin.php#L201 |
| authlib--authlib | Authlib is a Python library which builds OAuth and OpenID Connect servers. In version 1.6.5 and prior, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller's session altogether. This issue has been patched in version 1.6.6. | 2026-01-08 | 5.7 | CVE-2025-68158 | https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523 https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489 https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228 |
| Automattic--WP Job Manager | Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows Cross Site Request Forgery.This issue affects WP Job Manager: from n/a through 2.0.0. | 2026-01-05 | 5.4 | CVE-2023-52212 | https://vdp.patchstack.com/database/wordpress/plugin/wp-job-manager/vulnerability/wordpress-wp-job-manager-plugin-2-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| averta--Depicter Popup & Slider Builder | The Popup and Slider Builder by Depicter - Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings. | 2026-01-06 | 5.3 | CVE-2025-11370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d35faf39-4882-4393-9b77-57dc45ac9d04?source=cve https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/RulesAjaxController.php https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/ajax.php https://plugins.trac.wordpress.org/changeset/3428118/depicter/trunk/app/routes/ajax.php |
| averta--Phlox | The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-06 | 6.4 | CVE-2025-4776 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a49f8150-a27d-4801-8923-31af335c3cbd?source=cve https://themes.trac.wordpress.org/changeset/300858/ |
| averta--Shortcodes and extra features for Phlox theme | The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the 'tag' and 'title_tag' parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-10 | 6.4 | CVE-2025-12379 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1144e0d9-692e-45a5-ac63-bcdd64a8bd8a?source=cve https://plugins.trac.wordpress.org/browser/auxin-elements/tags/2.17.12/includes/elementor/widgets/heading-modern.php#L1194 https://plugins.trac.wordpress.org/changeset/3429103/auxin-elements/trunk/includes/elementor/widgets/heading-modern.php |
| averta--Shortcodes and extra features for Phlox theme | The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to. | 2026-01-06 | 5.3 | CVE-2025-13215 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f47ab91-7d91-4231-91ef-66c556ad8496?source=cve https://plugins.trac.wordpress.org/browser/auxin-elements/tags/2.17.12/public/includes/frontend-ajax.php#L348 |
| Awethemes--AweBooking | Insertion of Sensitive Information Into Sent Data vulnerability in Awethemes AweBooking allows Retrieve Embedded Sensitive Data.This issue affects AweBooking: from n/a through 3.2.26. | 2026-01-05 | 6.5 | CVE-2025-68014 | https://vdp.patchstack.com/database/wordpress/plugin/awebooking/vulnerability/wordpress-awebooking-plugin-3-2-26-sensitive-data-exposure-vulnerability?_s_id=cve |
| axllent--mailpit | Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2. | 2026-01-10 | 6.5 | CVE-2026-22689 | https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f |
| axllent--mailpit | Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1. | 2026-01-07 | 5.8 | CVE-2026-21859 | https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d |
| baqend--Speed Kit | Missing Authorization vulnerability in baqend Speed Kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through 2.0.2. | 2026-01-08 | 4.3 | CVE-2026-22487 | https://patchstack.com/database/wordpress/plugin/baqend/vulnerability/wordpress-speed-kit-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve |
| beshkin--Shabat Keeper | The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-09 | 6.1 | CVE-2025-13701 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa73be6-0836-4540-8a80-e1da34c0ee0d?source=cve https://plugins.trac.wordpress.org/browser/shabat-keeper/trunk/shabat-keeper.php#L148 https://plugins.trac.wordpress.org/browser/shabat-keeper/tags/0.4.4/shabat-keeper.php#L148 |
| bg5sbk--MiniCMS | A flaw has been found in bg5sbk MiniCMS up to 1.8. Impacted is the function delete_page of the file /minicms/mc-admin/page.php of the component File Recovery Request Handler. This manipulation causes improper authentication. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 6.5 | CVE-2025-15455 | VDB-339488 | bg5sbk MiniCMS File Recovery Request page.php delete_page improper authentication VDB-339488 | CTI Indicators (IOB, IOC, IOA) Submit #725137 | MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 Unauthorized page deletion https://github.com/ueh1013/VULN/issues/14 |
| BiggiDroid--Simple PHP CMS | A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. The manipulation of the argument image results in unrestricted upload. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 4.7 | CVE-2025-15495 | VDB-340273 | BiggiDroid Simple PHP CMS editsite.php unrestricted upload VDB-340273 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725890 | BiggiDroid Simple PHP CMS 1.0 Unrestricted Upload Submit #726040 | BiggiDroid Simple PHP CMS 1.0 Unrestricted Upload (Duplicate) https://gitee.com/hdert/ck/issues/IDGO28 https://github.com/Asim-QAZi/RCE-Simplephpblog-biggiedroid |
| bitpressadmin--Bit Form Custom Contact Form, Multi Step, Conversational Form & Payment Form builder | The Bit Form - Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only blocks requests when both the nonce verification fails and the user is logged in. This makes it possible for unauthenticated attackers to replay form workflow executions and trigger all configured integrations including webhooks, email notifications, CRM integrations, and automation platforms via the bitforms_trigger_workflow AJAX action granted they can obtain the entry ID and log IDs from a legitimate form submission response. | 2026-01-07 | 6.5 | CVE-2025-14901 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0402e4a6-73ba-49e6-bf80-997ac83b4cfe?source=cve https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L146 https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L30 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3429172%40bit-form%2Ftrunk&old=3420966%40bit-form%2Ftrunk&sfp_email=&sfph_mail=#file827 |
| bluelabsio--records-mover | A weakness has been identified in bluelabsio records-mover up to 1.5.4. The affected element is an unknown function of the component Table Object Handler. This manipulation causes sql injection. The attack needs to be launched locally. Upgrading to version 1.6.0 is sufficient to fix this issue. Patch name: 3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa. You should upgrade the affected component. | 2026-01-07 | 5.3 | CVE-2023-7333 | VDB-339566 | bluelabsio records-mover Table Object sql injection VDB-339566 | CTI Indicators (IOB, IOC, TTP) https://github.com/bluelabsio/records-mover/pull/254 https://github.com/bluelabsio/records-mover/commit/3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa https://github.com/bluelabsio/records-mover/releases/tag/v1.6.0 |
| bruterdregz--Contact Us Simple Form | The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 4.4 | CVE-2025-14028 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c78ab13-22ed-4f00-b132-c9ff99c51273?source=cve https://plugins.trac.wordpress.org/browser/contact-us-simple-form/trunk/contact-us-simple-form.php#L223 https://plugins.trac.wordpress.org/browser/contact-us-simple-form/tags/1.0/contact-us-simple-form.php#L223 https://plugins.trac.wordpress.org/browser/contact-us-simple-form/trunk/contact-us-simple-form.php#L239 https://plugins.trac.wordpress.org/browser/contact-us-simple-form/tags/1.0/contact-us-simple-form.php#L239 |
| BuddyDev--MediaPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev MediaPress allows Stored XSS.This issue affects MediaPress: from n/a through 1.6.2. | 2026-01-08 | 6.5 | CVE-2026-22519 | https://patchstack.com/database/wordpress/plugin/mediapress/vulnerability/wordpress-mediapress-plugin-1-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| buddydev--MediaPress | The MediaPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mpp-uploader shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-06 | 6.4 | CVE-2025-14552 | https://www.wordfence.com/threat-intel/vulnerabilities/id/82b5ade8-582e-4440-b043-d30e757c9467?source=cve https://plugins.trac.wordpress.org/browser/mediapress/tags/1.6.1/core/gallery/mpp-gallery-template-tags.php#L665 |
| burtrw--Lesson Plan Book | The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-09 | 6.1 | CVE-2025-13893 | https://www.wordfence.com/threat-intel/vulnerabilities/id/18696937-5cc5-4e14-940d-fc25468377a3?source=cve https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L719 https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1776 https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1910 |
| bww--URL Image Importer | The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2026-01-06 | 6.4 | CVE-2025-14120 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8704320e-9624-4924-92e8-adb61356aecb?source=cve https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L176 https://plugins.trac.wordpress.org/browser/url-image-importer/tags/1.0.7/url-image-importer.php#L176 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429292%40url-image-importer&new=3429292%40url-image-importer&sfp_email=&sfph_mail= |
| callumalden--Starred Review | The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14118 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2eb65c25-9400-4c5a-a4b2-b72628725500?source=cve https://plugins.trac.wordpress.org/browser/starred-review/trunk/starred-review.php#L29 https://plugins.trac.wordpress.org/browser/starred-review/tags/1.4.2/starred-review.php#L29 |
| Campcodes--Supplier Management System | A flaw has been found in Campcodes Supplier Management System 1.0. Affected by this issue is some unknown functionality of the file /retailer/edit_profile.php. This manipulation of the argument txtRetailerAddress causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-05 | 6.3 | CVE-2026-0597 | VDB-339506 | Campcodes Supplier Management System edit_profile.php sql injection VDB-339506 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731433 | campcodes Supplier Management System 1.0 SQL Injection https://github.com/dhy-spec/cve/issues/1 https://www.campcodes.com/ |
| carboneio--carbone | A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. Upgrading to version 3.5.6 will fix this issue. This patch is called 04f9feb24bfca23567706392f9ad2c53bbe4134e. You should upgrade the affected component. A successful exploitation can "only occur if the parent NodeJS application has the same security issue". | 2026-01-07 | 5 | CVE-2024-14020 | VDB-339503 | carboneio carbone Formatter input.js prototype pollution VDB-339503 | CTI Indicators (IOB, IOC, TTP, IOA) https://github.com/carboneio/carbone/commit/04f9feb24bfca23567706392f9ad2c53bbe4134e https://github.com/carboneio/carbone/releases/tag/3.5.6 |
| cbutlerjr--WP-Members Membership Plugin | The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames. | 2026-01-07 | 5.3 | CVE-2025-12648 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9d0154fd-0cab-4445-a92e-c44ae9931479?source=cve https://plugins.trac.wordpress.org/browser/wp-members/trunk/includes/class-wp-members-forms.php#L604 https://plugins.trac.wordpress.org/browser/wp-members/trunk/includes/admin/class-wp-members-admin-api.php#L707 https://plugins.trac.wordpress.org/changeset/3427043/wp-members/trunk/includes/class-wp-members-forms.php |
| Centreon--Infra Monitoring | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (DSM extenstio configuration modules) allows Stored XSS to user with elevated privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.1, from 24.10.0 before 24.10.4, from 24.04.0 before 24.04.8. | 2026-01-05 | 6.8 | CVE-2025-12511 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12511-centreon-dsm-medium-severity-5361 |
| Centreon--Infra Monitoring | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | 2026-01-05 | 6.8 | CVE-2025-12513 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12513-centreon-web-medium-severity-5360 |
| Centreon--Infra Monitoring | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | 2026-01-05 | 6.8 | CVE-2025-13056 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-13056-centreon-web-medium-severity-5358 |
| Centreon--Infra Monitoring | Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | 2026-01-05 | 5.3 | CVE-2025-12519 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12519-centreon-web-medium-severity-5359 |
| charmbracelet--soft-serve | Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2. | 2026-01-08 | 5.4 | CVE-2026-22253 | https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42 |
| chrisblackwell--1180px Shortcodes | The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14114 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf2ca43-a1d5-4809-b8ad-916b23f71a7d?source=cve https://plugins.trac.wordpress.org/browser/1180px-shortcodes/trunk/1180px.php#L115 https://plugins.trac.wordpress.org/browser/1180px-shortcodes/tags/1.1.1/1180px.php#L115 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the licensing features of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to gain access to sensitive information. This vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC. An attacker could exploit this vulnerability by uploading a malicious file to the application. A successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2026-01-07 | 4.9 | CVE-2026-20029 | cisco-sa-ise-xxe-jWSbSDKt |
| Cisco--Cisco Secure Firewall Threat Defense (FTD) Software | Multiple Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in buffer handling logic when processing DCE/RPC requests, which can result in a buffer use-after-free read. An attacker could exploit this vulnerability by sending a large number of DCE/RPC requests through an established connection that is inspected by Snort 3. A successful exploit could allow the attacker to unexpectedly restart the Snort 3 Detection Engine, which could cause a denial of service (DoS). | 2026-01-07 | 5.8 | CVE-2026-20026 | cisco-sa-snort3-dcerpc-vulns-J9HNF4tH |
| Cisco--Cisco Secure Firewall Threat Defense (FTD) Software | Multiple Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in buffer handling logic when processing DCE/RPC requests, which can result in a buffer out-of-bounds read. An attacker could exploit this vulnerability by sending a large number of DCE/RPC requests through an established connection that is inspected by Snort 3. A successful exploit could allow the attacker to obtain sensitive information in the Snort 3 data stream. | 2026-01-07 | 5.3 | CVE-2026-20027 | cisco-sa-snort3-dcerpc-vulns-J9HNF4tH |
| cld378632668--JavaMall | A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 6.3 | CVE-2025-15448 | VDB-339481 | cld378632668 JavaMall MinioController.java upload unrestricted upload VDB-339481 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721997 | https://github.com/cld378632668/JavaMall JavaMall 1.0 Upload any file https://github.com/zyhzheng500-maker/cve/blob/main/javamall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
| cld378632668--JavaMall | A vulnerability was determined in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. Affected is the function delete of the file src/main/java/com/macro/mall/controller/MinioController.java. This manipulation of the argument objectName causes path traversal. The attack can be initiated remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 5.4 | CVE-2025-15449 | VDB-339482 | cld378632668 JavaMall MinioController.java delete path traversal VDB-339482 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722000 | https://github.com/cld378632668/JavaMall JavaMall 1.0 Delete any file https://github.com/zyhzheng500-maker/cve/blob/main/JavaMall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%88%A0%E9%99%A4.md |
| clevelandwebdeveloper--Smart App Banners | The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13841 | https://www.wordfence.com/threat-intel/vulnerabilities/id/add85b9b-3a4d-4c46-a90f-10c9645e249d?source=cve https://plugins.trac.wordpress.org/browser/smart-app-banners/trunk/index.php#L321 https://plugins.trac.wordpress.org/browser/smart-app-banners/tags/1.2/index.php#L321 |
| code-projects--Intern Membership Management System | A flaw has been found in code-projects Intern Membership Management System 1.0. The impacted element is an unknown function of the file /intern/admin/edit_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2026-01-08 | 4.7 | CVE-2026-0697 | VDB-339974 | code-projects Intern Membership Management System edit_admin.php sql injection VDB-339974 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #732998 | code-projects Intern Membership Management System 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20admin.php%20sql%20injection1.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A vulnerability has been found in code-projects Intern Membership Management System 1.0. This affects an unknown function of the file /intern/admin/edit_students.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-01-08 | 4.7 | CVE-2026-0698 | VDB-339975 | code-projects Intern Membership Management System edit_students.php sql injection VDB-339975 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #732999 | code-projects Intern Membership Management System 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20students_details.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2026-01-08 | 4.7 | CVE-2026-0699 | VDB-339976 | code-projects Intern Membership Management System edit_activity.php sql injection VDB-339976 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #733000 | code-projects Intern Membership Management System activity.php 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20activity.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A vulnerability was identified in code-projects Intern Membership Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /intern/admin/add_admin.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2026-01-08 | 4.7 | CVE-2026-0701 | VDB-339978 | code-projects Intern Membership Management System add_admin.php sql injection VDB-339978 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #733002 | code-projects Intern Membership Management System add_admin.php v1.0 sql injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20add_admin.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A security vulnerability has been detected in code-projects Intern Membership Management System 1.0. This issue affects some unknown processing of the file /intern/admin/delete_admin.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-08 | 4.7 | CVE-2026-0728 | VDB-340125 | code-projects Intern Membership Management System delete_admin.php sql injection VDB-340125 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #733003 | code-projects Intern Membership Management System delete_admin.php v1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20delete_admin.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A vulnerability was detected in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /intern/admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-01-08 | 4.7 | CVE-2026-0729 | VDB-340126 | code-projects Intern Membership Management System add_activity.php sql injection VDB-340126 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #733004 | code-projects Intern Membership Management System add_activity.php v1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20add_activity.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A vulnerability was determined in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-11 | 4.7 | CVE-2026-0850 | VDB-340445 | code-projects Intern Membership Management System delete_activity.php sql injection VDB-340445 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #733486 | code-projects Intern Membership Management System delete_activity.php v1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20delete_activity.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Online Product Reservation System | A weakness has been identified in code-projects Online Product Reservation System 1.0. This issue affects some unknown processing of the file app/products/left_cart.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-01-05 | 6.3 | CVE-2026-0584 | VDB-339476 | code-projects Online Product Reservation System left_cart.php sql injection VDB-339476 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731095 | code-projects Online Product Reservation system in PHP with source code V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_left_cart.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_left_cart.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability was determined in code-projects Online Product Reservation System 1.0. The affected element is an unknown function of the file /app/checkout/delete.php of the component POST Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-05 | 6.3 | CVE-2026-0590 | VDB-339500 | code-projects Online Product Reservation System POST Parameter delete.php sql injection VDB-339500 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731128 | code-projects Online Product Reservation System V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_delete.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_delete.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability was identified in code-projects Online Product Reservation System 1.0. The impacted element is an unknown function of the file /app/checkout/update.php of the component Cart Update Handler. Such manipulation of the argument id/qty leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-01-05 | 6.3 | CVE-2026-0591 | VDB-339501 | code-projects Online Product Reservation System Cart Update update.php sql injection VDB-339501 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731129 | code-projects Online Product Reservation System V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_update.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_update.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability was detected in code-projects Online Product Reservation System 1.0. The affected element is an unknown function of the file handgunner-administrator/prod.php. Performing a manipulation of the argument cat results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2026-01-05 | 4.3 | CVE-2026-0586 | VDB-339478 | code-projects Online Product Reservation System prod.php cross site scripting VDB-339478 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731098 | code-projects Online Product Reservation system in PHP with source code V1.0 Improper Neutralization of Alternate XSS Syntax https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/xss_prod.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/xss_prod.php.md#poc https://code-projects.org/ |
| codeclouds--Unify | The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter. | 2026-01-07 | 5.3 | CVE-2025-13529 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b5fd4a47-0549-4d03-b81a-ad97d3d5d390?source=cve https://plugins.trac.wordpress.org/browser/unify/trunk/Services/Hooks.php#L154 https://plugins.trac.wordpress.org/browser/unify/tags/3.4.9/Services/Hooks.php#L154 |
| Columbia Weather Systems--MicroServer | MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal. | 2026-01-07 | 6.5 | CVE-2025-64305 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json |
| coreshop--CoreShop | CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8. | 2026-01-08 | 4.9 | CVE-2026-22242 | https://github.com/coreshop/CoreShop/security/advisories/GHSA-ch7p-mpv4-4vg4 https://github.com/coreshop/CoreShop/commit/59e84fec59d113952b6d28a9b30c6317f9e6e5dd |
| corsonr--Easy GitHub Gist Shortcodes | The Easy GitHub Gist Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the gist shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14147 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b117d77b-2c11-451c-b236-b55e8af68a9a?source=cve https://plugins.trac.wordpress.org/browser/easy-github-gist-shortcodes/trunk/easy-github-gist-shortcodes.php#L24 https://plugins.trac.wordpress.org/browser/easy-github-gist-shortcodes/tags/1.0/easy-github-gist-shortcodes.php#L24 |
| creativemotion--Clearfy Cache WordPress optimization plugin, Minify HTML, CSS & JS, Defer | The Clearfy Cache - WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it possible for unauthenticated attackers to disable plugin/theme update notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-09 | 4.3 | CVE-2025-13749 | https://www.wordfence.com/threat-intel/vulnerabilities/id/55750dcf-c6ec-4be6-967f-60bf940fa30e?source=cve https://research.cleantalk.org/cve-2025-13749/ https://plugins.trac.wordpress.org/changeset/3421009/clearfy |
| Crocoblock--JetEngine | Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through 3.8.1.1. | 2026-01-07 | 4.3 | CVE-2025-69333 | https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-1-1-broken-access-control-vulnerability?_s_id=cve |
| croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications. | 2026-01-06 | 6.5 | CVE-2025-11723 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a5f3fbd2-6152-4a89-8fe9-982120d1a640?source=cve https://plugins.trac.wordpress.org/changeset/3393919/ |
| ctietze--PullQuote | The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13903 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0a0ee752-7fc4-46d3-9e0f-8b9317b0ea72?source=cve https://plugins.trac.wordpress.org/browser/pullquote/trunk/includes/core.php#L12 https://plugins.trac.wordpress.org/browser/pullquote/tags/1.0/includes/core.php#L12 |
| cuvixsystem--Post Like Dislike | The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14130 | https://www.wordfence.com/threat-intel/vulnerabilities/id/598529d2-16c7-4bbd-9321-aa338c94eb36?source=cve https://plugins.trac.wordpress.org/browser/post-like-dislike/trunk/post-like-dislike.php#L106 https://plugins.trac.wordpress.org/browser/post-like-dislike/tags/1.0/post-like-dislike.php#L106 |
| cyberlord92--miniOrange OTP Verification and SMS Notification for WooCommerce | The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders. | 2026-01-10 | 5.3 | CVE-2025-14948 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f84ddc83-2079-45b9-8354-51094581b1f8?source=cve https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification/tags/4.3.8/notifications/wcsmsnotification/handler/class-woocommercenotifications.php#L138 https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification?rev=3423647 |
| D-Link--DI-8200G | A vulnerability was found in D-Link DI-8200G 17.12.20A1. This affects an unknown function of the file /upgrade_filter.asp. The manipulation of the argument path results in command injection. The attack may be performed from remote. The exploit has been made public and could be used. | 2026-01-08 | 6.3 | CVE-2026-0732 | VDB-340129 | D-Link DI-8200G upgrade_filter.asp command injection VDB-340129 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #733275 | D-Link DI_8200G Router V17.12.20A1 Command Execution https://github.com/DavCloudz/cve/blob/main/D-link/DI_8200G/DI_8200G%20V17.12.20A1%20Command%20Execution%20Vulnerability/readme.md https://github.com/DavCloudz/cve/blob/main/D-link/DI_8200G/DI_8200G%20V17.12.20A1%20Command%20Execution%20Vulnerability/readme.md#poc https://www.dlink.com/ |
| damienoh--WP Widget Changer | The WP Widget Changer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14131 | https://www.wordfence.com/threat-intel/vulnerabilities/id/699392b4-8270-47b5-90c1-5280d1389586?source=cve https://wordpress.org/plugins/wp-widget-changer/ https://plugins.trac.wordpress.org/browser/wp-widget-changer/trunk/widget_changer.php#L162 https://plugins.trac.wordpress.org/browser/wp-widget-changer/tags/1.2.5/widget_changer.php#L162 |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for this agent. LibreChat allows the configuration of agents that have a predefined set of instructions and context. Private agents are not visible to other users. However, if an attacker knows the agent ID, they can read the permissions of the agent including the permissions individually assigned to other users. This issue is fixed in version 0.8.2-rc2. | 2026-01-07 | 4.3 | CVE-2025-69221 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5ccx-4r3h-9qc7 https://github.com/danny-avila/LibreChat/commit/06ba025bd95574c815ac6968454be7d3b024391c https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2 |
| davidangel--PhotoFade | The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13847 | https://www.wordfence.com/threat-intel/vulnerabilities/id/00145a6b-26fd-4cba-a446-8236438075d8?source=cve https://plugins.trac.wordpress.org/browser/photofade/trunk/photo-fade.php#L96 https://plugins.trac.wordpress.org/browser/photofade/tags/0.2.1/photo-fade.php#L96 |
| debtcom--Debt.com Business in a Box | The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13852 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb58556-29be-4272-85fc-bb2b7c72abf4?source=cve https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/trunk/inc/bib_form.php#L256 https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/tags/4.1.0/inc/bib_form.php#L256 |
| Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution. | 2026-01-09 | 6 | CVE-2025-46644 | https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. | 2026-01-09 | 6.5 | CVE-2025-46645 | https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--Secure Connect Gateway (SCG) Appliance | Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application, version(s) versions 5.26 to 5.30, contain(s) an Execution with Unnecessary Privileges vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-06 | 6.4 | CVE-2025-46696 | https://www.dell.com/support/kbdoc/en-us/000385230/dsa-2025-390-dell-secure-connect-gateway-security-update-for-multiple-vulnerabilities |
| directus--directus | Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both the success and error handling paths of the callback. This vulnerability can be exploited without authentication. Version 11.14.0 contains a patch. | 2026-01-08 | 4.3 | CVE-2026-22032 | https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc https://github.com/directus/directus/commit/dad9576ea9362905cc4de8028d3877caff36dc23 |
| djrowling--Niche Hero | Beautifully-designed blocks in seconds | The Niche Hero | Beautifully-designed blocks in seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spacing' parameter of the nh_row shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14145 | https://www.wordfence.com/threat-intel/vulnerabilities/id/52368b7d-5fe2-444c-bd7f-e4385dffa8a9?source=cve https://plugins.trac.wordpress.org/browser/niche-hero/trunk/niche-hero.php#L302 https://plugins.trac.wordpress.org/browser/niche-hero/tags/1.0.5/niche-hero.php#L302 |
| Dokan--Dokan Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan Dokan Pro allows Stored XSS.This issue affects Dokan Pro: from n/a through 3.14.5. | 2026-01-05 | 6.5 | CVE-2025-39497 | https://vdp.patchstack.com/database/wordpress/plugin/dokan-pro/vulnerability/wordpress-dokan-pro-plugin-3-14-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| enartia--Piraeus Bank WooCommerce Payment Gateway | The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue. | 2026-01-07 | 5.3 | CVE-2025-14460 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b15198-8f44-4390-862b-35d41eb8a854?source=cve https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/trunk/classes/WC_Piraeusbank_Gateway.php#L821 https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/tags/3.1.4/classes/WC_Piraeusbank_Gateway.php#L821 |
| EngoTheme--Plant - Gardening & Houseplants WordPress Theme | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EngoTheme Plant - Gardening & Houseplants WordPress Theme allows Retrieve Embedded Sensitive Data.This issue affects Plant - Gardening & Houseplants WordPress Theme: from n/a through 1.0.0. | 2026-01-06 | 5.3 | CVE-2025-31051 | https://patchstack.com/database/wordpress/theme/plant/vulnerability/wordpress-plant-gardening-houseplants-wordpress-theme-1-0-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| expresstech--Quiz and Survey Master (QSM) Easy Quiz and Survey Maker | The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'is_linking' parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-06 | 6.5 | CVE-2025-9318 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e6524e66-5bd1-4616-8185-c0501a09893e?source=cve https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/rest-api.php#L533 |
| expresstech--Quiz and Survey Master (QSM) Easy Quiz and Survey Maker | The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as submit file responses to questions from those quizzes, which allow file upload. | 2026-01-06 | 6.5 | CVE-2025-9637 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88a9abf4-62a9-4695-87e7-18ff0b0075e9?source=cve https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L281 https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L1987 https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/rest-api.php |
| expresstech--Quiz and Survey Master (QSM) Easy Quiz and Survey Maker | The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results. | 2026-01-06 | 4.3 | CVE-2025-9294 | https://www.wordfence.com/threat-intel/vulnerabilities/id/55895508-d0ef-4855-8d15-b8a45ba0dcb2?source=cve https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/admin/options-page-questions-tab.php#L1116 |
| FLIR Systems, Inc.--FLIR Thermal Camera F/FC/PT/D | FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains an information disclosure vulnerability that allows unauthenticated attackers to read arbitrary files through unverified input parameters. Attackers can exploit the /var/www/data/controllers/api/xml.php readFile() function to access local system files without authentication. | 2026-01-07 | 6.2 | CVE-2017-20212 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42786 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| Flycatcher Toys--smART Sketcher | A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 6.3 | CVE-2026-0842 | VDB-340442 | Flycatcher Toys smART Sketcher Bluetooth Low Energy missing authentication VDB-340442 | CTI Indicators (IOB, IOC) Submit #729134 | Flycatcher Toys smART Sketcher 2.0 0/1/2 Missing Authentication for Critical Function https://github.com/davidrxchester/smart-sketcher-upload/blob/main/smartsketch-upload.py |
| fpcorso--Testimonial Master | The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14127 | https://www.wordfence.com/threat-intel/vulnerabilities/id/15e65a86-db8e-4a4a-b9c6-c688021a514f?source=cve https://wordpress.org/plugins/testimonial-master/ https://plugins.trac.wordpress.org/browser/testimonial-master/trunk/php/tm_help_page.php#L190 https://plugins.trac.wordpress.org/browser/testimonial-master/tags/0.2.1/php/tm_help_page.php#L190 |
| fulippo--WP Status Notifier | The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-13521 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fbffc404-9ea9-4025-8241-2c374b760ca3?source=cve https://plugins.trac.wordpress.org/browser/wp-change-status-notifier/trunk/options-page.php#L2 https://plugins.trac.wordpress.org/browser/wp-change-status-notifier/tags/1.0/options-page.php#L2 |
| furqan-khanzada--Menu Card | The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13862 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cec428cd-0fa1-4bc4-b7f6-faf90c31f306?source=cve https://plugins.trac.wordpress.org/browser/menu-card/trunk/menu-card.php#L102 https://plugins.trac.wordpress.org/browser/menu-card/tags/0.8.0/menu-card.php#L102 |
| galdub--Folders Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | The Folders - Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files from the WordPress Media Library. | 2026-01-08 | 4.3 | CVE-2025-12640 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ac6432a4-6597-4d1e-b63d-c007a301d1b2?source=cve https://plugins.trac.wordpress.org/changeset/3402986/folders/tags/3.1.6/includes/media.replace.php |
| ghera74--ilGhera Support System for WooCommerce | The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status. | 2026-01-06 | 5.3 | CVE-2025-14034 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e74fb552-3ef4-47cd-8fe6-8cc1e74b8377?source=cve https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L1331 https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L1331 https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L865 https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L865 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426161%40wc-support-system&new=3426161%40wc-support-system&sfp_email=&sfph_mail= |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls. | 2026-01-09 | 6.5 | CVE-2025-10569 | GitLab Issue #570528 HackerOne Bug Bounty Report #3284689 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations. | 2026-01-09 | 6.5 | CVE-2025-13781 | GitLab Issue #578756 HackerOne Bug Bounty Report #3400940 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations. | 2026-01-09 | 5.4 | CVE-2025-11246 | GitLab Issue #573728 HackerOne Bug Bounty Report #3292475 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| glenwpcoder--Drag and Drop Multiple File Upload for Contact Form 7 | The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. The upload of .svg files allows for Stored Cross-Site Scripting under certain circumstances. | 2026-01-07 | 6.1 | CVE-2025-14842 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c78a0325-5bbf-4550-8477-94247f085e40?source=cve https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L1116 https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L108 https://plugins.trac.wordpress.org/browser/contact-form-7/trunk/includes/formatting.php#L310 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3428236%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&old=3415946%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&sfp_email=&sfph_mail= |
| greenshady--Entry Views | The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13729 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7e9fcc-804a-46a8-95cd-b358ba7681ec?source=cve https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L25 https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L36 https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/template.php#L35 |
| Guangzhou V--V-SOL GPON/EPON OLT Platform | V-SOL GPON/EPON OLT Platform v2.03 contains multiple reflected cross-site scripting vulnerabilities due to improper input sanitization in various script parameters. Attackers can exploit these vulnerabilities by injecting malicious HTML and script code to execute arbitrary scripts in a victim's browser session. | 2026-01-07 | 6.1 | CVE-2019-25284 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database VSOL Vendor Homepage |
| guchengwuyue--yshopmall | A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-09 | 6.3 | CVE-2025-15496 | VDB-340274 | guchengwuyue yshopmall jobs getPage sql injection VDB-340274 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #726464 | https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 SQL Injection https://github.com/guchengwuyue/yshopmall/issues/39 https://github.com/guchengwuyue/yshopmall/issues/39#issue-3769727898 |
| Hakob--Re Gallery & Responsive Photo Gallery Plugin | Missing Authorization vulnerability in Hakob Re Gallery & Responsive Photo Gallery Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Re Gallery & Responsive Photo Gallery Plugin: from n/a through 1.17.18. | 2026-01-08 | 5.3 | CVE-2026-22486 | https://patchstack.com/database/wordpress/plugin/regallery/vulnerability/wordpress-re-gallery-responsive-photo-gallery-plugin-plugin-1-17-17-broken-access-control-vulnerability?_s_id=cve |
| harfbuzz--harfbuzz | HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0. | 2026-01-10 | 5.3 | CVE-2026-22693 | https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae |
| hayyatapps--Stylish Order Form Builder | The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13531 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d9c4d9d-5d4c-4ea9-bf8d-0ee634f9ca7c?source=cve https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/trunk/functions-admin.php#L74 https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/tags/1.0/functions-admin.php#L74 https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/trunk/Pages/manage-forms/includes/all-products.php#L9 https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/tags/1.0/Pages/manage-forms/includes/all-products.php#L9 |
| hblpay--HBLPAY Payment Gateway for WooCommerce | The HBLPAY Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'cusdata' parameter in all versions up to, and including, 5.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14875 | https://www.wordfence.com/threat-intel/vulnerabilities/id/06362518-f2ee-485f-9e0e-1b1ada9c72db?source=cve https://plugins.trac.wordpress.org/browser/hblpay-payment-gateway-for-woocommerce/trunk/hblpay-paymentgateway-woocommerce.php#L248 |
| HCLSoftware--DevOps Deploy | In HCL DevOps Deploy 8.1.2.0 through 8.1.2.3, a user with LLM configuration privileges may be able to recover a credential previously saved for performing authenticated LLM Queries. | 2026-01-07 | 4.9 | CVE-2025-62327 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127336 |
| helpdeskcom--HelpDesk contact form plugin | The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the plugin's license ID and contact form ID settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-13657 | https://www.wordfence.com/threat-intel/vulnerabilities/id/342ece60-faf1-4fee-bf1e-6f6107f32861?source=cve https://plugins.trac.wordpress.org/browser/helpdesk-contact-form/trunk/includes/class-admin-page.php#L63 https://plugins.trac.wordpress.org/browser/helpdesk-contact-form/tags/1.1.5/includes/class-admin-page.php#L63 |
| IdeaBox Creations--Dashboard Welcome for Beaver Builder | Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Welcome for Beaver Builder: from n/a through 1.0.8. | 2026-01-08 | 5.3 | CVE-2026-22488 | https://patchstack.com/database/wordpress/plugin/dashboard-welcome-for-beaver-builder/vulnerability/wordpress-dashboard-welcome-for-beaver-builder-plugin-1-0-8-broken-access-control-vulnerability?_s_id=cve |
| Ideagen--DevonWay | Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the 'Reports' page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS. | 2026-01-08 | 5.5 | CVE-2026-22587 | url url |
| imtiazrayhan--ConvertForce Popup Builder | The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-10 | 6.4 | CVE-2025-14506 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c57b9a78-53f4-40bb-ae6a-c5242b41329f?source=cve https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L47 https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L66 https://plugins.trac.wordpress.org/changeset/3419678/ |
| indieweb--IndieWeb | The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-14893 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b29f0fea-a2db-4b2e-b7b8-d15b2395e9e6?source=cve https://plugins.trac.wordpress.org/changeset/3423983/ |
| infosatech--WP Page Permalink Extension | The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter. | 2026-01-09 | 6.5 | CVE-2025-14172 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ba37d7-8fde-4ee3-93db-d2459da34bc4?source=cve https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/trunk/change-wp-page-permalinks.php#L188 https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/tags/1.5.4/change-wp-page-permalinks.php#L188 |
| INIM Electronics s.r.l.--Smartliving SmartLAN/G/SI | Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewalls and perform network enumeration through arbitrary HTTP requests. | 2026-01-07 | 5.3 | CVE-2019-25290 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 47764 Packet Storm Security Exploit File IBM X-Force Vulnerability Exchange Entry INIM Vendor Homepage |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have an Out-of-bounds Read, Use of Out-of-range Pointer Offset and have Improper Input Validation in its CIccProfile::LoadTag function. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 6.1 | CVE-2026-21487 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xq7x-9524-f7cp https://github.com/InternationalColorConsortium/iccDEV/issues/340 https://github.com/InternationalColorConsortium/iccDEV/commit/1516e2cafc253bb06fd3700d589a4ed0f09f7bd6 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination through its CIccTagText::Read function. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 6.1 | CVE-2026-21488 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4j2g-rvv4-86vg https://github.com/InternationalColorConsortium/iccDEV/commit/9daaccceb231c43db8cab312ee5bbe9d2aa6b153 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have Out-of-bounds Read and Integer Underflow (Wrap or Wraparound) vulnerabilities in its CIccCalculatorFunc::SequenceNeedTempReset function. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 6.1 | CVE-2026-21489 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-ph89-6q5h-wfw5 https://github.com/InternationalColorConsortium/iccDEV/commit/cfabfe52c9c7eb0481b62c8aad56580bb11efdad |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in heap buffer overflow in `CIccTagLut16::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-06 | 6.1 | CVE-2026-21490 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-9q9c-699q-xr2q https://github.com/InternationalColorConsortium/iccDEV/issues/397 https://github.com/InternationalColorConsortium/iccDEV/commit/7c2cb719a9de1c00844e457e070d657314383ee3 https://github.com/InternationalColorConsortium/iccDEV/commit/e91fe722ac54ce497d410153e7405090e0565d7b |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in unicode buffer overflow in `CIccTagTextDescription`. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-06 | 6.1 | CVE-2026-21491 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4pv4-4x2x-6j88 https://github.com/InternationalColorConsortium/iccDEV/issues/396 https://github.com/InternationalColorConsortium/iccDEV/commit/7c2cb719a9de1c00844e457e070d657314383ee3 https://github.com/InternationalColorConsortium/iccDEV/commit/e91fe722ac54ce497d410153e7405090e0565d7b |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 6.6 | CVE-2026-21493 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-p85g-f9q7-jmjx https://github.com/InternationalColorConsortium/iccDEV/issues/358 https://github.com/InternationalColorConsortium/iccDEV/commit/7ff76d1471077172f9659de8d9536443eac7c48f |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in heap buffer overflow in `CIccTagLut8::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-06 | 6.1 | CVE-2026-21494 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hjxv-xr7w-84fc https://github.com/InternationalColorConsortium/iccDEV/issues/398 https://github.com/InternationalColorConsortium/iccDEV/commit/7c2cb719a9de1c00844e457e070d657314383ee3 https://github.com/InternationalColorConsortium/iccDEV/commit/e91fe722ac54ce497d410153e7405090e0565d7b |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to a null pointer passed to memcpy() in CIccTagSparseMatrixArray. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 6.1 | CVE-2026-21503 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h554-qrfh-53gx https://github.com/InternationalColorConsortium/iccDEV/issues/367 https://github.com/InternationalColorConsortium/iccDEV/pull/417 https://github.com/InternationalColorConsortium/iccDEV/commit/55259a6395c4f6124b5d0e38469c77412926bd3d |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap buffer overflow in the ToneMap parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 6.6 | CVE-2026-21504 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-rqp9-r53c-3m9h https://github.com/InternationalColorConsortium/iccDEV/issues/366 https://github.com/InternationalColorConsortium/iccDEV/pull/415 https://github.com/InternationalColorConsortium/iccDEV/commit/14fe3785e6b1f9992375b2a24617a0d7f6a70f95 https://github.com/InternationalColorConsortium/iccDEV/commit/23a38f83f2a5874a1c4427df59ec342af3277cad https://github.com/InternationalColorConsortium/iccDEV/blob/798be59011649a26a529600cc3cd56437634d3d0/IccProfLib/IccMpeBasic.cpp#L4557 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 6.5 | CVE-2026-21680 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mgp7-w4w3-mhx4 https://github.com/InternationalColorConsortium/iccDEV/issues/322 https://github.com/InternationalColorConsortium/iccDEV/pull/325 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 6.5 | CVE-2026-21689 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5rqc-w93q-589m https://github.com/InternationalColorConsortium/iccDEV/issues/382 https://github.com/InternationalColorConsortium/iccDEV/pull/423 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTagXmlTagData::ToXml()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 6.3 | CVE-2026-21690 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2f26-vh48-38g6 https://github.com/InternationalColorConsortium/iccDEV/issues/393 https://github.com/InternationalColorConsortium/iccDEV/pull/426 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer member call vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-06 | 5.5 | CVE-2026-21492 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xpq3-v3jj-mgvx https://github.com/InternationalColorConsortium/iccDEV/issues/394 https://github.com/InternationalColorConsortium/iccDEV/pull/401 https://github.com/InternationalColorConsortium/iccDEV/commit/b200a629ada310137d6ae5c53fc9e6d91a4b0dae https://github.com/InternationalColorConsortium/iccDEV/commit/e72361d215351cbac0002466c4f936e94d6a99e7 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to division by zero in the TIFF Image Reader. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21495 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xhrm-79rg-5784 https://github.com/InternationalColorConsortium/iccDEV/commit/10c34179a0332a869c2b46e305a9cd23a6311dfe |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the signature parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21496 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wj8m-6w77-r4rw https://github.com/InternationalColorConsortium/iccDEV/issues/381 https://github.com/InternationalColorConsortium/iccDEV/pull/405 https://github.com/InternationalColorConsortium/iccDEV/commit/0e51ceb427925b7e22f0465547df7506d35cda1c https://github.com/InternationalColorConsortium/iccDEV/commit/b5ad23aceece3789bdf1c47bae1ecf9d7bfcd26d |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via an unknown tag parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21497 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7gv7-cmrv-4j85 https://github.com/InternationalColorConsortium/iccDEV/issues/374 https://github.com/InternationalColorConsortium/iccDEV/pull/403 https://github.com/InternationalColorConsortium/iccDEV/commit/9419cac7f084197941994b8b9d17def204008385 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML calculator parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21498 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6822-qvxq-m736 https://github.com/InternationalColorConsortium/iccDEV/issues/375 https://github.com/InternationalColorConsortium/iccDEV/pull/404 https://github.com/InternationalColorConsortium/iccDEV/commit/75f124f40ba45491211cb4b67f0e05b7c7d59553 https://github.com/InternationalColorConsortium/iccDEV/commit/bdfa31940726aaabb0a6f19194d9062ba0598959 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21499 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c3pv-2cpf-7v2p https://github.com/InternationalColorConsortium/iccDEV/issues/372 https://github.com/InternationalColorConsortium/iccDEV/pull/412 https://github.com/InternationalColorConsortium/iccDEV/commit/00c03013e11b35ddbd7caae4368d1add185849d9 https://github.com/InternationalColorConsortium/iccDEV/commit/af299895bbcbecca6f67d6dc3d8e1dc92f1fc3fa https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccXML/IccLibXML/IccProfileXml.cpp#L477 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the XML calculator macro expansion. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21500 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4h4j-mm9w-2cp4 https://github.com/InternationalColorConsortium/iccDEV/issues/384 https://github.com/InternationalColorConsortium/iccDEV/pull/406 https://github.com/InternationalColorConsortium/iccDEV/commit/cce5f9b68a6c067b7ef898ccd5b000770745fb14 https://github.com/InternationalColorConsortium/iccDEV/commit/f295826a6f15add90490030f23b2ddd8593bff5b |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the calculator parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21501 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x7hw-h22p-2x4w https://github.com/InternationalColorConsortium/iccDEV/issues/365 https://github.com/InternationalColorConsortium/iccDEV/pull/413 https://github.com/InternationalColorConsortium/iccDEV/commit/798be59011649a26a529600cc3cd56437634d3d0 https://github.com/InternationalColorConsortium/iccDEV/commit/f3056ed99935d479091470127ad16f8be1912bb7 https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccProfLib/IccMpeCalc.cpp#L4588 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML tag parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21502 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-67r8-q3mh-42j6 https://github.com/InternationalColorConsortium/iccDEV/issues/368 https://github.com/InternationalColorConsortium/iccDEV/pull/407 https://github.com/InternationalColorConsortium/iccDEV/commit/d04c236775e89a029f93efcc242fdb1fbc245a1c https://github.com/InternationalColorConsortium/iccDEV/commit/d9e42a1fb2606e25e498eb94f34f6da89f522e35 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to an invalid enum value. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21505 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-j577-8285-qrf9 https://github.com/InternationalColorConsortium/iccDEV/issues/361 https://github.com/InternationalColorConsortium/iccDEV/pull/419 https://github.com/InternationalColorConsortium/iccDEV/commit/3bbe2088b2796cf0aa4f7fa19f7ccd9ad1c7aba5 https://github.com/InternationalColorConsortium/iccDEV/commit/b1bb72fc3e9442ee1355aabae7314bb7d3fc9d41 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to Null pointer dereference in CIccProfileXml::ParseBasic(), leading to denial of service. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21506 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wfm7-m548-x4vp https://github.com/InternationalColorConsortium/iccDEV/issues/371 https://github.com/InternationalColorConsortium/iccDEV/pull/418 https://github.com/InternationalColorConsortium/iccDEV/commit/f2ea32372ad3ebbd29147940229cb9c5548fe033 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTag:IsTypeCompressed()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 5.4 | CVE-2026-21691 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c9q5-x498-jv92 https://github.com/InternationalColorConsortium/iccDEV/issues/392 https://github.com/InternationalColorConsortium/iccDEV/pull/426 |
| INTINITUM FORM--Geo Controller | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2. | 2026-01-05 | 6.5 | CVE-2023-51513 | https://vdp.patchstack.com/database/wordpress/plugin/cf-geoplugin/vulnerability/wordpress-geo-controller-plugin-8-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| itsourcecode--Society Management System | A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown part of the file /admin/edit_activity_query.php. The manipulation of the argument Title leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-01-05 | 6.3 | CVE-2026-0582 | VDB-339474 | itsourcecode Society Management System edit_activity_query.php sql injection VDB-339474 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731207 | itsourcecode Society Management System V1.0 SQL Injection https://github.com/xiaotsai/tttt/issues/2 https://itsourcecode.com/ |
| ivole--Customer Reviews for WooCommerce | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with customer-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While it is possible to invoke the AJAX action without authentication, the attacker would need to know a valid form ID, which requires them to place an order. This vulnerability can be exploited by unauthenticated attackers if guest checkout is enabled. However, the form ID still needs to be obtained through placing an order. | 2026-01-07 | 6.4 | CVE-2025-14891 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88e4eec2-2861-4d1d-97eb-67887f59c745?source=cve https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/includes/reminders/class-cr-local-forms-ajax.php#L76 https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/templates/form-customer.php#L19 https://plugins.trac.wordpress.org/changeset/3424980/customer-reviews-woocommerce |
| iWT Ltd.--FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks. | 2026-01-07 | 6.1 | CVE-2019-25277 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange |
| jegstudio--Gutenverse Form Contact Form Builder, Booking, Reservation, Subscribe for Block Editor | The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers. | 2026-01-08 | 6.4 | CVE-2025-14984 | https://www.wordfence.com/threat-intel/vulnerabilities/id/792fa6cb-e55a-4f68-b8a8-9039fb1ff694?source=cve https://plugins.trac.wordpress.org/browser/gutenverse-form/tags/2.3.2/lib/framework/includes/class-init.php#L837 https://plugins.trac.wordpress.org/browser/gutenverse-form/tags/2.3.2/lib/framework/includes/class-init.php#L169 https://plugins.trac.wordpress.org/changeset/3427504/gutenverse-form/trunk/lib/framework/includes/class-init.php?old=3395520&old_path=gutenverse-form%2Ftrunk%2Flib%2Fframework%2Fincludes%2Fclass-init.php |
| jegtheme--Jeg Kit for Elementor Powerful Addons for Elementor, Widgets & Templates for WordPress | The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element. | 2026-01-08 | 6.4 | CVE-2025-14275 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8fcb4047-5173-4d10-a4bb-72f1919b9203?source=cve https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/3.0.1/assets/js/elements/countdown.js#L1 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432624%40jeg-elementor-kit%2Ftrunk&old=3379532%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail= |
| jiujiujia--jjjfood | A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 6.3 | CVE-2026-0843 | VDB-340443 | jiujiujia/victor123/wxw850227 jjjfood/jjjshop_food index sql injection VDB-340443 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731001 | https://www.jiujiujia.net/ PHP-based Three-Dot Ordering System Vulnerable to SQL Injection lasest SQL Injection http://101.200.76.102:38765/qwertyuiop/qwsdfvbnm/1/vuldb/JJJshop/EnglishVers%E4%B8%89%E5%8B%BE%E7%82%B9%E9%A4%90%E7%B3%BB%E7%BB%9FPHP%E7%89%88%E5%AD%98%E5%9C%A8product.category.indexSQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.pdf |
| jonua--Table Field Add-on for ACF and SCF | The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-06 | 6.4 | CVE-2025-12067 | https://www.wordfence.com/threat-intel/vulnerabilities/id/93f80716-a95b-49fc-805f-446d4723ca77?source=cve https://plugins.trac.wordpress.org/changeset/3386339/ |
| jseto--Travel Bucket List Wish To Go | The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14053 | https://www.wordfence.com/threat-intel/vulnerabilities/id/02b9450e-422f-45f1-a55b-cf401e39247c?source=cve https://plugins.trac.wordpress.org/browser/wish-to-go/trunk/wish-to-go.php#L124 https://plugins.trac.wordpress.org/browser/wish-to-go/tags/0.5.2/wish-to-go.php#L124 |
| kanboard--kanboard | Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing attackers to enumerate all LDAP users, discover sensitive user attributes, and perform targeted attacks against specific accounts. This issue is fixed in version 1.2.49. | 2026-01-08 | 5.3 | CVE-2026-21880 | https://github.com/kanboard/kanboard/security/advisories/GHSA-v66r-m28r-wmq7 https://github.com/kanboard/kanboard/commit/dd374079f7c2d1dab74c1680960e684ff8668586 https://github.com/kanboard/kanboard/releases/tag/v1.2.49 |
| kanboard--kanboard | Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the filter_var($url, FILTER_VALIDATE_URL) validation check. This vulnerability could be exploited to conduct phishing attacks, steal user credentials, or distribute malware. The issue is fixed in version 1.2.49. | 2026-01-08 | 4.7 | CVE-2026-21879 | https://github.com/kanboard/kanboard/security/advisories/GHSA-mhv9-7m9w-7hcq https://github.com/kanboard/kanboard/commit/93bcae03301a6d34185a8dba977417e6b3de519f https://github.com/kanboard/kanboard/releases/tag/v1.2.49 |
| kentothemes--Latest Tabs | The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-14999 | https://www.wordfence.com/threat-intel/vulnerabilities/id/837f49e6-dcba-4451-bbbe-14890ab87207?source=cve https://plugins.trac.wordpress.org/browser/kento-latest-tabs/trunk/admin-page.php#L7 |
| kodezen--aBlocks WordPress Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & GSAP Animation Builder | The aBlocks - WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services. | 2026-01-07 | 5.4 | CVE-2025-12449 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c10600ae-1ff0-4f12-ae53-39d9342640f4?source=cve https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/ajax/settings.php#L16 https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/classes/abstract-request-handler.php#L486 https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/assets.php#L353 |
| kromitgmbh--titra | Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50. | 2026-01-07 | 6.8 | CVE-2026-21694 | https://github.com/kromitgmbh/titra/security/advisories/GHSA-mr2r-wjf8-cj3c https://github.com/kromitgmbh/titra/commit/29e6b88eca005107729e45a6f1731cf0fa5f8938 |
| kromitgmbh--titra | Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50. | 2026-01-07 | 4.3 | CVE-2026-21695 | https://github.com/kromitgmbh/titra/security/advisories/GHSA-gc65-vr47-jppq https://github.com/kromitgmbh/titra/commit/29e6b88eca005107729e45a6f1731cf0fa5f8938 |
| Leica Geosystems AG--Leica Geosystems GR10/GR25/GR30/GR50 GNSS | Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can trick logged-in users into executing unauthorized actions by crafting malicious web pages that submit requests to the application. | 2026-01-07 | 5.3 | CVE-2019-25259 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 46090 Packet Storm Security Exploit File IBM X-Force Vulnerability Exchange Entry Leica Geosystems Vendor Homepage |
| liangshao--Flashcard Plugin for WordPress | The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-01-07 | 6.5 | CVE-2025-14867 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fcc6e5-1f90-41e7-8d5a-2bfe8cbf46fa?source=cve https://plugins.trac.wordpress.org/browser/flashcard/tags/0.9/flashcard.php?marks=73,109#L73 |
| lnbadmin1--Nearby Now Reviews | The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13853 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8dc991ea-0d00-4734-9b9a-5af759e83540?source=cve https://plugins.trac.wordpress.org/browser/nearby-now-reviews/trunk/nn-reviews.php#L160 https://plugins.trac.wordpress.org/browser/nearby-now-reviews/tags/5.2/nn-reviews.php#L160 |
| loopus--WP Cost Estimation & Payment Forms Builder | The WP Cost Estimation plugin for WordPress is vulnerable to Upload Directory Traversal in versions before 9.660 via the uploadFormFiles function. This allows attackers to overwrite any file with a whitelisted type on an affected site. | 2026-01-08 | 6.5 | CVE-2019-25295 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65a9e877-e870-4e36-985d-c0629abe3f78?source=cve https://www.wordfence.com/blog/2019/02/vulnerabilities-patched-in-wp-cost-estimation-plugin/ https://codecanyon.net/item/wp-cost-estimation-payment-forms-builder/7818230 |
| mamurjor--Mamurjor Employee Info | The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-13990 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8e323b87-7b2e-4e5c-94a4-a4a0712f50ba?source=cve https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/trunk/admin/admin.php#L10 https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/trunk/admin/admin.php#L30 https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/trunk/admin/admin.php#L47 https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/tags/1.0.0/admin/admin.php#L10 https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/tags/1.0.0/admin/admin.php#L30 https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/tags/1.0.0/admin/admin.php#L47 |
| manchumahara--CBX Bookmark & Favorite | The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-06 | 6.5 | CVE-2025-13652 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8839665-8f98-4c81-b234-9201236e0194?source=cve https://plugins.trac.wordpress.org/changeset/3413499/ |
| marceljm--Featured Image from URL (FIFU) | The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the fifu_input_url parameter in the FIFU Elementor widget granted they have permissions to use Elementor. | 2026-01-10 | 4.3 | CVE-2025-13393 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b7115070-b84d-4d69-993a-f512b9f9c081?source=cve https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L94 https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L121 https://research.cleantalk.org/cve-2025-13393/ https://plugins.trac.wordpress.org/changeset/3428744/ |
| Marketing Fire, LLC--LoginWP - Pro | Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. | 2026-01-05 | 6.5 | CVE-2025-39561 | https://vdp.patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-broken-access-control-vulnerability?_s_id=cve |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4. | 2026-01-08 | 6.5 | CVE-2026-22246 | https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24 https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076 https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57 |
| matiasanca--Cool YT Player | The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13849 | https://www.wordfence.com/threat-intel/vulnerabilities/id/590bdf82-8006-4729-96e5-42b0d1552d19?source=cve https://plugins.trac.wordpress.org/browser/cool-yt-player/trunk/includes/youtube_video_wrapper.php#L58 https://plugins.trac.wordpress.org/browser/cool-yt-player/tags/1.0/includes/youtube_video_wrapper.php#L58 |
| mattiaspkallio--Snillrik Restaurant | The Snillrik Restaurant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'menu_style' shortcode attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14112 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5fb52c19-6816-423d-ab3a-6b5b2ff21e03?source=cve https://plugins.trac.wordpress.org/browser/snillrik-restaurant-menu/trunk/classes/shortcodes.php#L42 https://plugins.trac.wordpress.org/browser/snillrik-restaurant-menu/tags/2.2.1/classes/shortcodes.php#L42 |
| metodiew--Quote Comments | The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecomments_add_admin function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options via the 'action' parameter. | 2026-01-07 | 5.3 | CVE-2025-14370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1ebe0767-db22-4995-bdf1-5ebb48f960e9?source=cve https://plugins.trac.wordpress.org/browser/quote-comments/tags/3.0.0/quote-comments.php#L309 |
| Microsoft--Microsoft Edge for Android | User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an authorized attacker to perform spoofing over a network. | 2026-01-07 | 5.5 | CVE-2025-62224 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability |
| miniflux--v2 | Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue. | 2026-01-08 | 6.5 | CVE-2026-21885 | https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp |
| minnur--External Media | Server-Side Request Forgery (SSRF) vulnerability in minnur External Media allows Server Side Request Forgery.This issue affects External Media: from n/a through 1.0.36. | 2026-01-07 | 4.9 | CVE-2025-49335 | https://patchstack.com/database/wordpress/plugin/external-media/vulnerability/wordpress-external-media-plugin-1-0-36-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| mitchoyoshitaka--Stumble! for WordPress | The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14128 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19e1421d-8cb4-44b6-a982-769539b19582?source=cve https://wordpress.org/plugins/stumble-for-wordpress/ https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/trunk/stumble.php#L143 https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/tags/1.1.1/stumble.php#L143 |
| mohammed_kaludi--AMP for WP Accelerated Mobile Pages | The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file. | 2026-01-09 | 6.4 | CVE-2026-0627 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926?source=cve https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/trunk/templates/features.php#L10373 https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.10/templates/features.php#L10373 https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php?old=3426181&old_path=accelerated-mobile-pages%2Ftrunk%2Ftemplates%2Ffeatures.php |
| mohammed_kaludi--AMP for WP Accelerated Mobile Pages | The AMP for WP - Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the amp_theme_ajaxcomments AJAX handler, which rejects requests with VALID nonces and accepts requests with MISSING or INVALID nonces. This makes it possible for unauthenticated attackers to submit comments on behalf of logged-in users via a forged request granted they can trick a user into performing an action such as clicking on a link, and the plugin's template mode is enabled. | 2026-01-07 | 4.3 | CVE-2025-14468 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0d195034-4617-474d-a4b1-b299c1607f89?source=cve https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L119 https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L50 https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L698 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3426181%40accelerated-mobile-pages%2Ftrunk&old=3402644%40accelerated-mobile-pages%2Ftrunk&sfp_email=&sfph_mail=#file4 |
| moosend--Moosend Landing Pages | The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value. | 2026-01-07 | 5.3 | CVE-2025-13496 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb4b3b1-47ae-4314-a386-832949456f81?source=cve https://plugins.trac.wordpress.org/browser/moosend-landing-pages/trunk/forms/auth-request.php#L7 https://plugins.trac.wordpress.org/browser/moosend-landing-pages/tags/1.1.6/forms/auth-request.php#L7 |
| mountaingrafix--MG AdvancedOptions | The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-09 | 6.1 | CVE-2025-13892 | https://www.wordfence.com/threat-intel/vulnerabilities/id/86358a01-bf69-4a7f-8b78-a0d42d362d96?source=cve https://plugins.trac.wordpress.org/browser/mg-advancedoptions/trunk/mg-advancedoptions/MG_AdvancedOptions.php#L96 https://plugins.trac.wordpress.org/browser/mg-advancedoptions/trunk/mg-advancedoptions/MG_AdvancedOptions.php#L58 |
| mstoic--Mstoic Shortcodes | The Mstoic Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'start' parameter of the ms_youtube_embeds shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14144 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e83c039-9b15-4e0c-8b07-3b906938c138?source=cve https://plugins.trac.wordpress.org/browser/mstoic-shortcodes/trunk/functions/shortcodes/youtube_embeds.php#L117 https://plugins.trac.wordpress.org/browser/mstoic-shortcodes/tags/2.0/functions/shortcodes/youtube_embeds.php#L117 |
| mtcaptcha--MTCaptcha WordPress Plugin | The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings, including sensitive values like the private key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-13520 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e8c1e568-7170-40d6-b522-2c89725e0501?source=cve https://plugins.trac.wordpress.org/browser/mtcaptcha/trunk/mt-captcha.php#L410 https://plugins.trac.wordpress.org/browser/mtcaptcha/tags/2.7.2/mt-captcha.php#L410 |
| Munir Kamal--Block Slider | Missing Authorization vulnerability in Munir Kamal Block Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Block Slider: from n/a through 2.2.3. | 2026-01-08 | 6.5 | CVE-2026-22522 | https://patchstack.com/database/wordpress/plugin/block-slider/vulnerability/wordpress-block-slider-plugin-2-2-3-broken-access-control-vulnerability?_s_id=cve |
| N/A--Elliptic | The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could-under certain conditions-derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs. This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1). | 2026-01-08 | 5.6 | CVE-2025-14505 | https://www.herodevs.com/vulnerability-directory/cve-2025-14505 https://github.com/indutny/elliptic/issues/321 |
| n/a--invoiceninja | A security vulnerability has been detected in invoiceninja up to 5.12.38. The affected element is the function copy of the file /app/Jobs/Util/Import.php of the component Migration Import. The manipulation of the argument company_logo leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-07 | 4.7 | CVE-2026-0649 | VDB-339720 | invoiceninja Migration Import Import.php copy server-side request forgery VDB-339720 | CTI Indicators (IOB, IOC, IOA) Submit #721323 | invoiceninja <= 5.12.38. ssrf https://note-hxlab.wetolink.com/share/fWqEpn5fX4rH |
| n/a--milvus | A security vulnerability has been detected in milvus up to 2.6.7. This vulnerability affects the function expr.Exec of the file pkg/util/expr/expr.go of the component HTTP Endpoint. The manipulation of the argument code leads to deserialization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. A fix is planned for the next release 2.6.8. | 2026-01-05 | 6.3 | CVE-2025-15453 | VDB-339486 | milvus HTTP Endpoint expr.go expr.Exec deserialization VDB-339486 | CTI Indicators (IOB, IOC, IOA) Submit #719061 | milvus-io milvus latest Not Safe Remote Expression Execution https://github.com/milvus-io/milvus/issues/46442 https://github.com/milvus-io/milvus/issues/46442#issuecomment-3672197450 https://github.com/milvus-io/milvus/issues/46442#issue-3743414836 https://github.com/milvus-io/milvus/milestone/139 |
| n8n-io--n8n | n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only. | 2026-01-08 | 6.5 | CVE-2026-21894 | https://github.com/n8n-io/n8n/security/advisories/GHSA-jf52-3f2h-h9j5 https://github.com/n8n-io/n8n/pull/22764 https://github.com/n8n-io/n8n/commit/a61a5991093c41863506888336e808ac1eff8d59 |
| nahian91--Awesome Hotel Booking | The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form. | 2026-01-07 | 5.3 | CVE-2025-14352 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4fe0a08e-eee2-4d48-bb38-dd58bff79118?source=cve https://plugins.trac.wordpress.org/browser/awesome-hotel-booking/trunk/admin/admin-shortcodes/inc/room-single.php#L67 https://plugins.trac.wordpress.org/browser/awesome-hotel-booking/tags/1.0/admin/admin-shortcodes/inc/room-single.php#L67 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3. | 2026-01-10 | 4.7 | CVE-2026-21899 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-wc29-5hw7-mpj8 https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| Nawawi Jamili--Docket Cache | Missing Authorization vulnerability in Nawawi Jamili Docket Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Docket Cache: from n/a through 24.07.04. | 2026-01-08 | 4.3 | CVE-2026-22492 | https://patchstack.com/database/wordpress/plugin/docket-cache/vulnerability/wordpress-docket-cache-plugin-24-07-04-broken-access-control-vulnerability?_s_id=cve |
| niklaslindemann--Bulk Landing Page Creator for WordPress LPagery | Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through 2.4.9. | 2026-01-08 | 5.4 | CVE-2026-22490 | https://patchstack.com/database/wordpress/plugin/lpagery/vulnerability/wordpress-bulk-landing-page-creator-for-wordpress-lpagery-plugin-2-4-4-broken-access-control-vulnerability?_s_id=cve |
| ninjateam--FastDup Fastest WordPress Migration & Duplicator | The FastDup - Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information. | 2026-01-06 | 6.5 | CVE-2026-0604 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ac97c729-4c75-429b-bbf2-27ca322be1cf?source=cve https://plugins.trac.wordpress.org/browser/fastdup/trunk/includes/Endpoint/TemplateApi.php#L219 https://plugins.trac.wordpress.org/browser/fastdup/tags/2.7/includes/Endpoint/TemplateApi.php#L219 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432226%40fastdup&new=3432226%40fastdup&sfp_email=&sfph_mail=#file3 |
| nsthemes--NS Ie Compatibility Fixer | The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-14845 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c25b462-cb9e-4250-bb17-9f2a0bd7665e?source=cve https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L29 https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L30 https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_settings_custom.php#L8 https://developer.wordpress.org/plugins/security/nonces/ https://developer.wordpress.org/reference/functions/wp_verify_nonce/ https://developer.wordpress.org/reference/functions/check_admin_referer/ |
| octobercms--october | October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12. | 2026-01-10 | 6.1 | CVE-2025-61674 | https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x |
| octobercms--october | October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input at Styles from Branding & Appearance settings. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12. | 2026-01-10 | 6.1 | CVE-2025-61676 | https://github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6 |
| openchamp--Simcast | The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-14077 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3917e1a-c230-46ad-9889-6ab233ecc4d0?source=cve https://plugins.trac.wordpress.org/browser/simcast/trunk/Simcast_OptionsManager.php#L257 https://plugins.trac.wordpress.org/browser/simcast/tags/1.0.0/Simcast_OptionsManager.php#L257 |
| OpenCTI-Platform--opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.3, an open redirect vulnerability exists in the OpenCTI platform's SAML authentication endpoint (/auth/saml/callback). By manipulating the RelayState parameter, an attacker can force the server to issue a 302 redirect to any external URL, enabling phishing, credential theft, and arbitrary site redirection. This issue has been patched in version 6.8.3. | 2026-01-07 | 5.4 | CVE-2025-61782 | https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jc3f-c62g-v7qw https://github.com/OpenCTI-Platform/opencti/commit/f755165a26888925c4a58018f7238ff92a0bd378 https://github.com/OpenCTI-Platform/opencti/releases/tag/6.8.3 |
| OPEXUS--eCASE Audit | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0. | 2026-01-08 | 5.5 | CVE-2026-22231 | url url url |
| OPEXUS--eCASE Audit | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0. | 2026-01-08 | 5.5 | CVE-2026-22232 | url url url |
| OPEXUS--eCASE Audit | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0. | 2026-01-08 | 5.5 | CVE-2026-22233 | url url url |
| opf--openproject | OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3. | 2026-01-10 | 4.3 | CVE-2026-22605 | https://github.com/opf/openproject/security/advisories/GHSA-fq4m-pxvm-8x2j https://github.com/opf/openproject/releases/tag/v16.6.3 |
| P5--FNIP-8x16A | P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking authenticated users into loading a specially crafted form. | 2026-01-06 | 4.3 | CVE-2020-36906 | ExploitDB-48362 Official Product Homepage Zero Science Lab Disclosure (ZSL-2020-5564) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange 1 IBM X-Force Vulnerability Exchange 2 VulnCheck Advisory: P5 FNIP-8x16A FNIP-4xSH 1.0.20 Cross-Site Request Forgery via User Management |
| pagup--Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) | The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the post editor. | 2026-01-09 | 6.4 | CVE-2025-15019 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0af219a7-6596-47b2-ab8e-a71f20218759?source=cve https://plugins.trac.wordpress.org/changeset/3431985/bulk-image-alt-text-with-yoast/trunk/admin/views/metabox.view.php |
| pagup--WP Google Street View (with 360 virtual tour) & Google maps + Local SEO | The WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsv_map' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2026-0563 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2bc8a3fb-176e-4bf0-b96e-6ccb9688254b?source=cve https://plugins.trac.wordpress.org/changeset/3432185/wp-google-street-view/trunk/includes/shortcode.php |
| Parsl--parsl | Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue. | 2026-01-08 | 5.3 | CVE-2026-21892 | https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58 https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974 |
| Passionate Brains--GA4WP: Google Analytics for WordPress | Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through 2.10.0. | 2026-01-08 | 5.4 | CVE-2026-22517 | https://patchstack.com/database/wordpress/plugin/ga-for-wp/vulnerability/wordpress-ga4wp-google-analytics-for-wordpress-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve |
| pencilwp--X Addons for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor allows DOM-Based XSS.This issue affects X Addons for Elementor: from n/a through 1.0.23. | 2026-01-08 | 6.5 | CVE-2026-22518 | https://patchstack.com/database/wordpress/plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PHPGurukul--Online Course Registration System | A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument id/cid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-08 | 6.3 | CVE-2026-0733 | VDB-340130 | PHPGurukul Online Course Registration System manage-students.php sql injection VDB-340130 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #733328 | PHPGurukul Online Course Registration System ≤ 3.1 SQL Injection Vulnerability Submit #733331 | PHPGurukul Online Course Registration System ≤ 3.1 SQL Injection (Duplicate) https://note-hxlab.wetolink.com/share/cU33RBoPPAF0 https://note-hxlab.wetolink.com/share/Tma34bofeB2L https://phpgurukul.com/ |
| PHPGurukul--Online Course Registration System | A vulnerability was found in PHPGurukul Online Course Registration System up to 3.1. This affects an unknown part of the file /enroll.php. The manipulation of the argument studentregno/Pincode/session/department/level/course/sem results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2026-01-09 | 6.3 | CVE-2026-0803 | VDB-340255 | PHPGurukul Online Course Registration System enroll.php sql injection VDB-340255 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #733344 | PHPGurukul Online Course Registration System ≤ 3.1 SQL Injection https://note-hxlab.wetolink.com/share/qX132pk8Wofk https://phpgurukul.com/ |
| pichel--WP Js List Pages Shortcodes | The WP Js List Pages Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14110 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3f8dced7-cbe1-4d50-9fa0-1cf441dddefa?source=cve https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/tags/1.21/js-list-pages-shortcodes.php#L58 https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L47 https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L50 https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L58 |
| POSIMYTH Innovation--The Plus Addons for Elementor Pro | Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7. | 2026-01-07 | 6.5 | CVE-2025-46434 | https://patchstack.com/database/wordpress/plugin/theplus_elementor_addon/vulnerability/wordpress-the-plus-addons-for-elementor-pro-plugin-6-3-7-broken-access-control-vulnerability?_s_id=cve |
| POSIMYTH--The Plus Addons for Elementor Page Builder Lite | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows DOM-Based XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.3.3. | 2026-01-05 | 6.5 | CVE-2024-23511 | https://vdp.patchstack.com/database/wordpress/plugin/the-plus-addons-for-elementor-page-builder/vulnerability/wordpress-the-plus-addons-for-elementor-plugin-5-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| pr-gateway--Blog2Social: Social Media Auto Post & Scheduler | The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user has the 'read' capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts. | 2026-01-10 | 4.3 | CVE-2025-14943 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7374db91-4e7d-4db2-9c58-bb9bdda5c85d?source=cve https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Get.php#L243 https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Get.php?rev=3423620#L252 |
| praveentamil--Sticky Action Buttons | The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_options_page_form_submit() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-14465 | https://www.wordfence.com/threat-intel/vulnerabilities/id/82b243c7-5b58-4765-9083-4660c0b479cc?source=cve https://plugins.trac.wordpress.org/browser/sticky-action-buttons/tags/1.0/sticky-action-buttons.php#L105 |
| premmerce--Premmerce WooCommerce Customers Manager | The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' parameters in all versions up to, and including, 1.1.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-13369 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9980ec20-60ae-42eb-a2cd-146e57435398?source=cve https://plugins.trac.wordpress.org/browser/woo-customers-manager/trunk/src/Admin/Admin.php#L135 https://plugins.trac.wordpress.org/browser/woo-customers-manager/tags/1.1.14/src/Admin/Admin.php#L135 https://plugins.trac.wordpress.org/browser/woo-customers-manager/trunk/views/admin/filter.php#L43 https://plugins.trac.wordpress.org/browser/woo-customers-manager/tags/1.1.14/views/admin/filter.php#L43 |
| Project-MONAI--MONAI | MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.ZipFile.extractall()` without path validation, while other similar download functions in the same codebase properly use the existing `safe_extract_member()` function. Commit 4014c8475626f20f158921ae0cf98ed259ae4d59 fixes this issue. | 2026-01-07 | 5.3 | CVE-2026-21851 | https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-9rg3-9pvr-6p27 https://github.com/Project-MONAI/MONAI/commit/4014c8475626f20f158921ae0cf98ed259ae4d59 |
| pterodactyl--panel | Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0. | 2026-01-06 | 6.5 | CVE-2025-69197 | https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683 https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf https://github.com/pterodactyl/panel/releases/tag/v1.12.0 |
| publishpress--Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators. | 2026-01-09 | 5.4 | CVE-2025-14718 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8198d81a-40c0-49c1-8c38-f5ef6fb911ad?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/post-expirator/tags/4.9.3/src/Modules/Workflows/Rest/RestApiV1.php&new_path=/post-expirator/tags/4.9.4/src/Modules/Workflows/Rest/RestApiV1.php |
| pypa--virtualenv | virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1. | 2026-01-10 | 4.5 | CVE-2026-22702 | https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 https://github.com/pypa/virtualenv/pull/3013 https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc |
| Qualcomm, Inc.--Snapdragon | Information disclosure while processing a firmware event. | 2026-01-06 | 6.1 | CVE-2025-47331 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing a config call from userspace. | 2026-01-06 | 6.7 | CVE-2025-47332 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while handling buffer mapping operations in the cryptographic driver. | 2026-01-06 | 6.6 | CVE-2025-47333 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing shared command buffer packet between camera userspace and kernel. | 2026-01-06 | 6.7 | CVE-2025-47334 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while parsing clock configuration data for a specific hardware type. | 2026-01-06 | 6.7 | CVE-2025-47335 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while performing sensor register read operations. | 2026-01-06 | 6.7 | CVE-2025-47336 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while accessing a synchronization object during concurrent operations. | 2026-01-06 | 6.7 | CVE-2025-47337 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while handling sensor utility operations. | 2026-01-06 | 6.7 | CVE-2025-47344 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS while parsing a WLAN management frame with a Vendor Specific Information Element. | 2026-01-06 | 6.5 | CVE-2025-47395 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS while parsing video packets received from the video firmware. | 2026-01-06 | 5.5 | CVE-2025-47330 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Information disclosure when a weak hashed value is returned to userland code in response to a IOCTL call to obtain a session ID. | 2026-01-06 | 5.5 | CVE-2025-47369 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Missing Authorization vulnerability, allowing authenticated remote attackers to modify specific network packet parameters, enabling certain system functions to access other users' files. | 2026-01-05 | 6.5 | CVE-2025-15235 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2026-01-05 | 6.5 | CVE-2025-15238 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2026-01-05 | 6.5 | CVE-2025-15239 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. | 2026-01-05 | 4.3 | CVE-2025-15236 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. | 2026-01-05 | 4.3 | CVE-2025-15237 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| quarkusio--quarkus | Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early. | 2026-01-07 | 5.9 | CVE-2025-66560 | https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624 |
| quickjs-ng--quickjs | A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch. | 2026-01-10 | 6.3 | CVE-2026-0822 | VDB-340356 | quickjs-ng quickjs quickjs.c js_typed_array_sort heap-based overflow VDB-340356 | CTI Indicators (IOB, IOC, IOA) Submit #731783 | quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow https://github.com/quickjs-ng/quickjs/issues/1297 https://github.com/quickjs-ng/quickjs/pull/1298 https://github.com/quickjs-ng/quickjs/issues/1297#issue-3780006202 https://github.com/quickjs-ng/quickjs/commit/53eefbcd695165a3bd8c584813b472cb4a69fbf5 |
| RainyGao--DocSys | A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. Performing a manipulation of the argument searchWord results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 6.3 | CVE-2025-15492 | VDB-340270 | RainyGao DocSys GroupMemberMapper.xml sql injection VDB-340270 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725373 | https://github.com/RainyGao-GitHub/DocSys/releases/tag/DocSys_V2 RainyGao-GitHub 2.02.36 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A53.md https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A53.md#vulnerability-analysis-and-reproduction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%A4%8D%E7%8E%B0 |
| RainyGao--DocSys | A flaw has been found in RainyGao DocSys up to 2.02.36. The impacted element is an unknown function of the file src/com/DocSystem/mapping/ReposAuthMapper.xml. Executing a manipulation of the argument searchWord can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 6.3 | CVE-2025-15493 | VDB-340271 | RainyGao DocSys ReposAuthMapper.xml sql injection VDB-340271 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725374 | https://github.com/RainyGao-GitHub/DocSys/releases/tag/DocSys_V2 RainyGao-GitHub 2.02.36 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md#vulnerability-analysis-and-reproduction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%A4%8D%E7%8E%B0 |
| RainyGao--DocSys | A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 6.3 | CVE-2025-15494 | VDB-340272 | RainyGao DocSys UserMapper.xml sql injection VDB-340272 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725407 | https://github.com/RainyGao-GitHub/DocSys/releases/tag/DocSys_V2 RainyGao-GitHub 2.02.37 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A52.02.37.md https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A52.02.37.md#vulnerability-analysis-and-reproduction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%A4%8D%E7%8E%B0 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications. | 2026-01-08 | 5.3 | CVE-2026-0707 | https://access.redhat.com/security/cve/CVE-2026-0707 RHBZ#2427768 |
| remix-run--react-router | React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6. | 2026-01-10 | 6.5 | CVE-2025-68470 | https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m |
| remix-run--react-router | React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0. | 2026-01-10 | 6.5 | CVE-2026-22030 | https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh |
| roxnor--EmailKit Email Customizer for WooCommerce & WP | The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in all versions up to, and including, 1.6.1. This is due to missing path validation in the create_template REST API endpoint where user-controlled input from the emailkit-editor-template parameter is passed directly to file_get_contents() without sanitization. This makes it possible for authenticated attackers with Author-level permissions or higher to read arbitrary files on the server, including sensitive configuration files like /etc/passwd and wp-config.php, via the REST API. The file contents are stored in post meta and can be exfiltrated through MetForm's email confirmation feature. | 2026-01-07 | 6.5 | CVE-2025-14059 | https://www.wordfence.com/threat-intel/vulnerabilities/id/91ebe8cb-99ec-4380-a77e-17e17144a17e?source=cve https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L163 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419280%40emailkit%2Ftrunk&old=3373383%40emailkit%2Ftrunk&sfp_email=&sfph_mail=#file1 |
| roxnor--Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records. | 2026-01-06 | 5.3 | CVE-2025-14441 | https://www.wordfence.com/threat-intel/vulnerabilities/id/48f5a44d-d01f-4c41-98da-7c1f6c65c254?source=cve https://plugins.trac.wordpress.org/browser/popup-builder-block/trunk/includes/Routes/Subscribers.php#L77 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L77 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L64 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421671%40popup-builder-block&new=3421671%40popup-builder-block&sfp_email=&sfph_mail= |
| rubengc--GamiPress Gamification plugin to reward points, achievements, badges & ranks in WordPress | The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts. | 2026-01-06 | 4.3 | CVE-2025-13812 | https://www.wordfence.com/threat-intel/vulnerabilities/id/acfdd579-0be9-476b-90cd-07f417712691?source=cve https://plugins.trac.wordpress.org/changeset/3430697/ |
| ruhul080--My Album Gallery | The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style_css' shortcode attribute in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14453 | https://www.wordfence.com/threat-intel/vulnerabilities/id/64399c1c-ea82-483b-b320-3c6f2cb010b3?source=cve https://plugins.trac.wordpress.org/browser/my-album-gallery/trunk/controllers/public/class-mygallery-shortcode.php#L121 https://plugins.trac.wordpress.org/browser/my-album-gallery/tags/1.0.4/controllers/public/class-mygallery-shortcode.php#L121 |
| ruhul080--My Album Gallery | The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image titles in all versions up to, and including, 1.0.4. This is due to insufficient input sanitization and output escaping on the 'attachment->title' attribute. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14796 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1dd0bb5b-2eb5-46f0-8942-2885b1138b70?source=cve https://plugins.trac.wordpress.org/browser/my-album-gallery/tags/1.0.4/mygallery-single.php#L92 https://plugins.trac.wordpress.org/browser/my-album-gallery/tags/1.0.4/controllers/public/class-mygallery-shortcode.php#L143 |
| RustCrypto--signatures | RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature. This issue has been patched in version 0.1.0-rc.2. | 2026-01-10 | 6.4 | CVE-2026-22705 | https://github.com/RustCrypto/signatures/security/advisories/GHSA-hcp2-x6j4-29j7 https://github.com/RustCrypto/signatures/pull/1144 https://github.com/RustCrypto/signatures/commit/035d9eef98486ecd00a8bf418c7817eb14dd6558 |
| samikeijonen--EDD Download Info | The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14121 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c0290595-d74d-404e-9d28-75abc9055031?source=cve https://plugins.trac.wordpress.org/browser/edd-download-info/trunk/includes/shortcodes.php#L43 https://plugins.trac.wordpress.org/browser/edd-download-info/tags/1.1/includes/shortcodes.php#L43 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds read in libimagecodec.quram.so prior to SMR Jan-2026 Release 1 allows remote attacker to access out-of-bounds memory. | 2026-01-09 | 5.3 | CVE-2026-20973 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Secure Computing--SnapGear Management Console SG560 | SnapGear Management Console SG560 3.1.5 contains a file manipulation vulnerability that allows authenticated users to read, write, and delete files using the edit_config_files CGI script. Attackers can manipulate POST request parameters in /cgi-bin/cgix/edit_config_files to access and modify files outside the intended /etc/config/ directory. | 2026-01-06 | 6.5 | CVE-2020-36909 | ExploitDB-48556 Zero Science Lab Disclosure (ZSL-2020-5568) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: Secure Computing SnapGear Management Console SG560 3.1.5 Arbitrary File Read/Write |
| Secure Computing--SnapGear Management Console SG560 | SnapGear Management Console SG560 version 3.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft a malicious web page that automatically submits a form to create a new super user account with full administrative privileges when a logged-in user visits the page. | 2026-01-06 | 5.3 | CVE-2020-36908 | ExploitDB-48554 Zero Science Lab Disclosure (ZSL-2020-5567) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: Secure Computing SnapGear Management Console SG560 3.1.5 Cross-Site Request Forgery via Admin Users |
| sergiotoca--STM Gallery 1.9 | The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13848 | https://www.wordfence.com/threat-intel/vulnerabilities/id/393d6e4a-af05-48ac-8921-f298932245a4?source=cve https://plugins.trac.wordpress.org/browser/stm-gallery/trunk/stmgallery_v.0.9.php#L121 https://plugins.trac.wordpress.org/browser/stm-gallery/tags/0.9/stmgallery_v.0.9.php#L121 |
| sfturing--hosp_order | A vulnerability was identified in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. Affected by this vulnerability is the function findOrderHosNum of the file /ssm_pro/orderHos/. Such manipulation of the argument hospitalAddress/hospitalName leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 6.3 | CVE-2025-15450 | VDB-339483 | sfturing hosp_order orderHos findOrderHosNum sql injection VDB-339483 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722925 | https://github.com/sfturing/hosp_order hosp_order latest SQL Injection https://github.com/sfturing/hosp_order/issues/111 https://github.com/sfturing/hosp_order/issues/111#issue-3760306826 |
| sharethis--ShareThis Dashboard for Google Analytics | The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics to click the link. | 2026-01-07 | 4.7 | CVE-2025-12540 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6781dcc5-db95-43ca-9042-a3c05414b7e6?source=cve https://plugins.trac.wordpress.org/browser/googleanalytics/trunk/credentials.json?rev=3364575 |
| shoheitanaka--Japanized for WooCommerce | The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processed/completed. | 2026-01-09 | 5.3 | CVE-2025-14886 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bf3248a-f235-472c-b751-96ac9838b27f?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.7.17/includes/gateways/paidy/class-wc-paidy-endpoint.php#L51 |
| SigmaPlugin--Advanced Database Cleaner PRO | Path Traversal: '.../...//' vulnerability in SigmaPlugin Advanced Database Cleaner PRO allows Path Traversal.This issue affects Advanced Database Cleaner PRO: from n/a through 3.2.10. | 2026-01-07 | 6.4 | CVE-2025-46256 | https://patchstack.com/database/wordpress/plugin/advanced-database-cleaner-pro/vulnerability/wordpress-advanced-database-cleaner-pro-plugin-3-2-10-limited-txt-path-traversal-vulnerability?_s_id=cve |
| sigstore--cosign | Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4. | 2026-01-10 | 5.5 | CVE-2026-22703 | https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m https://github.com/sigstore/cosign/pull/4623 https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176 |
| smjrifle--SVG Map Plugin | The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. This makes it possible for unauthenticated attackers to update the plugin's settings, delete map data, and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-13519 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5aaa97cc-4deb-43b6-957d-587834eca125?source=cve https://plugins.trac.wordpress.org/browser/svg-map-by-saedi/trunk/svg-map-by-saedi.php#L90 https://plugins.trac.wordpress.org/browser/svg-map-by-saedi/tags/1.0.0/svg-map-by-saedi.php#L90 |
| SOCA Technology Co., Ltd--SOCA Access Control System | SOCA Access Control System 180612 contains a cross-site scripting vulnerability in the 'senddata' POST parameter of logged_page.php that allows attackers to inject malicious scripts. Attackers can exploit this weakness by sending crafted POST requests to execute arbitrary HTML and script code in a victim's browser session. | 2026-01-07 | 6.1 | CVE-2019-25270 | Zero Science Lab Vulnerability Entry Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange SOCA Vendor Homepage |
| soniz--Curved Text | The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13854 | https://www.wordfence.com/threat-intel/vulnerabilities/id/48514fdb-20c6-4a7f-8f60-e532ddd8853e?source=cve https://plugins.trac.wordpress.org/browser/curved-text/trunk/curved-text.php#L32 https://plugins.trac.wordpress.org/browser/curved-text/tags/0.1/curved-text.php#L32 |
| spree--spree | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users' address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker's order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5. | 2026-01-08 | 6.5 | CVE-2026-22588 | https://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6j https://github.com/spree/spree/commit/02acabdce2c5f14fd687335b068d901a957a7e72 https://github.com/spree/spree/commit/17e78a91b736b49dbea8d1bb1223c284383ee5f3 https://github.com/spree/spree/commit/b409c0fd327e7ce37f63238894670d07079eefe8 https://github.com/spree/spree/commit/d3f961c442e0015661535cbd6eb22475f76d2dc7 |
| spwebguy--Responsive Pricing Table | The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13418 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5d28fd23-fa86-4353-b1b4-af61192f8482?source=cve https://wordpress.org/plugins/dk-pricr-responsive-pricing-table/ |
| spwebguy--Responsive Pricing Table | The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-15058 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e20a34e5-6c1c-4f12-b1d8-aa4b40a5dd00?source=cve https://wordpress.org/plugins/dk-pricr-responsive-pricing-table/ |
| stevejburge--TaxoPress: Tag, Category, and Taxonomy Manager AI Autotagger | The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own. | 2026-01-06 | 4.3 | CVE-2025-14371 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1ef51ffb-df1e-442d-abc8-3a0308099a0b?source=cve https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php#L681 |
| stylemix--MasterStudy LMS WordPress Plugin for Online Courses and Education | The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates | 2026-01-06 | 5.4 | CVE-2025-13766 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2719739a-90dc-470b-9270-8578e0cead59?source=cve https://plugins.trac.wordpress.org/changeset/3422825/ |
| techjewel--Fluent Forms Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary forms via the publicly exposed AI builder. | 2026-01-07 | 5.3 | CVE-2025-13722 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f7dbf179-7099-4dfb-8dad-780f996a7005?source=cve https://plugins.trac.wordpress.org/changeset/3406804/fluentform/tags/6.1.8/app/Modules/Ai/AiFormBuilder.php |
| Tenda--AC1206 | A vulnerability was determined in Tenda AC1206 15.03.06.23. Affected by this issue is the function formBehaviorManager of the file /goform/BehaviorManager of the component httpd. Executing a manipulation of the argument modulename/option/data/switch can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-05 | 6.3 | CVE-2026-0581 | VDB-339473 | Tenda AC1206 httpd BehaviorManager formBehaviorManager command injection VDB-339473 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731193 | Tenda AC1206 AC1206V1.0RTL_V15.03.06.23 Command Injection https://github.com/ccc-iotsec/cve-/blob/Tenda/Tenda%20AC1206%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md https://www.tenda.com.cn/ |
| tfrommen--Page Keys | The Page Keys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_key' parameter in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-15000 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d3863ec-0cc7-4128-a19e-fc1e2c31195e?source=cve https://plugins.trac.wordpress.org/browser/page-keys/tags/1.3.3/inc/ListTable.php#L260 |
| themehigh--Email Customizer for WooCommerce | Drag and Drop Email Templates Builder | The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in email templates that will execute when customers view transactional emails. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-13974 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c6927b4f-f47e-47fc-a5bf-b7fa42c31412?source=cve https://plugins.trac.wordpress.org/browser/email-customizer-for-woocommerce/tags/2.6.7/classes/inc/class-wecmf-general-template.php#L213 https://plugins.trac.wordpress.org/browser/email-customizer-for-woocommerce/trunk/classes/inc/class-wecmf-general-template.php#L213 |
| ThemeHunk--Oneline Lite | Missing Authorization vulnerability in ThemeHunk Oneline Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Oneline Lite: from n/a through 6.6. | 2026-01-07 | 4.3 | CVE-2025-69344 | https://patchstack.com/database/wordpress/theme/oneline-lite/vulnerability/wordpress-oneline-lite-theme-6-6-broken-access-control-vulnerability?_s_id=cve |
| themelocation--WP Popup Magic | The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13900 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c11a5f07-de89-47ec-a92e-2adc75965648?source=cve https://plugins.trac.wordpress.org/browser/wppopupmagic/trunk/class-wppum-frontend.php#L622 https://plugins.trac.wordpress.org/browser/wppopupmagic/tags/1.0.0/class-wppum-frontend.php#L622 |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address. | 2026-01-08 | 6.5 | CVE-2025-13679 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0830d0c3-99c0-423e-99ab-f0c1cbec52d9?source=cve https://plugins.trac.wordpress.org/changeset/3422766/tutor/tags/3.9.4/ecommerce/OrderController.php |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons. | 2026-01-09 | 4.3 | CVE-2025-13628 | https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow. | 2026-01-09 | 4.3 | CVE-2025-13934 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5de212c9-5c2e-4713-b1ce-022dd84520c3?source=cve https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed. | 2026-01-09 | 4.3 | CVE-2025-13935 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7b8b111a-9626-41f4-8a13-51f576af0257?source=cve https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php |
| thimpress--LearnPress WordPress LMS Plugin | The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items. | 2026-01-06 | 5.3 | CVE-2025-13964 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae363511-8a1f-476a-9851-61f7763428c2?source=cve https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/Ajax/EditCurriculumAjax.php#L52 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/Ajax/AbstractAjax.php#L18 |
| thimpress--LearnPress WordPress LMS Plugin | The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id. | 2026-01-07 | 5.4 | CVE-2025-14802 | https://www.wordfence.com/threat-intel/vulnerabilities/id/884c4508-1ee1-4384-9fc2-29e2c9042426?source=cve https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L527 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L405 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L77 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.3/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L403 |
| ThimPress--Thim Core | Cross-Site Request Forgery (CSRF) vulnerability in ThimPress Thim Core allows Cross Site Request Forgery.This issue affects Thim Core: from n/a through 2.3.3. | 2026-01-05 | 4.3 | CVE-2025-53344 | https://vdp.patchstack.com/database/wordpress/plugin/thim-core/vulnerability/wordpress-thim-core-plugin-plugin-2-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| tomiup--WP Recipe Manager | The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13667 | https://www.wordfence.com/threat-intel/vulnerabilities/id/12b14418-28f0-4786-b8f8-a637fe007b6c?source=cve https://plugins.trac.wordpress.org/browser/wp-recipe-manager/trunk/inc/libs/class.metaboxes.php#L203 https://plugins.trac.wordpress.org/browser/wp-recipe-manager/tags/1.0.0/inc/libs/class.metaboxes.php#L203 |
| top-position--Top Position Google Finance | The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-09 | 6.1 | CVE-2025-13895 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fcbf81f8-8b33-4b83-91fb-626b7b5f3bb2?source=cve https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L78 https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L56 |
| TOTOLINK--WA1200 | A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-01-08 | 5.3 | CVE-2026-0731 | VDB-340128 | TOTOLINK WA1200 HTTP Request cstecgi.cgi null pointer dereference VDB-340128 | CTI Indicators (IOB, IOC, IOA) Submit #733249 | TOTOLINK WA1200 V5.9c.2914 NULL Pointer Dereference https://github.com/JackWesleyy/CVE/blob/main/WA1200/TOTOLINK%20WA1200%20NULL%20Pointer%20Dereference%20Vulnerability.md https://github.com/JackWesleyy/CVE/blob/main/WA1200/TOTOLINK%20WA1200%20NULL%20Pointer%20Dereference%20Vulnerability.md#poc https://www.totolink.net/ |
| TOTOLINK--WA300 | A security vulnerability has been detected in TOTOLINK WA300 5.2cu.7112_B20190227. This vulnerability affects the function sub_401510 of the file cstecgi.cgi. The manipulation of the argument UPLOAD_FILENAME leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-01-06 | 6.3 | CVE-2026-0641 | VDB-339684 | TOTOLINK WA300 cstecgi.cgi sub_401510 command injection VDB-339684 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #732234 | TOTOLINK WA300 V5.2cu.7112_B20190227 Command Injection https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md#poc https://www.totolink.net/ |
| tox-dev--filelock | filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3. | 2026-01-10 | 5.3 | CVE-2026-22701 | https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0 https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5 |
| TryGhost--Ghost | Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0. | 2026-01-10 | 6.7 | CVE-2026-22596 | https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955 https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391 |
| tugbucket--Multi-column Tag Map | The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-14057 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f151cb44-499e-4b08-80fb-0a573594d624?source=cve https://plugins.trac.wordpress.org/browser/multi-column-tag-map/trunk/mctagmap_functions.php#L1845 https://plugins.trac.wordpress.org/browser/multi-column-tag-map/tags/17.0.39/mctagmap_functions.php#L1845 https://plugins.trac.wordpress.org/browser/multi-column-tag-map/tags/17.0.39/mctagmap-options.php#L65 |
| Ubiquiti Inc--UniFi Connect EV Station Lite | An Improper Access Control could allow a malicious actor in Wi-Fi range to the EV Station Lite (v1.5.2 and earlier) to use WiFi AutoLink feature on a device that was only adopted via Ethernet. | 2026-01-05 | 5.3 | CVE-2026-21635 | https://community.ui.com/releases/Security-Advisory-Bulletin-059/0c0b7f7a-68b7-41b9-987e-554f4b40e0e6 |
| Ubiquiti Inc--UniFi Protect Application | A malicious actor with access to the adjacent network could overflow the UniFi Protect Application (Version 6.1.79 and earlier) discovery protocol causing it to restart. Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later. | 2026-01-05 | 6.5 | CVE-2026-21634 | https://community.ui.com/releases/Security-Advisory-Bulletin-058-058/6922ff20-8cd7-4724-8d8c-676458a2d0f9 |
| ultimatemember--ForumWP Forum & Discussion Board | The ForumWP - Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-06 | 6.4 | CVE-2025-13746 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f0eb6dc5-98e2-4d88-98f8-8a63c939b047?source=cve https://plugins.trac.wordpress.org/browser/forumwp/tags/2.1.5/assets/front/js/tooltip.js#L25 https://plugins.trac.wordpress.org/browser/forumwp/tags/2.1.5/includes/common/class-user.php#L906 https://plugins.trac.wordpress.org/browser/forumwp/tags/2.1.5/templates/user-card.php#L57 |
| viitorcloudvc--Viitor Button Shortcodes | The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14113 | https://www.wordfence.com/threat-intel/vulnerabilities/id/61488a15-b49f-4381-9a35-746c39f25967?source=cve https://plugins.trac.wordpress.org/browser/viitor-shortcodes/trunk/includes/class-ww-vcsc-shortcodes.php#L51 https://plugins.trac.wordpress.org/browser/viitor-shortcodes/tags/3.0.0/includes/class-ww-vcsc-shortcodes.php#L51 |
| vikasratudi--Page Expire Popup/Redirection for WordPress | The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-06 | 6.5 | CVE-2025-14153 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b0c232b2-f7c8-4a8d-b282-72f61ecfc5da?source=cve https://plugins.trac.wordpress.org/browser/page-expire-popup/trunk/inc/vfpageexpirepopupstructure.php#L8 https://plugins.trac.wordpress.org/browser/page-expire-popup/tags/1.0/inc/vfpageexpirepopupstructure.php#L8 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3427583%40page-expire-popup&new=3427583%40page-expire-popup&sfp_email=&sfph_mail= |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0. | 2026-01-10 | 6.5 | CVE-2026-22773 | https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr |
| wedevs--weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot | The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys. | 2026-01-09 | 5.3 | CVE-2025-14574 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cbca3d1e-0985-43d3-855e-eee07715f670?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/wedocs/tags/2.1.15&new_path=/wedocs/tags/2.1.16#file12 |
| wisdmlabs--AI BotKit AI Chatbot & Live Support for WordPress (No-Code) | The AI BotKit - AI Chatbot & Live Support for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the `ai_botkit_widget` shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13887 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5659af1d-f248-46ff-b282-ef5397222d8d?source=cve https://plugins.trac.wordpress.org/browser/ai-botkit-for-lead-generation/trunk/includes/public/class-shortcode-handler.php#L42 https://plugins.trac.wordpress.org/browser/ai-botkit-for-lead-generation/tags/1.1.7/includes/public/class-shortcode-handler.php#L42 |
| woodpeckerleadform--Woodpecker for WordPress | The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13967 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1d99c8a8-daeb-402b-990d-6bacf6e9a780?source=cve https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/class-wfw-public.php#L109 https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/class-wfw-public.php#L109 https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/partials/wfw-public-shortcode.php#L39 https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/partials/wfw-public-shortcode.php#L39 |
| WP Swings--Wallet System for WooCommerce | Insertion of Sensitive Information Into Sent Data vulnerability in WP Swings Wallet System for WooCommerce allows Retrieve Embedded Sensitive Data.This issue affects Wallet System for WooCommerce: from n/a through 2.7.2. | 2026-01-05 | 6.3 | CVE-2025-68029 | https://vdp.patchstack.com/database/wordpress/plugin/wallet-system-for-woocommerce/vulnerability/wordpress-wallet-system-for-woocommerce-plugin-2-7-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| wpcommerz--twinklesmtp Email Service Provider For WordPress | The twinklesmtp - Email Service Provider For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's sender settings in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-14887 | https://www.wordfence.com/threat-intel/vulnerabilities/id/223d62cc-61ee-4818-9521-a772c1d57d59?source=cve https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L32 https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L46 https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L50 https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L84 https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L88 https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L36 |
| wpdevart--Countdown Timer Widget Countdown | The Countdown Timer - Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-10 | 6.4 | CVE-2025-14555 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ee84c720-7997-4c09-a2f9-5e1a28bd1100?source=cve https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L167 https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L48 https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L30 https://plugins.trac.wordpress.org/changeset/3425959/ |
| wpdevelop--Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for unauthenticated attackers to extract sensitive booking data including customer names, email addresses, phone numbers, and booking details. | 2026-01-09 | 5.3 | CVE-2025-14146 | https://www.wordfence.com/threat-intel/vulnerabilities/id/281a1c0e-bbd8-4cf6-94ca-b888c7d7e3af?source=cve https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/lib/wpbc-ajax.php#L29 https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/includes/_functions/nonce_func.php#L33 https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/wpbc-activation.php#L572 https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/timeline/v2/wpbc-class-timeline_v2.php#L3187 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3434934%40booking%2Ftrunk&old=3432649%40booking%2Ftrunk&sfp_email=&sfph_mail=#file2 |
| wpdevteam--BetterDocs Knowledge Base Documentation & FAQ Solution for Elementor & Block Editor | The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings. | 2026-01-09 | 6.5 | CVE-2025-14980 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1595f231-d300-484a-a0e1-1e2bc7b82ed3?source=cve https://research.cleantalk.org/cve-2025-14980/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3430424%40betterdocs%2Ftags%2F4.3.4&old=3422660%40betterdocs%2Ftrunk |
| wpdevteam--Templately Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! | The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters like `session_id`, `content_id`, and `ai_page_ids` are used to construct file paths without proper sanitization. This makes it possible for unauthenticated attackers to write arbitrary `.ai.json` files to locations within the uploads directory. | 2026-01-10 | 5.3 | CVE-2026-0831 | https://www.wordfence.com/threat-intel/vulnerabilities/id/778242f4-5dfa-4d72-a032-8b5521c5b8ce?source=cve https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/Core/Importer/Utils/AIUtils.php#L414 https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/API/AIContent.php#L38 https://plugins.trac.wordpress.org/changeset/3426051/ |
| wpeverest--User Registration & Membership Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin | The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce validation on the 'process_row_actions' function with the 'delete' action. This makes it possible for unauthenticated attackers to delete arbitrary post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-10 | 5.4 | CVE-2025-14976 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e5495b4c-a1ac-4860-83a7-686d9436d983?source=cve https://plugins.trac.wordpress.org/browser/user-registration/tags/4.4.8/includes/abstracts/abstract-ur-list-table.php#L290 https://plugins.trac.wordpress.org/changeset/3435099/user-registration |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information. | 2026-01-09 | 5.3 | CVE-2025-14782 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2b28ddeb-44f5-4d19-b866-94fc2088ee6d?source=cve https://plugins.trac.wordpress.org/changeset/3423003/forminator/trunk/library/class-export.php |
| WPShop.ru--AdsPlace'r Ad Manager, Inserter, AdSense Ads | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPShop.Ru AdsPlace'r - Ad Manager, Inserter, AdSense Ads allows DOM-Based XSS.This issue affects AdsPlace'r - Ad Manager, Inserter, AdSense Ads: from n/a through 1.1.5. | 2026-01-06 | 6.5 | CVE-2024-31088 | https://patchstack.com/database/wordpress/plugin/adsplacer/vulnerability/wordpress-adsplace-r-ad-manager-inserter-adsense-ads-plugin-1-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wptb--WP Table Builder Drag & Drop Table Builder | The WP Table Builder - Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts. | 2026-01-09 | 4.3 | CVE-2025-13753 | https://www.wordfence.com/threat-intel/vulnerabilities/id/95f49080-2263-4f6d-9372-30137efd8e10?source=cve https://plugins.trac.wordpress.org/changeset/3432381/wp-table-builder |
| Wptexture--Image Slider Slideshow | Authorization Bypass Through User-Controlled Key vulnerability in Wptexture Image Slider Slideshow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider Slideshow: from n/a through 1.8. | 2026-01-08 | 4.3 | CVE-2026-22489 | https://patchstack.com/database/wordpress/plugin/image-slider-slideshow/vulnerability/wordpress-image-slider-slideshow-plugin-1-8-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| WPvibes--AnyWhere Elementor Pro | Missing Authorization vulnerability in WPvibes AnyWhere Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyWhere Elementor Pro: from n/a through 2.29. | 2026-01-05 | 4.3 | CVE-2025-31046 | https://vdp.patchstack.com/database/wordpress/theme/anywhere-elementor-pro/vulnerability/wordpress-anywhere-elementor-pro-2-29-broken-access-control-vulnerability?_s_id=cve |
| wpvibes--Form Vibes Database Manager for Forms | The Form Vibes - Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-06 | 4.9 | CVE-2025-13409 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28eb6998-be54-4cf9-8bb1-454c07151748?source=cve https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.4.13/inc/modules/analytics/module.php#L62 https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.4.13/inc/modules/analytics/module.php#L51 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425061%40form-vibes&new=3425061%40form-vibes&sfp_email=&sfph_mail= |
| www15to--QR Code for WooCommerce order emails, PDF invoices, packing slips | The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.9.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14626 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5b2e599c-48de-4d3a-94a3-b98badfb7a98?source=cve https://plugins.trac.wordpress.org/browser/qr-code-tag-for-wc-from-goaskle-com/tags/1.9.42/lib/qrct/QrctWp.php#L1661 https://plugins.trac.wordpress.org/browser/qr-code-tag-for-wc-from-goaskle-com/trunk/lib/qrct/QrctWp.php#L1661 |
| xagio--Xagio SEO AI Powered SEO | The Xagio SEO - AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-06 | 6.4 | CVE-2025-14438 | https://www.wordfence.com/threat-intel/vulnerabilities/id/72779dd2-04eb-445d-88a0-28a9c4d2369b?source=cve https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.1.0.29/inc/xagio_core.php#L236 https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.1.0.29/modules/seo/models/xagio_tinymce.php#L91 https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.1.0.29/modules/seo/models/xagio_tinymce.php#L135 https://plugins.trac.wordpress.org/changeset/3426300/xagio-seo#file374 |
| xwiki-contrib--macro-fullcalendar | XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6. | 2026-01-10 | 5.3 | CVE-2025-65090 | https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884 https://jira.xwiki.org/browse/FULLCAL-82 |
| Yahei.Net--Yahei-PHP Prober | Yahei-PHP Prober 0.4.7 contains a remote HTML injection vulnerability that allows attackers to execute arbitrary HTML code through the 'speed' GET parameter. Attackers can inject malicious HTML code in the 'speed' parameter of prober.php to trigger cross-site scripting in user browser sessions. | 2026-01-07 | 6.1 | CVE-2019-25280 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Archived Yahei-PHP Product Homepage |
| Yerootech--iDS6 DSSPro Digital Signage System | iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft malicious web pages to trick logged-in administrators into adding unauthorized users by exploiting the lack of CSRF protections. | 2026-01-06 | 4.3 | CVE-2020-36918 | ExploitDB-48990 Zero Science Lab Disclosure (ZSL-2020-5606) Archived Yeroo Tech Vendor Homepage Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry VulnCheck Advisory: iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery via User Management |
| zanderz--Recras | The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13497 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ef93491a-5965-4289-b72c-d1568ff4e6e8?source=cve https://plugins.trac.wordpress.org/browser/recras/trunk/src/OnlineBooking.php#L144 https://plugins.trac.wordpress.org/browser/recras/tags/6.4.1/src/OnlineBooking.php#L144 https://plugins.trac.wordpress.org/changeset/3432851/ |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim's browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0. | 2026-01-08 | 6.1 | CVE-2026-21871 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97 https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0. | 2026-01-08 | 6.1 | CVE-2026-21872 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9 https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0. | 2026-01-08 | 5.3 | CVE-2026-21874 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2 https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83 https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 |
| ZTE--MF258K | There is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. Due to improper directory permission settings, an attacker can execute write permissions in a specific directory. | 2026-01-09 | 4.3 | CVE-2025-66315 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/4891644183717871638 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AcademySoftwareFoundation--OpenColorIO | A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named ebdbb75123c9d5f4643e041314e2bc988a13f20d. To fix this issue, it is recommended to deploy a patch. The fix was added to the 2.5.1 milestone. | 2026-01-11 | 3.3 | CVE-2025-15506 | VDB-340444 | AcademySoftwareFoundation OpenColorIO FileRules.cpp ConvertToRegularExpression out-of-bounds VDB-340444 | CTI Indicators (IOB, IOC, IOA) Submit #733332 | AcademySoftwareFoundation OpenColorIO 1d77ecd Out-of-Bounds Read https://github.com/AcademySoftwareFoundation/OpenColorIO/issues/2228 https://github.com/AcademySoftwareFoundation/OpenColorIO/pull/2231 https://github.com/oneafter/1225/blob/main/uaf https://github.com/cozdas/OpenColorIO/commit/ebdbb75123c9d5f4643e041314e2bc988a13f20d https://github.com/AcademySoftwareFoundation/OpenColorIO/milestone/11 |
| aws--aws-sdk-net | AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. This issue has been patched in version 4.0.3.3. | 2026-01-10 | 3.7 | CVE-2026-22611 | https://github.com/aws/aws-sdk-net/security/advisories/GHSA-9cvc-h2w8-phrp |
| Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain a Heap-based Buffer Overflow vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service. | 2026-01-09 | 2.3 | CVE-2025-46643 | https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain an Exposure of Sensitive Information to an Unauthorized Actor vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 2026-01-09 | 2.7 | CVE-2025-46676 | https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection. | 2026-01-09 | 3.5 | CVE-2025-3950 | GitLab Issue #537697 HackerOne Bug Bounty Report #3106477 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| HCLSoftware--BigFix IVR | Insufficient session expiration in the Web UI authentication component in HCL BigFix IVR version 4.2 allows an authenticated attacker to gain prolonged unauthorized access to protected API endpoints due to excessive expiration periods. | 2026-01-07 | 2 | CVE-2025-31962 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127753 |
| HCLSoftware--BigFix IVR | Improper authentication and missing CSRF protection in the local setup interface component in HCL BigFix IVR version 4.2 allows a local attacker to perform unauthorized configuration changes via unauthenticated administrative configuration requests. | 2026-01-07 | 2.9 | CVE-2025-31963 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127753 |
| HCLSoftware--BigFix IVR | Improper service binding configuration in internal service components in HCL BigFix IVR version 4.2 allows a privileged attacker to impact service availability via exposure of administrative services bound to external network interfaces instead of the local authentication interface. | 2026-01-07 | 2.2 | CVE-2025-31964 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127753 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1. | 2026-01-06 | 3.3 | CVE-2026-21674 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xww6-v3vg-4qc7 https://github.com/InternationalColorConsortium/iccDEV/issues/241 https://github.com/InternationalColorConsortium/iccDEV/commit/d7028d8f558bb681efe2b85f02eb4ca374502cbb |
| lief-project--LIEF | A security flaw has been discovered in lief-project LIEF up to 0.17.1. Affected by this issue is the function Parser::parse_binary of the file src/ELF/Parser.tcc of the component ELF Binary Parser. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.17.2 can resolve this issue. The patch is identified as 81bd5d7ea0c390563f1c4c017c9019d154802978. It is recommended to upgrade the affected component. | 2026-01-10 | 3.3 | CVE-2025-15504 | VDB-340375 | lief-project LIEF ELF Binary Parser.tcc parse_binary null pointer dereference VDB-340375 | CTI Indicators (IOB, IOC, IOA) Submit #733329 | lief-project LIEF 9698ea6 Memory Corruption https://github.com/lief-project/LIEF/issues/1277 https://github.com/lief-project/LIEF/issues/1277#issuecomment-3693859001 https://github.com/oneafter/1210/blob/main/segv1 https://github.com/lief-project/LIEF/commit/81bd5d7ea0c390563f1c4c017c9019d154802978 https://github.com/lief-project/LIEF/releases/tag/0.17.2 |
| Luxul--XWR-600 | A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond with a technical statement. | 2026-01-11 | 2.4 | CVE-2025-15505 | VDB-340435 | Luxul XWR-600 Web Administration cross site scripting VDB-340435 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #727924 | Luxul XWR-600 Router Firmware Ver: 4.0.1 Cross Site Scripting https://docs.google.com/document/d/1S2f5lT0b-KE9m6xq8BY6eSixv6SgsGL1e8QQzeOkq5c/ |
| opf--openproject | OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users' full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually. | 2026-01-10 | 3.5 | CVE-2026-22602 | https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j https://github.com/opf/openproject/pull/21281 https://github.com/opf/openproject/commit/fb39a779f521d9b08f1e0c9e8aff2b6d4643ea37 https://github.com/opf/openproject/releases/tag/v16.6.2 |
| Palantir--com.palantir.acme:gotham-default-apps-bundle | ### Details On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allow file uploads to be shared among different artifacts (e.g. other dossiers and presentations). On deployments configured with CBAC, the front-end would present a security picker dialog to set the security level on the uploads, thereby mitigating the issue. On deployments without a CBAC configuration, no security picker dialog appears, leading to a security level of CUSTOM with no markings or datasets selected. The resulting markings and groups for the file uploads thus will be only those added by the "Default authorization rules" defined in the Auth Chooser configuration. On most environments, it is expected that the "Default authorization rules" only add the Everyone group. | 2026-01-09 | 3.5 | CVE-2025-62487 | https://palantir.safebase.us/?tcuUid=c91a1b4f-72e7-4959-9e2d-3a341e5c7a1f |
| PHPGurukul--Staff Leave Management System | A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File Handler. Executing a manipulation of the argument profile_pic can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. | 2026-01-08 | 2.4 | CVE-2026-0730 | VDB-340127 | PHPGurukul Staff Leave Management System SVG File adminviews.py UPDATE_STAFF cross site scripting VDB-340127 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #733160 | PHPGurukul Staff Leave Management System v1.0 Cross Site Scripting https://github.com/rsecroot/Staff-Leave-Management-System/blob/main/Cross%20Site%20Scripting.md https://phpgurukul.com/ |
| Progress--MOVEit Transfer | Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10. | 2026-01-06 | 3.7 | CVE-2025-11235 | https://docs.progress.com/bundle/moveit-transfer-release-notes-2023_1/page/Fixed-Issues-in-2023.1.3.html |
| projectworlds--House Rental and Property Listing | A vulnerability was detected in projectworlds House Rental and Property Listing 1.0. This issue affects some unknown processing of the file /app/complaint.php. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. | 2026-01-06 | 2.4 | CVE-2026-0642 | VDB-339685 | projectworlds House Rental and Property Listing complaint.php cross site scripting VDB-339685 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #732369 | projectworlds.com House rental And Property Listing 1.0 Cross Site Scripting https://github.com/Pick-program/CVE/issues/4 |
| questdb--ui | A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.1.10 is recommended to address this issue. The patch is identified as b42fd9f18476d844ae181a10a249e003dafb823d. You should upgrade the affected component. The vendor confirmed early that the fix "is going to be released as a part of QuestDB 9.3.0" as well. | 2026-01-10 | 3.5 | CVE-2026-0824 | VDB-340357 | questdb ui Web Console cross site scripting VDB-340357 | CTI Indicators (IOB, IOC, TTP) Submit #733253 | questdb V9.2.3(latest) xss https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20QuestDB%20database.md https://github.com/questdb/questdb/releases/tag/9.3.0 https://github.com/questdb/ui/pull/519#issue-3790862030 https://github.com/questdb/ui/commit/b42fd9f18476d844ae181a10a249e003dafb823d https://github.com/questdb/ui/pull/518 |
| rankology--Rankology SEO and Analytics Tool | The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to add header and footer code blocks. | 2026-01-07 | 2.7 | CVE-2025-12958 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c97a341c-23f5-49a9-ad05-1fb387047e3b?source=cve https://wordpress.org/plugins/rankology-seo-and-analytics-tool/ |
| SourceCodester--API Key Manager App | A vulnerability was found in SourceCodester API Key Manager App 1.0. Affected by this vulnerability is an unknown functionality of the component Import Key Handler. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. | 2026-01-05 | 3.5 | CVE-2026-0580 | VDB-339472 | SourceCodester API Key Manager App Import Key cross site scripting VDB-339472 | CTI Indicators (IOB, IOC, TTP) Submit #731146 | SourceCodester API Key Manager App Using HTML, CSS and JavaScript with Source Code 0 Cross Site Scripting Submit #731290 | SourceCodester API Key Manager App Using HTML, CSS and JavaScript with Source Code 0 Basic Cross Site Scripting (Duplicate) https://www.sourcecodester.com/ |
| Xinhu--Rainrock RockOA | A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. The manipulation of the argument fengmian results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 3.5 | CVE-2026-0587 | VDB-339493 | Xinhu Rainrock RockOA Cover Image rock_page_gong.php cross site scripting VDB-339493 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725384 | Xinhu Xinhu OA V2.7.1 (earlier versions may also be affected) Stored Cross-Site Scripting (XSS) |
| Xinhu--Rainrock RockOA | A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 3.5 | CVE-2026-0588 | VDB-339494 | Xinhu Rainrock RockOA API rockfun.php cross site scripting VDB-339494 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725397 | Xinhu Xinhu OA V2.7.1 JSONP Injection |
| xnx3--wangmarket | A security flaw has been discovered in xnx3 wangmarket up to 4.9. Affected by this issue is some unknown functionality of the file /admin/system/variableSave.do of the component System Variables Page. Performing a manipulation of the argument Description results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 2.4 | CVE-2025-15451 | VDB-339484 | xnx3 wangmarket System Variables variableSave.do cross site scripting VDB-339484 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #724838 | https://github.com/xnx3/wangmarket wangmarket 4.9 Improper Neutralization of Alternate XSS Syntax https://www.yuque.com/cocount-eveo/lu0220/eg6s9gropfwtoz9w?singleDoc |
| xnx3--wangmarket | A weakness has been identified in xnx3 wangmarket up to 4.9. This affects the function variableList of the file /admin/system/variableList.do of the component Backend Variable Search. Executing a manipulation of the argument Description can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 2.4 | CVE-2025-15452 | VDB-339485 | xnx3 wangmarket Backend Variable Search variableList.do variableList cross site scripting VDB-339485 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #724840 | https://github.com/xnx3/wangmarket wangmarket 4.9 Improper Neutralization of Alternate XSS Syntax https://www.yuque.com/cocount-eveo/lu0220/flbu025pfmwgudmg?singleDoc |
| zhanglun--lettura | A vulnerability was detected in zhanglun lettura up to 0.1.22. This issue affects some unknown processing of the file src/components/ArticleView/ContentRender.tsx of the component RSS Handler. The manipulation results in cross site scripting. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit is now public and may be used. The patch is identified as 67213093db9923e828a6e3fd8696a998c85da2d4. It is best practice to apply a patch to resolve this issue. | 2026-01-05 | 3.1 | CVE-2025-15454 | VDB-339487 | zhanglun lettura RSS ContentRender.tsx cross site scripting VDB-339487 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725038 | lettura v0.1.22 XSS https://gist.github.com/youremailaddress/cba7c19a4eafcb326d0e912adf132be3 https://gist.github.com/youremailaddress/cba7c19a4eafcb326d0e912adf132be3#proof-of-concept https://github.com/zhanglun/lettura/commit/67213093db9923e828a6e3fd8696a998c85da2d4 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| _nK--nK Themes Helper | Server-Side Request Forgery (SSRF) vulnerability in _nK nK Themes Helper nk-themes-helper allows Server Side Request Forgery.This issue affects nK Themes Helper: from n/a through <= 1.7.9. | 2026-01-08 | not yet calculated | CVE-2025-22726 | https://vdp.patchstack.com/database/Wordpress/Plugin/nk-themes-helper/vulnerability/wordpress-nk-themes-helper-plugin-1-7-9-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| ACCESSALLY, INC.--AccessAlly | AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution. | 2026-01-09 | not yet calculated | CVE-2020-36875 | https://accessally.com/software-release/accessally-3-3-2/ https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/ https://www.vulncheck.com/advisories/accessally-unauthenticated-arbitrary-php-code-execution |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69224 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2 https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69225 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8 https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69226 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76 https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69227 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23 https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69228 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69229 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229 https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. This issue is fixed in 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69230 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326 |
| AirVPN--Eddie | AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects Eddie: 2.24.6. | 2026-01-06 | not yet calculated | CVE-2025-14979 | https://fluidattacks.com/advisories/blink182 https://eddie.website/ https://github.com/AirVPN/Eddie |
| AITpro--BulletProof Security | Insertion of Sensitive Information Into Sent Data vulnerability in AITpro BulletProof Security bulletproof-security allows Retrieve Embedded Sensitive Data.This issue affects BulletProof Security: from n/a through <= 6.9. | 2026-01-08 | not yet calculated | CVE-2025-67931 | https://vdp.patchstack.com/database/Wordpress/Plugin/bulletproof-security/vulnerability/wordpress-bulletproof-security-plugin-6-9-sensitive-data-exposure-vulnerability?_s_id=cve |
| AmentoTech--Workreap (theme's plugin) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows SQL Injection.This issue affects Workreap (theme's plugin): from n/a through <= 3.3.6. | 2026-01-08 | not yet calculated | CVE-2025-22728 | https://vdp.patchstack.com/database/Wordpress/Plugin/workreap/vulnerability/wordpress-workreap-theme-s-plugin-plugin-3-3-6-sql-injection-vulnerability?_s_id=cve |
| angular--angular | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular's internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0. | 2026-01-10 | not yet calculated | CVE-2026-22610 | https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6 https://github.com/angular/angular/pull/66318 https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56 |
| anibalwainstein--Effect Maker | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anibalwainstein Effect Maker effect-maker allows DOM-Based XSS.This issue affects Effect Maker: from n/a through <= 1.2.1. | 2026-01-08 | not yet calculated | CVE-2025-68867 | https://vdp.patchstack.com/database/Wordpress/Plugin/effect-maker/vulnerability/wordpress-effect-maker-plugin-1-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Anthropic--MCP TypeScript SDK | Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service. | 2026-01-05 | not yet calculated | CVE-2026-0621 | https://github.com/modelcontextprotocol/typescript-sdk/issues/965 https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos |
| Apache Software Foundation--Apache Kyuubi | Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue. | 2026-01-05 | not yet calculated | CVE-2025-66518 | https://lists.apache.org/thread/xp460bwbyzdhho34ljd4nchyt2fmhodl |
| Apache Software Foundation--Apache Mynewt NimBLE | J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange. This issue affects Apache NimBLE: through <= 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. | 2026-01-10 | not yet calculated | CVE-2025-52435 | https://github.com/apache/mynewt-nimble/commit/164f1c23c18a290908df76ed83fe848bfe4a4903 https://github.com/apache/mynewt-nimble/commit/ec3d75e909fa6dcadf1836fefc4432794a673d18 https://lists.apache.org/thread/ow8dzpsqfh9llfclh5fzh6z237brzc0s |
| Apache Software Foundation--Apache Mynewt NimBLE | Out-of-bounds Read vulnerability in Apache NimBLE HCI H4 driver. Specially crafted HCI event could lead to invalid memory read in H4 driver. This issue affects Apache NimBLE: through 1.8. This issue requires a broken or bogus Bluetooth controller and thus severity is considered low. Users are recommended to upgrade to version 1.9, which fixes the issue. | 2026-01-10 | not yet calculated | CVE-2025-53470 | https://github.com/apache/mynewt-nimble/commit/b973df0c6cf7b30efbf8eb2cafdc1ee843464b76 https://lists.apache.org/thread/32sm0944dyod4sdql77stgyw9xb2msc0 |
| Apache Software Foundation--Apache Mynewt NimBLE | NULL Pointer Dereference vulnerability in Apache Nimble. Missing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference. This issue requires disabled asserts and broken or bogus Bluetooth controller and thus severity is considered low. This issue affects Apache NimBLE: through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. | 2026-01-10 | not yet calculated | CVE-2025-53477 | https://github.com/apache/mynewt-nimble/commit/0caf9baeb271ede85fcc5237ab87ddbf938600da https://github.com/apache/mynewt-nimble/commit/3160b8c4c7ff8db4e0f9badcdf7df684b151e077 https://lists.apache.org/thread/1dxthc132hwm2tzvjblrtnschcsbw2vo |
| Apache Software Foundation--Apache Mynewt NimBLE | Authentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor. This issue affects Apache NimBLE: through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. | 2026-01-10 | not yet calculated | CVE-2025-62235 | https://github.com/apache/mynewt-nimble/commit/41f67e391e788c5feef9030026cc5cbc5431838a https://lists.apache.org/thread/rw2mrpfwb9d9wmq4h4b6ctcd6gpkk2ho |
| Apache Software Foundation--Apache SIS | Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML format. * Parsing of Coordinate Reference Systems defined in the GML format. * Parsing of files in GPS Exchange Format (GPX). This issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property sets to a comma-separated list of authorized protocols. For example: java -Djavax.xml.accessExternalDTD="" ... | 2026-01-05 | not yet calculated | CVE-2025-68280 | https://lists.apache.org/thread/s4ggy3zbtrrn93glgo2vn52lgcxk4bp4 |
| Apache Software Foundation--Apache Struts | Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. | 2026-01-11 | not yet calculated | CVE-2025-68493 | https://cwiki.apache.org/confluence/display/WW/S2-069 |
| Apache Software Foundation--Apache Uniffle | The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions from before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue. | 2026-01-07 | not yet calculated | CVE-2025-68637 | https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2v |
| Apple--iOS and iPadOS | A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment. | 2026-01-09 | not yet calculated | CVE-2025-46286 | https://support.apple.com/en-us/125884 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2. An app may be able to access protected files within an App Sandbox container. | 2026-01-09 | not yet calculated | CVE-2025-46297 | https://support.apple.com/en-us/125886 |
| Apple--tvOS | The issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may lead to an unexpected process crash. | 2026-01-09 | not yet calculated | CVE-2025-46298 | https://support.apple.com/en-us/125889 https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 https://support.apple.com/en-us/125890 |
| Apple--tvOS | A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may disclose internal states of the app. | 2026-01-09 | not yet calculated | CVE-2025-46299 | https://support.apple.com/en-us/125889 https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 https://support.apple.com/en-us/125890 |
| armurox--loggingredactor | Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No known workarounds are available. | 2026-01-08 | not yet calculated | CVE-2026-22041 | https://github.com/armurox/loggingredactor/security/advisories/GHSA-rvjx-cfjh-5mc9 https://github.com/armurox/loggingredactor/issues/7 https://github.com/armurox/loggingredactor/releases/tag/0.0.6 |
| Arraytics--Timetics | Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse.This issue affects Timetics: from n/a through <= 1.0.46. | 2026-01-08 | not yet calculated | CVE-2025-67915 | https://vdp.patchstack.com/database/Wordpress/Plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-46-broken-authentication-vulnerability?_s_id=cve |
| Aruba.it Dev--Aruba HiSpeed Cache | Missing Authorization vulnerability in Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Aruba HiSpeed Cache: from n/a through < 3.0.3. | 2026-01-08 | not yet calculated | CVE-2025-67913 | https://vdp.patchstack.com/database/Wordpress/Plugin/aruba-hispeed-cache/vulnerability/wordpress-aruba-hispeed-cache-plugin-3-0-3-broken-access-control-vulnerability?_s_id=cve |
| Asseco--AMDX | Asseco ADMX system is used for processing medical records. It allows logged in users to access medical files belonging to other users through manipulation of GET arguments containing document IDs. This issue has been fixed in 6.09.01.62 version of ADMX. | 2026-01-08 | not yet calculated | CVE-2025-4596 | https://cert.pl/en/posts/2026/01/CVE-2025-4596 |
| Asseco--InfoMedica Plus | Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access control. Chained exploitation of this vulnerability and CVE-2025-8307 allows an attacker to escalate privileges. This vulnerability has been fixed in versions 4.50.1 and 5.38.0 | 2026-01-08 | not yet calculated | CVE-2025-8306 | https://cert.pl/en/posts/2026/01/CVE-2025-8306/ |
| Asseco--InfoMedica Plus | Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. Passwords of all users are stored in a database in an encoded format. An attacker in possession of these encoded passwords is able to decode them by using an algorithm embedded in the client-side part of the software. This vulnerability has been fixed in versions 4.50.1 and 5.38.0 | 2026-01-08 | not yet calculated | CVE-2025-8307 | https://cert.pl/en/posts/2026/01/CVE-2025-8306/ |
| Astoundify--Jobify | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Jobify jobify allows Reflected XSS.This issue affects Jobify: from n/a through <= 4.3.0. | 2026-01-08 | not yet calculated | CVE-2025-67916 | https://vdp.patchstack.com/database/Wordpress/Theme/jobify/vulnerability/wordpress-jobify-theme-4-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ASUS--ASCI | An uncontrolled DLL loading path vulnerability exists in AsusSoftwareManagerAgent. A local attacker may influence the application to load a DLL from an attacker-controlled location, potentially resulting in arbitrary code execution. Refer to the ' Security Update for MyASUS' section on the ASUS Security Advisory for more information. | 2026-01-06 | not yet calculated | CVE-2025-12793 | https://www.asus.com/security-advisory |
| AuntyFey--AuntyFey Smart Combination Lock | AuntyFey Smart Combination Lock firmware versions as of 2025-12-24 contain a vulnerability that allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service by repeatedly initiating BLE connections. Sustained connection attempts interrupt keypad authentication input and repeatedly force the device into lockout states, preventing legitimate users from unlocking the device. | 2026-01-07 | not yet calculated | CVE-2025-15474 | https://github.com/nsm-barii/ble-smartlock-dos https://www.amazon.com/dp/B0F9L1M4XG https://www.vulncheck.com/advisories/auntyfey-smart-combination-lock-ble-connection-flood-dos |
| badkeys--badkeys | badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes. This issue is fixed in version 0.0.16. | 2026-01-05 | not yet calculated | CVE-2026-21439 | https://github.com/badkeys/badkeys/security/advisories/GHSA-wjpc-4f29-83h3 https://github.com/badkeys/badkeys/issues/40 https://github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a https://github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087 |
| BBR Plugins--Better Business Reviews | Missing Authorization vulnerability in BBR Plugins Better Business Reviews better-business-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Business Reviews: from n/a through <= 0.1.1. | 2026-01-06 | not yet calculated | CVE-2025-69354 | https://vdp.patchstack.com/database/Wordpress/Plugin/better-business-reviews/vulnerability/wordpress-better-business-reviews-plugin-0-1-1-broken-access-control-vulnerability?_s_id=cve |
| bdthemes--Ultimate Store Kit Elementor Addons | Missing Authorization vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Store Kit Elementor Addons: from n/a through <= 2.9.4. | 2026-01-06 | not yet calculated | CVE-2025-69336 | https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-store-kit/vulnerability/wordpress-ultimate-store-kit-elementor-addons-plugin-2-9-4-broken-access-control-vulnerability?_s_id=cve |
| BeeS Software Solutions--BET ePortal | BeeS Software Solutions BET Portal contains an SQL injection vulnerability in the login functionality of affected sites. The vulnerability enables arbitrary SQL commands to be executed on the backend database. | 2026-01-09 | not yet calculated | CVE-2025-14598 | https://cloudilyaerp.com/ https://afnaan.me/cve/cve-2025-14598 https://github.com/Afnaan-Ahmed/CVE-2025-14598 |
| beeteam368--VidMov | Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov allows Path Traversal.This issue affects VidMov: from n/a through <= 2.3.8. | 2026-01-08 | not yet calculated | CVE-2025-67914 | https://vdp.patchstack.com/database/Wordpress/Theme/vidmov/vulnerability/wordpress-vidmov-theme-2-3-8-path-traversal-vulnerability?_s_id=cve |
| bokeh--bokeh | Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2. | 2026-01-08 | not yet calculated | CVE-2026-21883 | https://github.com/bokeh/bokeh/security/advisories/GHSA-793v-589g-574v https://github.com/bokeh/bokeh/commit/cedd113b0e271b439dce768671685cf5f861812e |
| BoldGrid--Post and Page Builder by BoldGrid | Missing Authorization vulnerability in BoldGrid Post and Page Builder by BoldGrid post-and-page-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post and Page Builder by BoldGrid: from n/a through <= 1.27.9. | 2026-01-06 | not yet calculated | CVE-2025-69345 | https://vdp.patchstack.com/database/Wordpress/Plugin/post-and-page-builder/vulnerability/wordpress-post-and-page-builder-by-boldgrid-plugin-1-27-9-broken-access-control-vulnerability?_s_id=cve |
| brandexponents--Oshine | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine oshin allows PHP Local File Inclusion.This issue affects Oshine: from n/a through <= 7.2.7. | 2026-01-08 | not yet calculated | CVE-2025-14359 | https://vdp.patchstack.com/database/Wordpress/Theme/oshin/vulnerability/wordpress-oshine-theme-7-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| BuddhaThemes--WeDesignTech Ultimate Booking Addon | Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3. | 2026-01-06 | not yet calculated | CVE-2025-69341 | https://vdp.patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| Campaign Monitor--Campaign Monitor for WordPress | Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.0. | 2026-01-08 | not yet calculated | CVE-2026-0674 | https://vdp.patchstack.com/database/Wordpress/Plugin/forms-for-campaign-monitor/vulnerability/wordpress-campaign-monitor-for-wordpress-plugin-2-9-0-broken-access-control-vulnerability?_s_id=cve |
| chlodigital--PRIMER by chlodigital | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in chloédigital PRIMER by chloédigital primer-by-chloedigital allows Reflected XSS.This issue affects PRIMER by chloédigital: from n/a through <= 1.0.25. | 2026-01-08 | not yet calculated | CVE-2025-68873 | https://vdp.patchstack.com/database/Wordpress/Plugin/primer-by-chloedigital/vulnerability/wordpress-primer-by-chloedigital-plugin-1-0-25-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Cloudways--Breeze | Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through <= 2.2.21. | 2026-01-06 | not yet calculated | CVE-2025-69364 | https://vdp.patchstack.com/database/Wordpress/Plugin/breeze/vulnerability/wordpress-breeze-plugin-2-2-21-broken-access-control-vulnerability?_s_id=cve |
| CMSJunkie - WordPress Business Directory Plugins--WP-BusinessDirectory | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Reflected XSS.This issue affects WP-BusinessDirectory: from n/a through <= 3.1.5. | 2026-01-08 | not yet calculated | CVE-2025-68887 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-businessdirectory/vulnerability/wordpress-wp-businessdirectory-plugin-3-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CodexThemes--TheGem Theme Elements (for Elementor) | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. | 2026-01-06 | not yet calculated | CVE-2025-69356 | https://vdp.patchstack.com/database/Wordpress/Plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-11-0-local-file-inclusion-vulnerability?_s_id=cve |
| CodexThemes--TheGem Theme Elements (for Elementor) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows Stored XSS.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. | 2026-01-06 | not yet calculated | CVE-2025-69357 | https://vdp.patchstack.com/database/Wordpress/Plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-11-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CodexThemes--TheGem Theme Elements (for WPBakery) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements allows DOM-Based XSS.This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.11.0. | 2026-01-06 | not yet calculated | CVE-2025-69360 | https://vdp.patchstack.com/database/Wordpress/Plugin/thegem-elements/vulnerability/wordpress-thegem-theme-elements-for-wpbakery-plugin-5-11-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Commvault--WebConsole | The Report Builder component of the application stores user input directly in a web page and displays it to other users, which raised concerns about a possible Cross-Site Scripting (XSS) attack. Proper management of this functionality helps ensure a secure and seamless user experience. Although the user input is not validated in the report creation, these scripts are not executed when the report is run by end users. The script is executed when the report is modified through the report builder by a user with edit permissions. The Report Builder is part of the WebConsole. The WebConsole package is currently end of life, and is no longer maintained. We strongly recommend against installing or using it in any production environment. However, if you choose to install it, for example, to access functionality like the Report Builder, it must be deployed within a fully isolated network that has no access to sensitive data or internet connectivity. This is a critical security precaution, as the retired package may contain unpatched vulnerabilities and is no longer supported with updates or fixes. | 2026-01-07 | not yet calculated | CVE-2025-12776 | https://documentation.commvault.com/securityadvisories/CV_2025_06_3.html |
| contentstudio--Contentstudio | Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server.This issue affects Contentstudio: from n/a through <= 1.3.7. | 2026-01-08 | not yet calculated | CVE-2025-67910 | https://vdp.patchstack.com/database/Wordpress/Plugin/contentstudio/vulnerability/wordpress-contentstudio-plugin-1-3-7-arbitrary-file-upload-vulnerability?_s_id=cve |
| CoolHappy--The Events Calendar Countdown Addon | Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15. | 2026-01-06 | not yet calculated | CVE-2025-69348 | https://vdp.patchstack.com/database/Wordpress/Plugin/countdown-for-the-events-calendar/vulnerability/wordpress-the-events-calendar-countdown-addon-plugin-1-4-15-broken-access-control-vulnerability?_s_id=cve |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE)*vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue. | 2026-01-05 | not yet calculated | CVE-2025-59156 | https://github.com/coollabsio/coolify/security/advisories/GHSA-h5xw-7xvp-xrxr |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g., member role) can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator later attempts to delete the project or its associated resource, the payload automatically executes in the admin's browser context. Version 4.0.0-beta.420.7 contains a patch for the issue. | 2026-01-05 | not yet calculated | CVE-2025-59158 | https://github.com/coollabsio/coolify/security/advisories/GHSA-h52r-jxv9-9vhf |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints allows authenticated team members to access a highly sensitive `email_change_code` from other users on the same team. This code is intended for a single-use email change verification and should be kept secret. Its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of time of publication, no known patched versions exist. | 2026-01-05 | not yet calculated | CVE-2025-59955 | https://github.com/coollabsio/coolify/security/advisories/GHSA-927g-56xp-6427 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the application will throw an error, but if the attacker clicks the invite button a second time, it actually works. This way, a low privileged user can invite themselves as an administrator to the Coolify instance. After the high privileged user is invited, the attacker can initiate a password reset and log in with the new admin. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | not yet calculated | CVE-2025-64421 | https://github.com/coollabsio/coolify/security/advisories/GHSA-4p6r-m39m-9cm9 https://drive.google.com/file/d/1YZHFgiZv_k9p9909A63DAErsTsh8K1rc/view?usp=drive_link |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited credential stuffing and brute-force attempts against user and admin accounts. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | not yet calculated | CVE-2025-64422 | https://github.com/coollabsio/coolify/security/advisories/GHSA-688j-rm43-5r8x |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | not yet calculated | CVE-2025-64423 | https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user (member) to execute system commands as root on the Coolify instance. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | not yet calculated | CVE-2025-64424 | https://github.com/coollabsio/coolify/security/advisories/GHSA-qx24-jhwj-8w6x https://drive.google.com/file/d/1rk7AYxNDkJUwo8uWbzX62PpBxpDYeyrZ/view?usp=drive_link |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and takeover their account. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | not yet calculated | CVE-2025-64425 | https://github.com/coollabsio/coolify/security/advisories/GHSA-f737-2p93-g2cw https://drive.google.com/file/d/1I5sJHcpetJbKlwVS2usAD7qmgH37Y4rw/view?usp=drive_link |
| coredns--coredns | CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints. Version 1.14.0 contains a patch. | 2026-01-08 | not yet calculated | CVE-2025-68151 | https://github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2 https://github.com/coredns/coredns/pull/7490 https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812 |
| craftcms--cms | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. | 2026-01-05 | not yet calculated | CVE-2025-68436 | https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9 https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9 |
| craftcms--cms | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue. | 2026-01-05 | not yet calculated | CVE-2025-68437 | https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 |
| craftcms--cms | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. | 2026-01-05 | not yet calculated | CVE-2025-68454 | https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383 https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 |
| craftcms--cms | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. | 2026-01-05 | not yet calculated | CVE-2025-68455 | https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5 https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7 https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 |
| craftcms--cms | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. | 2026-01-05 | not yet calculated | CVE-2025-68456 | https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 |
| curl--curl | When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. | 2026-01-08 | not yet calculated | CVE-2025-13034 | json www |
| curl--curl | When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well. | 2026-01-08 | not yet calculated | CVE-2025-14017 | json www |
| curl--curl | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. | 2026-01-08 | not yet calculated | CVE-2025-14524 | json www issue |
| curl--curl | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. | 2026-01-08 | not yet calculated | CVE-2025-14819 | json www |
| curl--curl | When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. | 2026-01-08 | not yet calculated | CVE-2025-15079 | json www issue |
| curl--curl | When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. | 2026-01-08 | not yet calculated | CVE-2025-15224 | json www issue |
| CyberChimps--Responsive Addons for Elementor | Missing Authorization vulnerability in CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Addons for Elementor: from n/a through <= 2.0.8. | 2026-01-06 | not yet calculated | CVE-2025-69363 | https://vdp.patchstack.com/database/Wordpress/Plugin/responsive-addons-for-elementor/vulnerability/wordpress-responsive-addons-for-elementor-plugin-2-0-8-broken-access-control-vulnerability?_s_id=cve |
| D-Link--DSL-2640B | Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device's DNS settings without valid credentials, enabling DNS hijacking ("DNSChanger") attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). | 2026-01-05 | not yet calculated | CVE-2026-0625 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068 https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10118 https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint |
| Data Illusion Zumbrunn--NGSurvey | Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms ( on Windows and Linux servers ) allows authenticated remote users with survey creation or edit privileges to execute arbitrary JavaScript in other users' browsers, steal session information and perform unauthorized actions on their behalf via crafted survey content that is rendered without proper output encoding. | 2026-01-07 | not yet calculated | CVE-2025-15479 | https://docs.ngsurvey.com/installation-setup/change-log#id-3.6.17-2025-05-28 https://cds.thalesgroup.com/en/tcs-cert/CVE-2025-15479 |
| Devolutions--PowerShell Universal | Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13. | 2026-01-07 | not yet calculated | CVE-2026-0618 | https://devolutions.net/security/advisories/DEVO-2026-0001/ |
| Devolutions--Remote Desktop Manager | Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing. | 2026-01-08 | not yet calculated | CVE-2026-0747 | https://devolutions.net/security/advisories/DEVO-2026-0002/ |
| e-plugins--ListingHub | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins ListingHub listinghub allows Reflected XSS.This issue affects ListingHub: from n/a through 1.2.6. | 2026-01-08 | not yet calculated | CVE-2025-12551 | https://vdp.patchstack.com/database/Wordpress/Plugin/listinghub/vulnerability/wordpress-listinghub-plugin-1-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| e-plugins--Real Estate Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Real Estate Pro real-estate-pro allows Reflected XSS.This issue affects Real Estate Pro: from n/a through <= 2.1.4. | 2026-01-08 | not yet calculated | CVE-2025-13504 | https://vdp.patchstack.com/database/Wordpress/Plugin/real-estate-pro/vulnerability/wordpress-real-estate-pro-plugin-2-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| EFACEC--QC 60/90/120 | An attacker with the ability to interact through the network and with access credentials, could, thanks to the unsecured (unencrypted) MQTT communications protocol, write on the server topics of the board that controls the MQTT communications | 2026-01-07 | not yet calculated | CVE-2026-22535 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | The absence of permissions control for the user XXX allows the current configuration in the sudoers file to escalate privileges without any restrictions | 2026-01-07 | not yet calculated | CVE-2026-22536 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker. | 2026-01-07 | not yet calculated | CVE-2026-22537 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6. | 2026-01-07 | not yet calculated | CVE-2026-22539 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | The massive sending of ICMP requests causes a denial of service on one of the boards from the EVCharger that allows control the EV interfaces. Since the board must be operating correctly for the charger to also function correctly. | 2026-01-07 | not yet calculated | CVE-2026-22541 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | An attacker with access to the system's internal network can cause a denial of service on the system by making two concurrent connections through the Telnet service. | 2026-01-07 | not yet calculated | CVE-2026-22542 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials | 2026-01-07 | not yet calculated | CVE-2026-22543 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | An attacker with a network connection could detect credentials in clear text. | 2026-01-07 | not yet calculated | CVE-2026-22544 | https://cds.thalesgroup.com/en |
| EFACEC--QC60/90/120 | The massive sending of ARP requests causes a denial of service on one board of the charger that allows control of the EV interfaces. Since the board must be operating correctly for the charger to also function correctly. | 2026-01-07 | not yet calculated | CVE-2026-22540 | https://cds.thalesgroup.com/en |
| Elated-Themes--Neo Ocular | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Neo Ocular neoocular allows PHP Local File Inclusion.This issue affects Neo Ocular: from n/a through < 1.2. | 2026-01-08 | not yet calculated | CVE-2025-67920 | https://vdp.patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve |
| Fahad Mahmood--RSS Feed Widget | Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RSS Feed Widget: from n/a through <= 3.0.2. | 2026-01-06 | not yet calculated | CVE-2025-69349 | https://vdp.patchstack.com/database/Wordpress/Plugin/rss-feed-widget/vulnerability/wordpress-rss-feed-widget-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve |
| Forcepoint--Forcepoint One Endpoint (F1E) | Forcepoint One DLP Client, version 23.04.5642 (and possibly newer versions), includes a restricted version of Python 2.5.4 that prevents use of the ctypes library. ctypes is a foreign function interface (FFI) for Python, enabling calls to DLLs/shared libraries, memory allocation, and direct code execution. It was demonstrated that these restrictions could be bypassed. | 2026-01-06 | not yet calculated | CVE-2025-14026 | https://support.forcepoint.com/s/article/000042256 https://kb.cert.org/vuls/id/420440 |
| Fujitsu Client Computing Limited--Fujitsu Security Solution AuthConductor Client Basic V2 | Origin validation error issue exists in Fujitsu Security Solution AuthConductor Client Basic V2 2.0.25.0 and earlier. If this vulnerability is exploited, an attacker who can log in to the Windows system where the affected product is installed may execute arbitrary code with SYSTEM privilege and/or modify the registry value. | 2026-01-07 | not yet calculated | CVE-2026-20893 | https://www.fmworld.net/biz/common/info/202601acc/ https://jvn.jp/en/jp/JVN24626628/ |
| G5Theme--Zorka | Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zorka: from n/a through <= 1.5.7. | 2026-01-08 | not yet calculated | CVE-2026-0676 | https://vdp.patchstack.com/database/Wordpress/Theme/zorka/vulnerability/wordpress-zorka-theme-1-5-7-broken-access-control-vulnerability?_s_id=cve |
| GestSup--GestSup | GestSup versions up to and including 3.2.56 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This can be exploited to create privileged accounts by targeting the administrative user creation endpoint. | 2026-01-09 | not yet calculated | CVE-2026-22194 | https://gestsup.fr/index.php?page=changelog https://www.vulncheck.com/advisories/gestsup-csrf-allows-privileged-actions |
| GestSup--GestSup | GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in the search bar functionality. User-controlled search input is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. | 2026-01-09 | not yet calculated | CVE-2026-22195 | https://gestsup.fr/index.php?page=changelog https://www.vulncheck.com/advisories/gestsup-sqli-in-search-bar |
| GestSup--GestSup | GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. | 2026-01-09 | not yet calculated | CVE-2026-22196 | https://gestsup.fr/index.php?page=changelog https://www.vulncheck.com/advisories/gestsup-sqli-in-ticket-creation |
| GestSup--GestSup | GestSup versions up to and including 3.2.56 contain multiple SQL injection vulnerabilities in the asset list functionality. Multiple request parameters used to filter, search, or sort assets are incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. | 2026-01-09 | not yet calculated | CVE-2026-22197 | https://gestsup.fr/index.php?page=changelog https://www.vulncheck.com/advisories/gestsup-multiple-sqli-in-asset-list |
| GestSup--GestSup | GestSup versions up to and including 3.2.56 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator's browser session. | 2026-01-09 | not yet calculated | CVE-2026-22198 | https://gestsup.fr/index.php?page=changelog https://www.vulncheck.com/advisories/gestsup-stored-xss-in-api-error-logs |
| getkirby--kirby | Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. This vulnerability does not affect those who have not altered the deviated from default user permissions. This issue has been patched in version 5.2.2. | 2026-01-08 | not yet calculated | CVE-2026-21896 | https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f https://github.com/getkirby/kirby/commit/f5ce1347b427b819bf193acf11fd0da232f7af47 https://github.com/getkirby/kirby/releases/tag/5.2.2 |
| GitHub--Enterprise Server | An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program. | 2026-01-06 | not yet calculated | CVE-2025-13744 | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20 https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15 https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2 https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1 |
| GnuTLS--libtasn1 | Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string. | 2026-01-07 | not yet calculated | CVE-2025-13151 | Source Code Respoitory Proposed Pull Request |
| Google--Chrome | Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High) | 2026-01-06 | not yet calculated | CVE-2026-0628 | |
| gopiplus@hotmail.com--Scroll rss excerpt | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus@hotmail.com Scroll rss excerpt scroll-rss-excerpt allows Reflected XSS.This issue affects Scroll rss excerpt: from n/a through <= 5.0. | 2026-01-08 | not yet calculated | CVE-2025-68892 | https://vdp.patchstack.com/database/Wordpress/Plugin/scroll-rss-excerpt/vulnerability/wordpress-scroll-rss-excerpt-plugin-5-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. The main cause of the issue is that no validation or sanitization of the file's present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue. | 2026-01-08 | not yet calculated | CVE-2026-22241 | https://github.com/gunet/openeclass/security/advisories/GHSA-rf6j-xgqp-wjxg https://github.com/gunet/openeclass/commit/3f9d267b79812a4dd708bb1302339e6a5abe67d9 |
| hands01--e-shops | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hands01 e-shops e-shops-cart2 allows DOM-Based XSS.This issue affects e-shops: from n/a through <= 1.0.4. | 2026-01-08 | not yet calculated | CVE-2025-68890 | https://vdp.patchstack.com/database/Wordpress/Plugin/e-shops-cart2/vulnerability/wordpress-e-shops-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| https://github.com/FoobarOy/--Foomuuri | A Improper Authorization vulnerability in Foomuuri llows arbitrary users to influence the firewall configuration.This issue affects Foomuuri: from ? before 0.31. | 2026-01-08 | not yet calculated | CVE-2025-67603 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67603 https://security.opensuse.org/2026/01/07/foomuuri-lack-of-dbus-authorization.html |
| https://github.com/FoobarOy/--Foomuuri | A Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`. This issue affects Foomuuri: from ? before 0.31. | 2026-01-08 | not yet calculated | CVE-2025-67858 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67858 https://security.opensuse.org/2026/01/07/foomuuri-lack-of-dbus-authorization.html |
| https://github.com/KDE/--smb4k | An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability allows local users ton perform arbitrary unmounts via smb4k mount helper | 2026-01-08 | not yet calculated | CVE-2025-66002 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66002 https://security.opensuse.org/2025/12/10/smb4k-major-issues-in-kauth-helper.html |
| https://github.com/KDE/--smb4k | An External Control of File Name or Path vulnerability in smb4k allowsl ocal users to perform a local root exploit via smb4k mounthelper if they can access and control the contents of a Samba shareThis issue affects smb4k: from ? before 4.0.5. | 2026-01-08 | not yet calculated | CVE-2025-66003 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66003 https://security.opensuse.org/2025/12/10/smb4k-major-issues-in-kauth-helper.html |
| IAMB--Crypt::Sodium::XS | Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium libsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277 https://www.cve.org/CVERecord?id=CVE-2025-69277 . The libsodium vulnerability states: In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. 0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability. | 2026-01-06 | not yet calculated | CVE-2025-15444 | https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae https://00f.net/2025/12/30/libsodium-vulnerability/ https://metacpan.org/dist/Crypt-Sodium-XS/changes |
| jcaruso001--Flaming Password Reset | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jcaruso001 Flaming Password Reset flaming-password-reset allows Stored XSS.This issue affects Flaming Password Reset: from n/a through <= 1.0.3. | 2026-01-08 | not yet calculated | CVE-2025-68875 | https://vdp.patchstack.com/database/Wordpress/Plugin/flaming-password-reset/vulnerability/wordpress-flaming-password-reset-plugin-1-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jeroen Schmit--Theater for WordPress | Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.19. | 2026-01-06 | not yet calculated | CVE-2025-69331 | https://vdp.patchstack.com/database/Wordpress/Plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-19-broken-access-control-vulnerability?_s_id=cve |
| Joomla! Project--Joomla! CMS | Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags. | 2026-01-06 | not yet calculated | CVE-2025-63082 | https://developer.joomla.org/security-centre/1016-20260101-core-inadequate-content-filtering-for-data-urls.html |
| Joomla! Project--Joomla! CMS | Lack of output escaping leads to a XSS vector in the pagebreak plugin. | 2026-01-06 | not yet calculated | CVE-2025-63083 | https://developer.joomla.org/security-centre/1017-20260102-core-xss-vector-in-the-pagebreak-plugin.html |
| jvoisin--snuffleupagus | Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0. | 2026-01-08 | not yet calculated | CVE-2026-22034 | https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc https://github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37 https://github.com/jvoisin/snuffleupagus/blob/9278dc77bab2a219e770a1b31dd6797bc9070e37/src/sp_upload_validation.c#L92-L100 https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.php https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.py https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ext/standard/dl.c#L165-L166 https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/main/rfc1867.c#L1269-L1274 https://snuffleupagus.readthedocs.io/config.html#upload-validation |
| jwsthemes--OchaHouse | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes OchaHouse ochahouse allows PHP Local File Inclusion.This issue affects OchaHouse: from n/a through <= 2.2.8. | 2026-01-08 | not yet calculated | CVE-2025-12550 | https://vdp.patchstack.com/database/Wordpress/Theme/ochahouse/vulnerability/wordpress-ochahouse-theme-2-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| Kaira--Blockons | Missing Authorization vulnerability in Kaira Blockons blockons allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blockons: from n/a through <= 1.2.15. | 2026-01-08 | not yet calculated | CVE-2025-14360 | https://vdp.patchstack.com/database/Wordpress/Plugin/blockons/vulnerability/wordpress-blockons-plugin-1-2-15-broken-access-control-vulnerability?_s_id=cve |
| KAON--CG3000T | The firmware in KAON CG3000TC and CG3000T routers contains hard-coded credentials in clear text (shared across all routers of this model) that an unauthenticated remote attacker could use to execute commands with root privileges. This vulnerability has been fixed in firmware version: 1.00.67 for CG3000TC and 1.00.27 for CG3000T. | 2026-01-09 | not yet calculated | CVE-2025-7072 | https://cert.pl/posts/2026/01/CVE-2025-7072/ |
| Kentico--Kentico Xperience | Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user's session and perform actions in their security context. | 2026-01-05 | not yet calculated | CVE-2025-5591 | https://www.themissinglink.com.au/security-advisories/cve-2025-5591 |
| Kieback&Peter--Neutrino-GLT | Kieback&Peter Neutrino-GLT product is used for building management. It's web component "SM70 PHWEB" is vulnerable to shell command injection via login form. The injected commands would execute with low privileges. The vulnerability has been fixed in version 9.40.02 | 2026-01-07 | not yet calculated | CVE-2025-6225 | https://cert.pl/en/posts/2026/01/CVE-2025-6225/ |
| KnowageLabs--Knowage-Server | Knowage is an open source analytics and business intelligence suite. Prior to version 8.1.37, there is a blind server-side request forgery vulnerability. The vulnerability allows attackers to send requests to arbitrary hosts/paths. Since the attacker is not able to read the response, the impact of this vulnerability is limited. However, an attacker should be able to leverage this vulnerability to scan the internal network. This issue has been patched in version 8.1.37. | 2026-01-07 | not yet calculated | CVE-2025-58441 | https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-m6x8-wh9v-6jxp |
| LambertGroup--CountDown With Image or Video Background | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup CountDown With Image or Video Background countdown-with-background allows Reflected XSS.This issue affects CountDown With Image or Video Background: from n/a through <= 1.5. | 2026-01-08 | not yet calculated | CVE-2025-27002 | https://vdp.patchstack.com/database/Wordpress/Plugin/countdown-with-background/vulnerability/wordpress-countdown-with-image-or-video-background-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Famous - Responsive Image And Video Grid Gallery WordPress Plugin | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Famous - Responsive Image And Video Grid Gallery WordPress Plugin famous_grid_image_and_video_gallery allows Reflected XSS.This issue affects Famous - Responsive Image And Video Grid Gallery WordPress Plugin: from n/a through <= 1.4. | 2026-01-08 | not yet calculated | CVE-2025-27004 | https://vdp.patchstack.com/database/Wordpress/Plugin/famous_grid_image_and_video_gallery/vulnerability/wordpress-famous-responsive-image-and-video-grid-gallery-wordpress-plugin-plugin-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| langgenius--dify | Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue. | 2026-01-05 | not yet calculated | CVE-2025-67732 | https://github.com/langgenius/dify/security/advisories/GHSA-phpv-94hg-fv9g |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/fpu: Fix false-positive kmsan report in fpu_vstl() A false-positive kmsan report is detected when running ping command. An inline assembly instruction 'vstl' can write varied amount of bytes depending on value of 'index' argument. If 'index' > 0, 'vstl' writes at least 2 bytes. clang generates kmsan write helper call depending on inline assembly constraints. Constraints are evaluated compile-time, but value of 'index' argument is known only at runtime. clang currently generates call to __msan_instrument_asm_store with 1 byte as size. Manually call kmsan function to indicate correct amount of bytes written and fix false-positive report. This change fixes following kmsan reports: [ 36.563119] ===================================================== [ 36.563594] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70 [ 36.563852] virtqueue_add+0x35c6/0x7c70 [ 36.564016] virtqueue_add_outbuf+0xa0/0xb0 [ 36.564266] start_xmit+0x288c/0x4a20 [ 36.564460] dev_hard_start_xmit+0x302/0x900 [ 36.564649] sch_direct_xmit+0x340/0xea0 [ 36.564894] __dev_queue_xmit+0x2e94/0x59b0 [ 36.565058] neigh_resolve_output+0x936/0xb40 [ 36.565278] __neigh_update+0x2f66/0x3a60 [ 36.565499] neigh_update+0x52/0x60 [ 36.565683] arp_process+0x1588/0x2de0 [ 36.565916] NF_HOOK+0x1da/0x240 [ 36.566087] arp_rcv+0x3e4/0x6e0 [ 36.566306] __netif_receive_skb_list_core+0x1374/0x15a0 [ 36.566527] netif_receive_skb_list_internal+0x1116/0x17d0 [ 36.566710] napi_complete_done+0x376/0x740 [ 36.566918] virtnet_poll+0x1bae/0x2910 [ 36.567130] __napi_poll+0xf4/0x830 [ 36.567294] net_rx_action+0x97c/0x1ed0 [ 36.567556] handle_softirqs+0x306/0xe10 [ 36.567731] irq_exit_rcu+0x14c/0x2e0 [ 36.567910] do_io_irq+0xd4/0x120 [ 36.568139] io_int_handler+0xc2/0xe8 [ 36.568299] arch_cpu_idle+0xb0/0xc0 [ 36.568540] arch_cpu_idle+0x76/0xc0 [ 36.568726] default_idle_call+0x40/0x70 [ 36.568953] do_idle+0x1d6/0x390 [ 36.569486] cpu_startup_entry+0x9a/0xb0 [ 36.569745] rest_init+0x1ea/0x290 [ 36.570029] start_kernel+0x95e/0xb90 [ 36.570348] startup_continue+0x2e/0x40 [ 36.570703] [ 36.570798] Uninit was created at: [ 36.571002] kmem_cache_alloc_node_noprof+0x9e8/0x10e0 [ 36.571261] kmalloc_reserve+0x12a/0x470 [ 36.571553] __alloc_skb+0x310/0x860 [ 36.571844] __ip_append_data+0x483e/0x6a30 [ 36.572170] ip_append_data+0x11c/0x1e0 [ 36.572477] raw_sendmsg+0x1c8c/0x2180 [ 36.572818] inet_sendmsg+0xe6/0x190 [ 36.573142] __sys_sendto+0x55e/0x8e0 [ 36.573392] __s390x_sys_socketcall+0x19ae/0x2ba0 [ 36.573571] __do_syscall+0x12e/0x240 [ 36.573823] system_call+0x6e/0x90 [ 36.573976] [ 36.574017] Byte 35 of 98 is uninitialized [ 36.574082] Memory access of size 98 starts at 0000000007aa0012 [ 36.574218] [ 36.574325] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.17.0-dirty #16 NONE [ 36.574541] Tainted: [B]=BAD_PAGE, [N]=TEST [ 36.574617] Hardware name: IBM 3931 A01 703 (KVM/Linux) [ 36.574755] ===================================================== [ 63.532541] ===================================================== [ 63.533639] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70 [ 63.533989] virtqueue_add+0x35c6/0x7c70 [ 63.534940] virtqueue_add_outbuf+0xa0/0xb0 [ 63.535861] start_xmit+0x288c/0x4a20 [ 63.536708] dev_hard_start_xmit+0x302/0x900 [ 63.537020] sch_direct_xmit+0x340/0xea0 [ 63.537997] __dev_queue_xmit+0x2e94/0x59b0 [ 63.538819] neigh_resolve_output+0x936/0xb40 [ 63.539793] ip_finish_output2+0x1ee2/0x2200 [ 63.540784] __ip_finish_output+0x272/0x7a0 [ 63.541765] ip_finish_output+0x4e/0x5e0 [ 63.542791] ip_output+0x166/0x410 [ 63.543771] ip_push_pending_frames+0x1a2/0x470 [ 63.544753] raw_sendmsg+0x1f06/0x2180 [ 63.545033] inet_sendmsg+0xe6/0x190 [ 63.546006] __sys_sendto+0x55e/0x8e0 ---truncated--- | 2026-01-05 | not yet calculated | CVE-2025-68751 | https://git.kernel.org/stable/c/946357a538bb47740635c25520924351d2d91544 https://git.kernel.org/stable/c/13dcd6308cb8f67134ee5d5d762b2a66363c695b https://git.kernel.org/stable/c/14e4e4175b64dd9216b522f6ece8af6997d063b2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iavf: Implement settime64 with -EOPNOTSUPP ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference. The fix is similar to commit 329d050bbe63 ("gve: Implement settime64 with -EOPNOTSUPP"). | 2026-01-05 | not yet calculated | CVE-2025-68752 | https://git.kernel.org/stable/c/9e3dbc3bb2e2aa728b49422b2e5344488f93f690 https://git.kernel.org/stable/c/6d080f810ffd6b8e002ce5bee8b9c551ca2535c2 https://git.kernel.org/stable/c/1e43ebcd5152b3e681a334cc6542fb21770c3a2e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-motu: add bounds check in put_user loop for DSP events In the DSP event handling code, a put_user() loop copies event data. When the user buffer size is not aligned to 4 bytes, it could overwrite beyond the buffer boundary. Fix by adding a bounds check before put_user(). | 2026-01-05 | not yet calculated | CVE-2025-68753 | https://git.kernel.org/stable/c/ea2c921d9de6e32ca50cb817b9d57bb881be70de https://git.kernel.org/stable/c/6d4f17782ce4facf3197e79707df411ee3d7b30a https://git.kernel.org/stable/c/0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f https://git.kernel.org/stable/c/df692cf2b601a54b34edfdb9e683d67483aa8ce1 https://git.kernel.org/stable/c/8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187 https://git.kernel.org/stable/c/298e753880b6ea99ac30df34959a7a03b0878eed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rtc: amlogic-a4: fix double free caused by devm The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free. Remove the redundant clk_disable_unprepare() calls from the probe error path and aml_rtc_remove(), allowing the devm framework to automatically manage the clock lifecycle. | 2026-01-05 | not yet calculated | CVE-2025-68754 | https://git.kernel.org/stable/c/9fed02c16488050cd4e33e045506336b216d7301 https://git.kernel.org/stable/c/2e1c79299036614ac32b251d145fad5391f4bcab https://git.kernel.org/stable/c/384150d7a5b60c1086790a8ee07b0629f906cca2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: most: remove broken i2c driver The MOST I2C driver has been completely broken for five years without anyone noticing so remove the driver from staging. Specifically, commit 723de0f9171e ("staging: most: remove device from interface structure") started requiring drivers to set the interface device pointer before registration, but the I2C driver was never updated which results in a NULL pointer dereference if anyone ever tries to probe it. | 2026-01-05 | not yet calculated | CVE-2025-68755 | https://git.kernel.org/stable/c/6cbba922934805f86eece6ba7010b7201962695d https://git.kernel.org/stable/c/6059a66dba7f26b21852831432e17075f1a1c783 https://git.kernel.org/stable/c/e463548fd80e779efea1cb2d3049b8a7231e6925 https://git.kernel.org/stable/c/495df2da6944477d282d5cc0c13174d06e25b310 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock blk_mq_{add,del}_queue_tag_set() functions add and remove queues from tagset, the functions make sure that tagset and queues are marked as shared when two or more queues are attached to the same tagset. Initially a tagset starts as unshared and when the number of added queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along with all the queues attached to it. When the number of attached queues drops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and the remaining queues as unshared. Both functions need to freeze current queues in tagset before setting on unsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions hold set->tag_list_lock mutex, which makes sense as we do not want queues to be added or deleted in the process. This used to work fine until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset") made the nvme driver quiesce tagset instead of quiscing individual queues. blk_mq_quiesce_tagset() does the job and quiesce the queues in set->tag_list while holding set->tag_list_lock also. This results in deadlock between two threads with these stacktraces: __schedule+0x47c/0xbb0 ? timerqueue_add+0x66/0xb0 schedule+0x1c/0xa0 schedule_preempt_disabled+0xa/0x10 __mutex_lock.constprop.0+0x271/0x600 blk_mq_quiesce_tagset+0x25/0xc0 nvme_dev_disable+0x9c/0x250 nvme_timeout+0x1fc/0x520 blk_mq_handle_expired+0x5c/0x90 bt_iter+0x7e/0x90 blk_mq_queue_tag_busy_iter+0x27e/0x550 ? __blk_mq_complete_request_remote+0x10/0x10 ? __blk_mq_complete_request_remote+0x10/0x10 ? __call_rcu_common.constprop.0+0x1c0/0x210 blk_mq_timeout_work+0x12d/0x170 process_one_work+0x12e/0x2d0 worker_thread+0x288/0x3a0 ? rescuer_thread+0x480/0x480 kthread+0xb8/0xe0 ? kthread_park+0x80/0x80 ret_from_fork+0x2d/0x50 ? kthread_park+0x80/0x80 ret_from_fork_asm+0x11/0x20 __schedule+0x47c/0xbb0 ? xas_find+0x161/0x1a0 schedule+0x1c/0xa0 blk_mq_freeze_queue_wait+0x3d/0x70 ? destroy_sched_domains_rcu+0x30/0x30 blk_mq_update_tag_set_shared+0x44/0x80 blk_mq_exit_queue+0x141/0x150 del_gendisk+0x25a/0x2d0 nvme_ns_remove+0xc9/0x170 nvme_remove_namespaces+0xc7/0x100 nvme_remove+0x62/0x150 pci_device_remove+0x23/0x60 device_release_driver_internal+0x159/0x200 unbind_store+0x99/0xa0 kernfs_fop_write_iter+0x112/0x1e0 vfs_write+0x2b1/0x3d0 ksys_write+0x4e/0xb0 do_syscall_64+0x5b/0x160 entry_SYSCALL_64_after_hwframe+0x4b/0x53 The top stacktrace is showing nvme_timeout() called to handle nvme command timeout. timeout handler is trying to disable the controller and as a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not to call queue callback handlers. The thread is stuck waiting for set->tag_list_lock as it tries to walk the queues in set->tag_list. The lock is held by the second thread in the bottom stack which is waiting for one of queues to be frozen. The queue usage counter will drop to zero after nvme_timeout() finishes, and this will not happen because the thread will wait for this mutex forever. Given that [un]quiescing queue is an operation that does not need to sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking set->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list) in blk_mq_del_queue_tag_set() because we can not re-initialize it while the list is being traversed under RCU. The deleted queue will not be added/deleted to/from a tagset and it will be freed in blk_free_queue() after the end of RCU grace period. | 2026-01-05 | not yet calculated | CVE-2025-68756 | https://git.kernel.org/stable/c/ca8764c0ea1fb825f17f19704af55e9e02c9f768 https://git.kernel.org/stable/c/3baeec23a82e7ee9691f434c6ab0ab1387326108 https://git.kernel.org/stable/c/6e8d363786765a81e35083e0909e076796468edf https://git.kernel.org/stable/c/ef0cd7b694928573f6569e61c14f5f059253162e https://git.kernel.org/stable/c/59e25ef2b413c72da6686d431e7759302cfccafa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vgem-fence: Fix potential deadlock on release A timer that expires a vgem fence automatically in 10 seconds is now released with timer_delete_sync() from fence->ops.release() called on last dma_fence_put(). In some scenarios, it can run in IRQ context, which is not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while working on new IGT subtests syncobj_timeline@stress-* as user space replacements of some problematic test cases of a dma-fence-chain selftest [1]. [117.004338] ================================ [117.004340] WARNING: inconsistent lock state [117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U [117.004346] -------------------------------- [117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. [117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes: [117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190 [117.004361] {HARDIRQ-ON-W} state was registered at: [117.004363] lock_acquire+0xc4/0x2e0 [117.004366] call_timer_fn+0x80/0x2a0 [117.004368] __run_timers+0x231/0x310 [117.004370] run_timer_softirq+0x76/0xe0 [117.004372] handle_softirqs+0xd4/0x4d0 [117.004375] __irq_exit_rcu+0x13f/0x160 [117.004377] irq_exit_rcu+0xe/0x20 [117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0 [117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [117.004385] cpuidle_enter_state+0x12b/0x8a0 [117.004388] cpuidle_enter+0x2e/0x50 [117.004393] call_cpuidle+0x22/0x60 [117.004395] do_idle+0x1fd/0x260 [117.004398] cpu_startup_entry+0x29/0x30 [117.004401] start_secondary+0x12d/0x160 [117.004404] common_startup_64+0x13e/0x141 [117.004407] irq event stamp: 2282669 [117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80 [117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0 [117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18 [117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160 [117.004426] other info that might help us debug this: [117.004429] Possible unsafe locking scenario: [117.004432] CPU0 [117.004433] ---- [117.004434] lock((&fence->timer)); [117.004436] <Interrupt> [117.004438] lock((&fence->timer)); [117.004440] *** DEADLOCK *** [117.004443] 1 lock held by swapper/0/0: [117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0 [117.004450] stack backtrace: [117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary) [117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER [117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 [117.004456] Call Trace: [117.004456] <IRQ> [117.004457] dump_stack_lvl+0x91/0xf0 [117.004460] dump_stack+0x10/0x20 [117.004461] print_usage_bug.part.0+0x260/0x360 [117.004463] mark_lock+0x76e/0x9c0 [117.004465] ? register_lock_class+0x48/0x4a0 [117.004467] __lock_acquire+0xbc3/0x2860 [117.004469] lock_acquire+0xc4/0x2e0 [117.004470] ? __timer_delete_sync+0x4b/0x190 [117.004472] ? __timer_delete_sync+0x4b/0x190 [117.004473] __timer_delete_sync+0x68/0x190 [117.004474] ? __timer_delete_sync+0x4b/0x190 [117.004475] timer_delete_sync+0x10/0x20 [117.004476] vgem_fence_release+0x19/0x30 [vgem] [117.004478] dma_fence_release+0xc1/0x3b0 [117.004480] ? dma_fence_release+0xa1/0x3b0 [117.004481] dma_fence_chain_release+0xe7/0x130 [117.004483] dma_fence_release+0xc1/0x3b0 [117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80 [117.004485] dma_fence_chain_irq_work+0x59/0x80 [117.004487] irq_work_single+0x75/0xa0 [117.004490] irq_work_r ---truncated--- | 2026-01-05 | not yet calculated | CVE-2025-68757 | https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0 https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54 https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: backlight: led-bl: Add devlink to supplier LEDs LED Backlight is a consumer of one or multiple LED class devices, but devlink is currently unable to create correct supplier-producer links when the supplier is a class device. It creates instead a link where the supplier is the parent of the expected device. One consequence is that removal order is not correctly enforced. Issues happen for example with the following sections in a device tree overlay: // An LED driver chip pca9632@62 { compatible = "nxp,pca9632"; reg = <0x62>; // ... addon_led_pwm: led-pwm@3 { reg = <3>; label = "addon:led:pwm"; }; }; backlight-addon { compatible = "led-backlight"; leds = <&addon_led_pwm>; brightness-levels = <255>; default-brightness-level = <255>; }; In this example, the devlink should be created between the backlight-addon (consumer) and the pca9632@62 (supplier). Instead it is created between the backlight-addon (consumer) and the parent of the pca9632@62, which is typically the I2C bus adapter. On removal of the above overlay, the LED driver can be removed before the backlight device, resulting in: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 ... Call trace: led_put+0xe0/0x140 devm_led_release+0x6c/0x98 Another way to reproduce the bug without any device tree overlays is unbinding the LED class device (pca9632@62) before unbinding the consumer (backlight-addon): echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind Fix by adding a devlink between the consuming led-backlight device and the supplying LED device, as other drivers and subsystems do as well. | 2026-01-05 | not yet calculated | CVE-2025-68758 | https://git.kernel.org/stable/c/e06df738a9ad8417f1c4c7cd6992cda320e9e7ca https://git.kernel.org/stable/c/30cbe4b642745a9488a0f0d78be43afe69d7555c https://git.kernel.org/stable/c/0e63ea4378489e09eb5e920c8a50c10caacf563a https://git.kernel.org/stable/c/60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9 https://git.kernel.org/stable/c/08c9dc6b0f2c68e5e7c374ac4499e321e435d46c https://git.kernel.org/stable/c/9341d6698f4cfdfc374fb6944158d111ebe16a9d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA allocations in a loop. When an allocation fails, the previously successful allocations are not freed on exit. Fix that by jumping to err_free_rings label on error, which calls rtl8180_free_rx_ring() to free the allocations. Remove the free of rx_ring in rtl8180_init_rx_ring() error path, and set the freed priv->rx_buf entry to null, to avoid double free. | 2026-01-05 | not yet calculated | CVE-2025-68759 | https://git.kernel.org/stable/c/a4fb7cca9837378878e6c94d9e7af019c8fdfcdb https://git.kernel.org/stable/c/bf8513dfa31ea015c9cf415796dca2113d293840 https://git.kernel.org/stable/c/ee7db11742b30641f21306105ad27a275e3c61d7 https://git.kernel.org/stable/c/a813a74570212cb5f3a7d3b05c0cb0cd00bace1d https://git.kernel.org/stable/c/c9d1c4152e6d32fa74034464854bee262a60bc43 https://git.kernel.org/stable/c/9b5b9c042b30befc5b37e4539ace95af70843473 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show In iommu_mmio_write(), it validates the user-provided offset with the check: `iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4`. This assumes a 4-byte access. However, the corresponding show handler, iommu_mmio_show(), uses readq() to perform an 8-byte (64-bit) read. If a user provides an offset equal to `mmio_phys_end - 4`, the check passes, and will lead to a 4-byte out-of-bounds read. Fix this by adjusting the boundary check to use sizeof(u64), which corresponds to the size of the readq() operation. | 2026-01-05 | not yet calculated | CVE-2025-68760 | https://git.kernel.org/stable/c/b959df804c33913dbfdb90750f2d693502b3d126 https://git.kernel.org/stable/c/0ec4aaf5f3f559716a6559f3d6d9616e9470bed6 https://git.kernel.org/stable/c/a0c7005333f9a968abb058b1d77bbcd7fb7fd1e7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfs: fix potential use after free in hfs_correct_next_unused_CNID() This code calls hfs_bnode_put(node) which drops the refcount and then dreferences "node" on the next line. It's only safe to use "node" when we're holding a reference so flip these two lines around. | 2026-01-05 | not yet calculated | CVE-2025-68761 | https://git.kernel.org/stable/c/40a1e0142096dd7dd6cb5373841222b528698588 https://git.kernel.org/stable/c/c105e76bb17cf4b55fe89c6ad4f6a0e3972b5b08 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: netpoll: initialize work queue before error checks Prevent a kernel warning when netconsole setup fails on devices with IFF_DISABLE_NETPOLL flag. The warning (at kernel/workqueue.c:4242 in __flush_work) occurs because the cleanup path tries to cancel an uninitialized work queue. When __netpoll_setup() encounters a device with IFF_DISABLE_NETPOLL, it fails early and calls skb_pool_flush() for cleanup. This function calls cancel_work_sync(&np->refill_wq), but refill_wq hasn't been initialized yet, triggering the warning. Move INIT_WORK() to the beginning of __netpoll_setup(), ensuring the work queue is properly initialized before any potential failure points. This allows the cleanup path to safely cancel the work queue regardless of where the setup fails. | 2026-01-05 | not yet calculated | CVE-2025-68762 | https://git.kernel.org/stable/c/a90d0dc38a10347078cca60e7495ad0648838f18 https://git.kernel.org/stable/c/760bc6ceda8e2c273c0e2018ad2595967c3dd308 https://git.kernel.org/stable/c/e5235eb6cfe02a51256013a78f7b28779a7740d5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: starfive - Correctly handle return of sg_nents_for_len The return value of sg_nents_for_len was assigned to an unsigned long in starfive_hash_digest, causing negative error codes to be converted to large positive integers. Add error checking for sg_nents_for_len and return immediately on failure to prevent potential buffer overflows. | 2026-01-05 | not yet calculated | CVE-2025-68763 | https://git.kernel.org/stable/c/6cd14414394b4f3d6e1ed64b8241d1fcc2271820 https://git.kernel.org/stable/c/0c3854d65cc4402cb8c52d4d773450a06efecab6 https://git.kernel.org/stable/c/1af5c973dd744e29fa22121f43e8646b7a7a71a7 https://git.kernel.org/stable/c/9b3f71cf02e04cfaa482155e3078707fe7f8aef4 https://git.kernel.org/stable/c/e9eb52037a529fbb307c290e9951a62dd728b03d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags When a filesystem is being automounted, it needs to preserve the user-set superblock mount options, such as the "ro" flag. | 2026-01-05 | not yet calculated | CVE-2025-68764 | https://git.kernel.org/stable/c/c09070b4def1b34e473a746c6a5331ccb80902c1 https://git.kernel.org/stable/c/dce10c59211e5cd763a62ea01e79b82a629811e3 https://git.kernel.org/stable/c/612cc98698d667df804792f0c47d4e501e66da29 https://git.kernel.org/stable/c/4b296944e632cf4c6a4cc8e2585c6451eae47b1b https://git.kernel.org/stable/c/df9b003a2ecacc7218486fbb31fe008c93097d5f https://git.kernel.org/stable/c/8675c69816e4276b979ff475ee5fac4688f80125 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function returns an error without freeing sskb, leading to a memory leak. Fix this by calling dev_kfree_skb() on sskb in the error handling path to ensure it is properly released. | 2026-01-05 | not yet calculated | CVE-2025-68765 | https://git.kernel.org/stable/c/594ff8bb69e239678a8baa461827ce4bb90eff8f https://git.kernel.org/stable/c/1c3c234af9407256ed670c8752923a672eea4225 https://git.kernel.org/stable/c/278bfed4529a0c9c9119f5a52ddafe69db61a75c https://git.kernel.org/stable/c/fb905e69941b44e03fe1a24e95328d45442b6d6d https://git.kernel.org/stable/c/4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49 https://git.kernel.org/stable/c/53d1548612670aa8b5d89745116cc33d9d172863 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then it results in an out of bounds access. The code checks for invalid values, but doesn't set the error code. Return -EINVAL in that case, instead of returning success. | 2026-01-05 | not yet calculated | CVE-2025-68766 | https://git.kernel.org/stable/c/324c60a67c4b9668497940f667db14d216cc7b1b https://git.kernel.org/stable/c/c21c606ad398eeb86a0f3aaff9ba4f2665e286c6 https://git.kernel.org/stable/c/3873afcb57614c1aaa5b6715554d6d1c22cac95a https://git.kernel.org/stable/c/09efe7cfbf919c4d763bc425473fcfee0dc98356 https://git.kernel.org/stable/c/efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552 https://git.kernel.org/stable/c/7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 |
| loopus--WP Attractive Donations System - Easy Stripe & Paypal donations | Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. | 2026-01-08 | not yet calculated | CVE-2025-22715 | https://vdp.patchstack.com/database/Wordpress/Plugin/WP_AttractiveDonationsSystem/vulnerability/wordpress-wp-attractive-donations-system-easy-stripe-paypal-donations-plugin-1-25-arbitrary-content-deletion-vulnerability?_s_id=cve |
| loopus--WP Virtual Assistant | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in loopus WP Virtual Assistant VirtualAssistant allows Stored XSS.This issue affects WP Virtual Assistant: from n/a through <= 3.0. | 2026-01-08 | not yet calculated | CVE-2025-22725 | https://vdp.patchstack.com/database/Wordpress/Plugin/VirtualAssistant/vulnerability/wordpress-wp-virtual-assistant-plugin-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| magentech--Rozy - Flower Shop | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Rozy - Flower Shop rozy allows PHP Local File Inclusion.This issue affects Rozy - Flower Shop: from n/a through <= 1.2.25. | 2026-01-08 | not yet calculated | CVE-2025-12549 | https://vdp.patchstack.com/database/Wordpress/Theme/rozy/vulnerability/wordpress-rozy-flower-shop-theme-1-2-25-local-file-inclusion-vulnerability?_s_id=cve |
| magepeopleteam--Car Rental Manager | Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.0.9. | 2026-01-06 | not yet calculated | CVE-2025-69327 | https://vdp.patchstack.com/database/Wordpress/Plugin/car-rental-manager/vulnerability/wordpress-car-rental-manager-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`) to avoid the "confused deputy" problem. The list of disallowed IP address ranges was lacking some IP address ranges that can be used to reach local IP addresses. An attacker can use an IP address in the affected ranges to make Mastodon perform HTTP requests against loopback or local network hosts, potentially allowing access to otherwise private resources and services. This is fixed in Mastodon v4.5.4, v4.4.11, v4.3.17 and v4.2.29. | 2026-01-08 | not yet calculated | CVE-2026-22245 | https://github.com/mastodon/mastodon/security/advisories/GHSA-xfrj-c749-jxxq https://github.com/mastodon/mastodon/commit/0f4e8a6240b5af1f2c3f34d2793d8610c6ef2aca https://github.com/mastodon/mastodon/commit/17022907866710a72a1b1fc0a5ce9538bad1b4c3 https://github.com/mastodon/mastodon/commit/71ae4cf2cf5138ccdda64b1b1d665849b688686d |
| MediaTek, Inc.--MT2718, MT6580, MT6739, MT6761, MT6765, MT6768, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6855, MT6873, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8195, MT8196, MT8370, MT8390, MT8391, MT8395, MT8676, MT8678, MT8696, MT8755, MT8766, MT8768, MT8781, MT8786, MT8788E, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893 | In KeyInstall, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10276761; Issue ID: MSV-5141. | 2026-01-06 | not yet calculated | CVE-2025-20795 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8796 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149879; Issue ID: MSV-4658. | 2026-01-06 | not yet calculated | CVE-2025-20787 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2718, MT6765, MT6768, MT6781, MT6833, MT6835, MT6853, MT6855, MT6877, MT6879, MT6893, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8367, MT8391, MT8676, MT8678, MT8696, MT8766, MT8768, MT8781, MT8786, MT8788E, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893 | In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10315812; Issue ID: MSV-5534. | 2026-01-06 | not yet calculated | CVE-2025-20797 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2718, MT6765, MT6768, MT6781, MT6833, MT6835, MT6853, MT6855, MT6877, MT6879, MT6893, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8367, MT8391, MT8676, MT8678, MT8696, MT8766, MT8768, MT8781, MT8786, MT8788E, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893 | In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10315812; Issue ID: MSV-5533. | 2026-01-06 | not yet calculated | CVE-2025-20798 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2718, MT6899, MT6989, MT6991, MT8678, MT8793 | In mminfra, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10267349; Issue ID: MSV-5033. | 2026-01-06 | not yet calculated | CVE-2025-20800 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689259 / MOLY01586470; Issue ID: MSV-4847. | 2026-01-06 | not yet calculated | CVE-2025-20794 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01430930; Issue ID: MSV-4836. | 2026-01-06 | not yet calculated | CVE-2025-20793 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01311265; Issue ID: MSV-4655. | 2026-01-06 | not yet calculated | CVE-2025-20761 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible read of uninitialized heap data due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01676750; Issue ID: MSV-4653. | 2026-01-06 | not yet calculated | CVE-2025-20760 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184870; Issue ID: MSV-4729. | 2026-01-06 | not yet calculated | CVE-2025-20778 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible use after free due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184084; Issue ID: MSV-4720. | 2026-01-06 | not yet calculated | CVE-2025-20779 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184061; Issue ID: MSV-4712. | 2026-01-06 | not yet calculated | CVE-2025-20780 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4699. | 2026-01-06 | not yet calculated | CVE-2025-20781 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4685. | 2026-01-06 | not yet calculated | CVE-2025-20782 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4684. | 2026-01-06 | not yet calculated | CVE-2025-20783 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to uninitialized data. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4683. | 2026-01-06 | not yet calculated | CVE-2025-20784 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149882; Issue ID: MSV-4677. | 2026-01-06 | not yet calculated | CVE-2025-20785 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149882; Issue ID: MSV-4673. | 2026-01-06 | not yet calculated | CVE-2025-20786 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6835, MT6835T, MT6878, MT6878M, MT6897, MT6899, MT6991, MT8676, MT8678, MT8755, MT8792, MT8793, MT8863, MT8873, MT8883 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01685181; Issue ID: MSV-4760. | 2026-01-06 | not yet calculated | CVE-2025-20762 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6878, MT6897, MT6899, MT6985, MT6989, MT6991, MT6993, MT8792, MT8796, MT8798 | In seninf, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10251210; Issue ID: MSV-4926. | 2026-01-06 | not yet calculated | CVE-2025-20801 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991 | In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS10198951; Issue ID: MSV-4503. | 2026-01-06 | not yet calculated | CVE-2025-20804 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT6993, MT8793 | In c2ps, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10274607; Issue ID: MSV-5049. | 2026-01-06 | not yet calculated | CVE-2025-20799 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT8793 | In dpe, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS10199779; Issue ID: MSV-4504. | 2026-01-06 | not yet calculated | CVE-2025-20803 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT8793 | In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114696; Issue ID: MSV-4480. | 2026-01-06 | not yet calculated | CVE-2025-20805 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT8793 | In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114835; Issue ID: MSV-4479. | 2026-01-06 | not yet calculated | CVE-2025-20806 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT8793 | In dpe, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114841; Issue ID: MSV-4451. | 2026-01-06 | not yet calculated | CVE-2025-20807 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6989, MT8796, MT8893 | In imgsys, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS10314745; Issue ID: MSV-5553. | 2026-01-06 | not yet calculated | CVE-2025-20796 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6991, MT8196, MT8367, MT8781, MT8786, MT8793 | In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10238968; Issue ID: MSV-4914. | 2026-01-06 | not yet calculated | CVE-2025-20802 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| Microsoft--Playwright | Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim's web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints. | 2026-01-07 | not yet calculated | CVE-2025-9611 | https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-8rgw-6xp9-2fg3 https://github.com/microsoft/playwright/commit/1313fbd https://www.vulncheck.com/advisories/microsoft-playwright-mcp-server-dns-rebinding-via-missing-origin-header-validation |
| Mikado-Themes--Curly | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3. | 2026-01-08 | not yet calculated | CVE-2025-67936 | https://vdp.patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Hendon | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion.This issue affects Hendon: from n/a through < 1.7. | 2026-01-08 | not yet calculated | CVE-2025-67937 | https://vdp.patchstack.com/database/Wordpress/Theme/hendon/vulnerability/wordpress-hendon-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Optimize | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion.This issue affects Optimize: from n/a through < 2.4. | 2026-01-08 | not yet calculated | CVE-2025-67935 | https://vdp.patchstack.com/database/Wordpress/Theme/optimizewp/vulnerability/wordpress-optimize-theme-2-4-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Wellspring | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion.This issue affects Wellspring: from n/a through < 2.8. | 2026-01-08 | not yet calculated | CVE-2025-67934 | https://vdp.patchstack.com/database/Wordpress/Theme/wellspring/vulnerability/wordpress-wellspring-theme-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| n/a-- GL Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 | An issue in GL Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerable. GL.Inet AX1800 Version 4.6.4 & 4.6.8 in the GL.iNet custom opkg wrapper script located at /usr/libexec/opkg-call. The script is executed with root privileges when triggered via the LuCI web interface or authenticated API calls to manage packages. The vulnerable code uses shell redirection to create a lock file in the world-writable /tmp directory. | 2026-01-08 | not yet calculated | CVE-2025-67091 | https://www.gl-inet.com/ https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub https://aleksazatezalo.medium.com/critical-authentication-bypass-vulnerability-in-gl-inet-gl-axt1800-router-firmware-f19442ca721d |
| n/a-- realme Internet browser v.45.13.4.1 | An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser | 2026-01-05 | not yet calculated | CVE-2025-67316 | http://internet.com http://realme.com https://gist.github.com/Brucewebva/ceb365b7cea0d0b8ec0ce6755177de83 |
| n/a--@sylphxltd/filesystem-mcp v0.5.8 | @sylphxltd/filesystem-mcp v0.5.8 is an MCP server that provides file content reading functionality. Version 0.5.8 of filesystem-mcp contains a critical path traversal vulnerability in its "read_content" tool. This vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before resolving symlinks, while fs.readFile resolves symlinks automatically during file access. This allows attackers to bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, enabling unauthorized access to files outside the intended operational scope. | 2026-01-07 | not yet calculated | CVE-2025-67366 | https://github.com/sylphxltd/filesystem-mcp/issues/134 https://github.com/sylphxltd/filesystem-mcp |
| n/a--AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnctor component version 11.10.0.183 and earlier of enaio 11.10 | An issue was discovered in the AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnctor component version 11.10.0.183 and earlier of enaio 11.10. The vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail endpoint | 2026-01-08 | not yet calculated | CVE-2025-56425 | https://www.optimal-systems.de/enaio https://mind-bytes.de/smtp-injection-in-enaio-component-appconnector-cve-2025-56425/ |
| n/a--Area9 Rhapsode 1.47.3 | In Area9 Rhapsode 1.47.3, an authenticated attacker can exploit the operation, url, and filename parameters via POST request to read arbitrary files from the server filesystem. Fixed in 1.47.4 (#7254) and further versions. | 2026-01-09 | not yet calculated | CVE-2025-67810 | https://area9.com https://security.area9lyceum.com/cve-2025-67810/ |
| n/a--Area9 Rhapsode 1.47.3 | Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. Fixed in v.1.47.4 and beyond. | 2026-01-09 | not yet calculated | CVE-2025-67811 | https://area9.com https://security.area9lyceum.com/cve-2025-67811/ |
| n/a--ARIS 10.0.23.0.3587512 | A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/Malware | 2026-01-07 | not yet calculated | CVE-2025-66837 | https://www.softwareag.com/ https://github.com/saykino/CVE-2025-66837/ |
| n/a--Aris v10.0.23.0.3587512 and before | In Aris v10.0.23.0.3587512 and before, the file upload functionality does not enforce any rate limiting or throttling, allowing users to upload files at an unrestricted rate. An attacker can exploit this behavior to rapidly upload a large volume of files, potentially leading to resource exhaustion such as disk space depletion, increased server load, or degraded performance | 2026-01-07 | not yet calculated | CVE-2025-66838 | https://www.softwareag.com/ https://github.com/saykino/CVE-2025-66838/ |
| n/a--Axtion ODISSAAS ODIS v1.8.4 | A DLL hijacking vulnerability in Axtion ODISSAAS ODIS v1.8.4 allows attackers to execute arbitrary code via a crafted DLL file. | 2026-01-09 | not yet calculated | CVE-2025-66715 | https://www.axtion.nl/odis/ https://b1tsec.gitbook.io/offensive-repo/cve-repository/cve-2025-66715 |
| n/a--Blue Access Cobalt v02.000.195 | Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker to selectively proxy requests in order to operate functionality on the web application without the need to authenticate with legitimate credentials. | 2026-01-06 | not yet calculated | CVE-2025-60534 | http://blue.com https://github.com/PilotPatrickk/Published-CVEs/blob/main/CVE-2025-60534.md |
| n/a--ComfyUI-Manager prior to version 3.38 | An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface | 2026-01-05 | not yet calculated | CVE-2025-67303 | https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338/commits/e44c5cef58fb4973670b86433b9d24d077b44a26 |
| n/a--CouchCMS 2.4 | An Information Disclosure vulnerability in CouchCMS 2.4 allow an Admin user to read arbitrary files via traversing directories back after back. It can Disclosure the source code or any other confidential information if weaponize accordingly. | 2026-01-09 | not yet calculated | CVE-2025-67004 | https://www.couchcms.com/ https://github.com/CouchCMS/CouchCMS https://gist.github.com/thepiyushkumarshukla/d01f8004c43692f18c75548f4739955a |
| n/a--D-Link DIR895LA1 v102b07 | A Command Injection Vulnerability has been discovered in the DHCP daemon service of D-Link DIR895LA1 v102b07. The vulnerability exists in the lease renewal processing logic where the DHCP hostname parameter is directly concatenated into a system command without proper sanitization. When a DHCP client renews an existing lease with a malicious hostname, arbitrary commands can be executed with root privileges. | 2026-01-09 | not yet calculated | CVE-2025-69542 | https://tzh00203.notion.site/D-Link-DIR895LA1-v102b07-Command-Injection-in-DHCPd-2d4b5c52018a80a1a5ccfb317b308861?source=copy_link |
| n/a--D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) | An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to presence of root terminal access on a serial interface without proper access control. | 2026-01-08 | not yet calculated | CVE-2025-65731 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/uk/en/products/dir-605l-wireless-n-300-home-cloud-router https://gist.github.com/whitej3rry/f142a93bac360f9b1126f552f64957ea https://github.com/whitej3rry/CVE-2025-65731 |
| n/a--DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 | DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 allows an attacker to retrieve sensitive information from the underlying SQL database via Blind SQL Injection through the user parameter in the login page. This allows an attacker to steal credentials, which may be cleartext, from existing users (and admins) and use them to authenticate to the application. | 2026-01-06 | not yet calculated | CVE-2025-59379 | https://isensix.com/guardian/ https://info.dwyeromega.com/brands https://github.com/PilotPatrickk/Published-CVEs/blob/main/CVE-2025-59379.md |
| n/a--EDIMAX BR-6208AC V2_1.02 | EDIMAX BR-6208AC V2_1.02 is vulnerable to Command Injection. This arises because the pppUserName field is directly passed to a shell command via the system() function without proper sanitization. An attacker can exploit this by injecting malicious commands into the pppUserName field, allowing arbitrary code execution. | 2026-01-09 | not yet calculated | CVE-2025-70161 | https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-setWAN-handler-2d3b5c52018a80d7ae8dce2bf5e3294c?source=copy_link |
| n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 | There is an issue on the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 that enables remote attacker to create financial discrepancies by purchasing items with a negative quantity. This vulnerability is possible due to reliance on client-side input validation controls. | 2026-01-08 | not yet calculated | CVE-2025-61546 | https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61546 |
| n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 | Cross-Site Request Forgery (CSRF) is present on all functions in edu Business Solutions Print Shop Pro WebDesk version 18.34. The application does not implement proper CSRF tokens or other other protective measures, allowing a remote attacker to trick authenticated users into unknowingly executing unintended actions within their session. This can lead to unauthorized data modification such as credential updates. | 2026-01-08 | not yet calculated | CVE-2025-61547 | https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61547 |
| n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 | SQL Injection is present on the hfInventoryDistFormID parameter in the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. Unsanitized user input is incorporated directly into SQL queries without proper parameterization or escaping. This vulnerability allows remote attackers to execute arbitrary SQL commands | 2026-01-08 | not yet calculated | CVE-2025-61548 | https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61548 |
| n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 | Cross-Site Scripting (XSS) is present on the LoginID parameter on the /PSP/app/web/reg/reg_display.asp endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. Unsanitized user input is reflected in HTTP responses without proper HTML encoding or escaping. This allows attackers to execute arbitrary JavaScript in the context of a victim s browser session | 2026-01-08 | not yet calculated | CVE-2025-61549 | https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61549 |
| n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 | Cross-Site Scripting (XSS) is present on the ctl00_Content01_fieldValue parameters on the /psp/appNet/TemplateOrder/TemplatePreview.aspx endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. User-supplied input is stored and later rendered in HTML pages without proper output encoding or sanitization. This allows attackers to persistently inject arbitrary JavaScript that executes in the context of other users' sessions | 2026-01-08 | not yet calculated | CVE-2025-61550 | https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61550 |
| n/a--Employee Leave Management System v.2.1 | Cross Site Request Forgery vulnerability in Employee Leave Management System v.2.1 allows a remote attacker to escalate privileges via the manage-employee.php component | 2026-01-05 | not yet calculated | CVE-2025-67315 | https://phpgurukul.com/employee-leaves-management-system-elms/ https://github.com/r-pradyun/CVE-2025-67315 |
| n/a--evershop 2.1.0 | A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern tiles during the processing of SVG files, resulting in unbounded resource consumption and system-wide denial of service. | 2026-01-05 | not yet calculated | CVE-2025-67419 | https://github.com/evershopcommerce/evershop https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67419 |
| n/a--evershop 2.1.0 | A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks. | 2026-01-05 | not yet calculated | CVE-2025-67427 | https://github.com/evershopcommerce/evershop https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67427 |
| n/a--fast-filesystem-mcp version 3.4.0 | fast-filesystem-mcp version 3.4.0 contains a critical path traversal vulnerability in its file operation tools including fast_read_file. This vulnerability arises from improper path validation that fails to resolve symbolic links to their actual physical paths. The safePath and isPathAllowed functions use path.resolve() which does not handle symlinks, allowing attackers to bypass directory access restrictions by creating symlinks within allowed directories that point to restricted system paths. When these symlinks are accessed through valid path references, the validation checks are circumvented, enabling access to unauthorized files. | 2026-01-07 | not yet calculated | CVE-2025-67364 | https://github.com/efforthye/fast-filesystem-mcp/issues/10 https://github.com/efforthye/fast-filesystem-mcp |
| n/a--fluidsynth-2.4.6 and earlier versions | fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file. | 2026-01-09 | not yet calculated | CVE-2025-56225 | https://github.com/FluidSynth/fluidsynth/issues/1602 https://github.com/FluidSynth/fluidsynth/pull/1607 |
| n/a--Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 | The LuCI web interface on Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerable. Fix available in version 4.8.2 GL.Inet AX1800 Version 4.6.4 & 4.6.8 lacks rate limiting or account lockout mechanisms on the authentication endpoint (`/cgi-bin/luci`). An unauthenticated attacker on the local network can perform unlimited password attempts against the admin interface. | 2026-01-08 | not yet calculated | CVE-2025-67090 | https://www.gl-inet.com/security/ https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51 |
| n/a--GL-iNet GL-AXT1800 router firmware v4.6.8 | A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize user input in package names. Authenticated attackers can exploit this to execute arbitrary commands with root privileges | 2026-01-08 | not yet calculated | CVE-2025-67089 | https://www.gl-inet.com/security-updates/ https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub |
| n/a--H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point | An issue in H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point, there is a misconfiguration vulnerability about vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol is automatically owned by the root user and remote attackers could gain root-level control over the devices. | 2026-01-06 | not yet calculated | CVE-2025-60262 | https://www.notion.so/23e54a1113e780d686fbe1624ee0465d https://www.notion.so/Misconfiguration-in-H3C-23e54a1113e780d686fbe1624ee0465d |
| n/a--Hero Motocorp Vida V1 Pro 2.0.7 | An issue in Hero Motocorp Vida V1 Pro 2.0.7 allows a local attacker to cause a denial of service via the BLE component | 2026-01-09 | not yet calculated | CVE-2025-67133 | http://hero.com http://vida.com https://threadpoolx.gitbook.io/docs/cve/cve-2025-67133-denial-of-service-via-unauthenticated-ble-connection |
| n/a--indieka900 online-shopping-system-php 1.0 | indieka900 online-shopping-system-php 1.0 is vulnerable to SQL Injection in master/review_action.php via the proId parameter. | 2026-01-08 | not yet calculated | CVE-2025-61246 | https://github.com/hackergovind/CVE-2025-61246 |
| n/a--Insiders Technologies GmbH e-invoice pro before release 1 | An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script | 2026-01-08 | not yet calculated | CVE-2025-56424 | https://insiders-technologies.com/en/e-invoice/ https://mind-bytes.de/xml-external-entity-xxe-injection-in-e-invoice-pro-cve-2025-56424/ |
| n/a--Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T | A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change the admin password and gain full access to the administrative panel. | 2026-01-09 | not yet calculated | CVE-2025-67070 | https://github.com/teteco/intelbras-cftv-admin-bypass |
| n/a--JimuReport thru version 2.1.3 | JimuReport thru version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver, allowing the use of certain directives to execute arbitrary Java code. A different vulnerability than CVE-2025-10770. | 2026-01-08 | not yet calculated | CVE-2025-66913 | https://github.com/jeecgboot/jimureport/issues/4306 https://gist.github.com/Catherines77/f15d53e9705b24cf018e5bffed3e8234 |
| n/a--KAYSUS KS-WR1200 routers with firmware 107 | KAYSUS KS-WR1200 routers with firmware 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change the hardcoded password. (Changing the management GUI password does not affect SSH/TELNET authentication.) Any LAN-adjacent attacker can trivially log in with root privileges. | 2026-01-08 | not yet calculated | CVE-2025-68718 | https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html https://github.com/actuator/cve/tree/main/KAYSUS https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68718.txt |
| n/a--KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 | KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges. | 2026-01-08 | not yet calculated | CVE-2025-68716 | https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html https://github.com/actuator/cve/tree/main/KAYSUS https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68716.txt |
| n/a--KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 | KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw lets attackers piggyback on another user's active session to retrieve sensitive configuration data or execute privileged actions without authentication. | 2026-01-08 | not yet calculated | CVE-2025-68717 | https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html https://github.com/actuator/cve/tree/main/KAYSUS https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68717.txt |
| n/a--KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 | KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, enabling credential recovery and potential full compromise of the device. | 2026-01-08 | not yet calculated | CVE-2025-68719 | https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html https://github.com/actuator/cve/tree/main/KAYSUS https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68719.txt |
| n/a--Mega-Fence (webgate-lib.*) 25.1.914 and prior | Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant state (e.g., WG_CLIENT_IP cookie). Deployments that rely on this value for IP allowlists may be bypassed. | 2026-01-05 | not yet calculated | CVE-2025-65328 | https://drive.proton.me/urls/MY05PVBFXG#xDd2Xqy98WM9 https://raw.githubusercontent.com/p1aintext/CVE/main/CVE-2025-65328.md |
| n/a--Nitro PDF Pro for Windows before 14.42.0.34. | An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34. In certain cases, it displays signer information from a non-verified PDF field rather than from the verified certificate subject. This could allow a document to present inconsistent signer details. The display logic was updated to ensure signer information consistently reflects the verified certificate identity. | 2026-01-08 | not yet calculated | CVE-2025-67825 | https://gonitro.com https://www.gonitro.com/documentation/release-notes |
| n/a--NJHYST HY511 POE core before 2.1 and plugins before 0.1. | An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page. | 2026-01-06 | not yet calculated | CVE-2025-65212 | https://github.com/a2148001284/test1/blob/main/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E5%90%8E%E5%8F%B0%E6%BC%8F%E6%B4%9EEN.md https://gist.github.com/a2148001284/bcdda75fc8718454f16a7b9259463719 |
| n/a--OpenAirInterface CN5G AMF<=v2.0.1 | OpenAirInterface CN5G AMF<=v2.0.1 There is a logical error when processing JSON format requests. Unauthorized remote attackers can send malicious JSON data to AMF's SBI interface to launch a denial-of-service attack. | 2026-01-07 | not yet calculated | CVE-2025-66786 | https://github.com/swallele/Vulnerability/blob/main/Openairinterface/Dos/Json_Dos.md |
| n/a--OpenAirInterface CN5G AMF<=v2.1.9 | OpenAirInterface CN5G AMF<=v2.1.9 has a buffer overflow vulnerability in processing NAS messages. Unauthorized remote attackers can launch a denial-of-service attack and potentially execute malicious code by accessing port N1 and sending an imsi string longer than 1000 to AMF. | 2026-01-07 | not yet calculated | CVE-2025-65805 | https://github.com/swallele/Vulnerability/blob/main/Openairinterface/Buffer_Overflow/Vulnerability_Report.md |
| n/a--Panda Wireless PWRU0 devices with firmware 2.2.9 | An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modify WAN, LAN, and wireless settings directly, leading to privilege escalation and denial of service. | 2026-01-08 | not yet calculated | CVE-2025-68715 | https://github.com/actuator/cve/tree/main/PandaWireless https://github.com/actuator/cve/blob/main/PandaWireless/CVE-2025-68715.txt |
| n/a--Passy v.1.6.3 | An issue in Passy v.1.6.3 allows a remote authenticated attacker to execute arbitrary commands via a crafted HTTP request using a specific payload injection. | 2026-01-05 | not yet calculated | CVE-2025-67397 | https://www.passy.it/ https://github.com/giulioschiavone/Vulnerability-Research/tree/main/CVE-2025-67397 |
| n/a--Perch CMS version 3.2 | A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the "Help button url" setting within the admin panel. The injected payload is stored and executed when any authenticated user clicks the Help button, potentially leading to session hijacking, information disclosure, privilege escalation, and unauthorized administrative actions. | 2026-01-07 | not yet calculated | CVE-2025-66686 | https://github.com/mertdurum06/Perch-v3.2 https://github.com/mertdurum06/Perch-v3.2/blob/main/Perch%20v3.2_Poc.txt |
| n/a--phpgurukul Hostel Management System v2.1 | Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). When an administrator opens the complaint, injected HTML/JavaScript executes in the admin's browser. | 2026-01-08 | not yet calculated | CVE-2025-63611 | https://phpgurukul.com/hostel-management-system/ https://medium.com/@tanushkushtk01/cve-2025-63611-stored-cross-site-scripting-xss-in-hostel-management-system-v2-1-a23c2efc86ea |
| n/a--Plesk Obsidian versions 8.0.1 through 18.0.73 | Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance. | 2026-01-08 | not yet calculated | CVE-2025-65518 | http://plesk.com https://github.com/Jainil-89/CVE-2025-65518/blob/main/cve.md https://docs.plesk.com/release-notes/obsidian/change-log/ |
| n/a--pss.sale.com 1.0 | SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancel_order.php endpoint. | 2026-01-09 | not yet calculated | CVE-2025-51626 | https://gitee.com/XiaoLiuChu/pss.sale.com/tree/master https://gist.github.com/hnking-star/17d4c9c990c2324ef109fecb4fc4630c |
| n/a--QloApps versions 1.7.0 and earlier | Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execution. | 2026-01-08 | not yet calculated | CVE-2025-67325 | https://github.com/Qloapps/QloApps https://github.com/mr7s3d0/CVE-2025-67325 |
| n/a--RuoYi-Vue-Plus versions 5.5.1 and earlier | The snailjob component in RuoYi-Vue-Plus versions 5.5.1 and earlier, interface /snail-job/workflow/check-node-expression can execute QLExpress expressions, but it does not filter user input, allowing attackers to use the File class to perform arbitrary file reading and writing. | 2026-01-08 | not yet calculated | CVE-2025-66916 | https://gitee.com/dromara/RuoYi-Vue-Plus https://github.com/Catherines77/code-au/blob/main/ruoyi-vue-plus/QLExpress.md https://gist.github.com/Catherines77/e3f06b9c4cc6298579e858088a243c3d |
| n/a--Samsung Magician 6.3.0 through 8.3.2 on Windows | An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges. | 2026-01-05 | not yet calculated | CVE-2025-57836 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-57836/ |
| n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 | An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in an out-of-bounds access, leading to a denial of service. | 2026-01-05 | not yet calculated | CVE-2025-52515 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52515/ |
| n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 | An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. An invalid kernel address dereference in the issimian device driver leads to a denial of service. | 2026-01-05 | not yet calculated | CVE-2025-52516 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52516/ |
| n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 | An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in a double free, leading to a denial of service. | 2026-01-05 | not yet calculated | CVE-2025-52517 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52517/ |
| n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 | An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, and 2500. Improper validation of user-space input in the issimian device driver leads to information disclosure and a denial of service. | 2026-01-05 | not yet calculated | CVE-2025-52519 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52519/ |
| n/a--Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580 | An issue was discovered in the WiFi driver in Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580. Mishandling of an NL80211 vendor command leads to a buffer overflow. | 2026-01-05 | not yet calculated | CVE-2025-49495 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-49495/ |
| n/a--Samsung Mobile Processor Exynos 1380, 1480, 2400, and 1580 | An issue was discovered in Samsung Mobile Processor Exynos 1380, 1480, 2400, and 1580. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow during handling of an IOCTL message. | 2026-01-05 | not yet calculated | CVE-2025-53966 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-53966/ |
| n/a--Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. The lack of a length check leads to out-of-bounds writes via malformed NAS packets. | 2026-01-05 | not yet calculated | CVE-2025-27807 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-27807/ |
| n/a--Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400 | An issue was discovered in L2 in c. Incorrect handling of RRC packets leads to a Denial of Service. | 2026-01-05 | not yet calculated | CVE-2025-43706 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-43706/ |
| n/a--shiori v1.7.4 | A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack. | 2026-01-09 | not yet calculated | CVE-2025-60538 | https://github.com/go-shiori/shiori https://github.com/go-shiori/shiori/issues/1138 |
| n/a--sonirico mcp-shell v0.3.1 | A command injection vulnerability in the shell_exec function of sonirico mcp-shell v0.3.1 allows attackers to execute arbitrary commands via supplying a crafted command string. | 2026-01-07 | not yet calculated | CVE-2025-61489 | https://github.com/sonirico/mcp-shell https://github.com/sonirico/mcp-shell/issues/4 |
| n/a--Technitium DNS Server v.13.5 | An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-limiting component | 2026-01-08 | not yet calculated | CVE-2025-50334 | https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md http://technitium.com https://github.com/TechnitiumSoftware/DnsServer/blob/v13.3/DnsServerCore/Dns/DnsServer.cs https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-50334 https://github.com/TechnitiumSoftware/DnsServer/commit/7229b217238213cc6275eea68a7e17d73df1603e |
| n/a--terminal-controller-mcp 0.1.7 | A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input. | 2026-01-07 | not yet calculated | CVE-2025-61492 | https://github.com/cfdude/super-shell-mcp/issues/19 https://github.com/GongRzhe/terminal-controller-mcp https://github.com/GongRzhe/terminal-controller-mcp/issues/7 |
| n/a--TIM BPM Suite/ TIM FLOW through 9.1.2 | In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Authorization Bypass vulnerabilities exists which allow a low privileged user to download password hashes of other user, access work items of other user, modify restricted content in workflows, modify the applications logo and manipulate the profile of other user. | 2026-01-09 | not yet calculated | CVE-2025-67282 | https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ |
| n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 | An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via a crafted HTTP request | 2026-01-09 | not yet calculated | CVE-2025-67278 | https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ |
| n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 | An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via the application stores password hashes in MD5 format | 2026-01-09 | not yet calculated | CVE-2025-67279 | https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ |
| n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 | In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user. | 2026-01-09 | not yet calculated | CVE-2025-67280 | https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ |
| n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 | In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple SQL injection vulnerabilities exists which allow a low privileged and administrative user to access the database and its content. | 2026-01-09 | not yet calculated | CVE-2025-67281 | https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ |
| n/a--Yonyou YonBIP v3 and before | In Yonyou YonBIP v3 and before, the LoginWithV8 interface in the series data application service system is vulnerable to path traversal, allowing unauthorized access to sensitive information within the system | 2026-01-09 | not yet calculated | CVE-2025-66744 | https://github.com/iSee857/YonYouBip-path-travel |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, an out-of-bounds heap read vulnerability in cryptography_encrypt() occurs when parsing JSON metadata from KMC server responses. The flawed strtok iteration pattern uses ptr + strlen(ptr) + 1 which reads one byte past allocated buffer boundaries when processing short or malformed metadata strings. This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-21900 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-4g6v-36fv-qcvw https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, there is an out-of-bounds heap read vulnerability in cryptography_aead_encrypt(). This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-22023 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-8w3h-q8jm-3chq https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the cryptography_encrypt() function allocates multiple buffers for HTTP requests and JSON parsing that are never freed on any code path. Each call leaks approximately 400 bytes of memory. Sustained traffic can gradually exhaust available memory. This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-22024 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-r3wg-g8xv-gxvf https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, when the KMC server returns a non-200 HTTP status code, cryptography_encrypt() and cryptography_decrypt() return immediately without freeing previously allocated buffers. Each failed request leaks approximately 467 bytes. Repeated failures (from a malicious server or network issues) can gradually exhaust memory. This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-22025 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-h74x-vwwr-mm5g https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the libcurl write_callback function in the KMC crypto service client allows unbounded memory growth by reallocating response buffers without any size limit or overflow check. A malicious KMC server can return arbitrarily large HTTP responses, forcing the client to allocate excessive memory until the process is terminated by the OS. This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-22026 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-w9cm-q69w-34x7 https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the convert_hexstring_to_byte_array() function in the MariaDB SA interface writes decoded bytes into a caller-provided buffer without any capacity check. When importing SA fields from the database (e.g., IV, ARSN, ABM), a malformed or oversized hex string in the database can overflow the destination buffer, corrupting adjacent heap memory. This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-22027 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-3m35-m689-h29x https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| Nokia--SR Linux | Nokia SR Linux is vulnerable to an authentication vulnerability allowing unauthorized access to the JSON-RPC service. When exploited, an invalid validation allows JSON RPC access without providing valid authentication credentials. | 2026-01-07 | not yet calculated | CVE-2025-0980 | Nokia Product Security Advisory |
| Noor Alam--Easy Media Download | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection.This issue affects Easy Media Download: from n/a through <= 1.1.11. | 2026-01-08 | not yet calculated | CVE-2025-69169 | https://vdp.patchstack.com/database/Wordpress/Plugin/easy-media-download/vulnerability/wordpress-easy-media-download-plugin-1-1-11-css-injection-vulnerability?_s_id=cve |
| Open Microscopy Environment--Bio-Formats | Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing. | 2026-01-07 | not yet calculated | CVE-2026-22186 | https://seclists.org/fulldisclosure/2026/Jan/6 https://docs.openmicroscopy.org/bio-formats/ https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser |
| Open Microscopy Environment--Bio-Formats | Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath. | 2026-01-07 | not yet calculated | CVE-2026-22187 | https://seclists.org/fulldisclosure/2026/Jan/7 https://docs.openmicroscopy.org/bio-formats/ https://www.vulncheck.com/advisories/bio-formats-memoizer-unsafe-deserialization-via-bfmemo-cache-files |
| open-metadata--OpenMetadata | OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch. | 2026-01-08 | not yet calculated | CVE-2026-22244 | https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7 https://github.com/open-metadata/OpenMetadata/commit/bffe7c45807763f9b682021d4211c478d2a08bb3 |
| OpenFlagr--Flagr | OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data. | 2026-01-07 | not yet calculated | CVE-2026-0650 | https://github.com/openflagr/flagr/releases/tag/1.1.19 https://dreyand.rs/code%20review/golang/2026/01/03/0day-speedrun-openflagr-less-1118-authentication-bypass https://www.vulncheck.com/advisories/openflagr-authentication-bypass-via-prefix-whitelist-path-normalization |
| OpenLDAP Foundation--OpenLDAP | OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition. | 2026-01-07 | not yet calculated | CVE-2026-22185 | https://seclists.org/fulldisclosure/2026/Jan/5 https://seclists.org/fulldisclosure/2026/Jan/8 https://www.openldap.org/ https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline https://bugs.openldap.org/show_bug.cgi?id=10421 |
| opf--openproject | OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary path and sending a test email. This issue has been patched in version 16.6.2. | 2026-01-10 | not yet calculated | CVE-2026-22601 | https://github.com/opf/openproject/security/advisories/GHSA-9vrv-7h26-c7jc https://github.com/opf/openproject/releases/tag/v16.6.2 |
| opf--openproject | OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject's unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker who can guess or enumerate user IDs can send unlimited password-change requests for a given account without triggering lockout or other rate-limiting controls. This allows automated password-guessing (e.g., with wordlists of common passwords) against valid accounts. Successful guessing results in full account compromise for the targeted user and, depending on that user's role, can lead to further privilege escalation inside the application. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually. | 2026-01-10 | not yet calculated | CVE-2026-22603 | https://github.com/opf/openproject/security/advisories/GHSA-93x5-prx9-x239 https://github.com/opf/openproject/pull/21272 https://github.com/opf/openproject/commit/2b394b9ba5af1e5d96a64d7d452d4d44598a4c7f https://github.com/opf/openproject/releases/tag/v16.6.2 |
| opf--openproject | OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoint is intended to be called without being authenticated, this allows to enumerate the user names of all accounts registered in an OpenProject instance. This issue has been patched in version 16.6.2. | 2026-01-10 | not yet calculated | CVE-2026-22604 | https://github.com/opf/openproject/security/advisories/GHSA-q7qp-p3vw-j2fh https://github.com/opf/openproject/pull/3451 https://github.com/opf/openproject/commit/2cff5e98649e32a197a62659a23dd4b864b7855b https://github.com/opf/openproject/releases/tag/v16.6.2 |
| pallets--werkzeug | Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON. This issue has been patched in version 3.1.5. | 2026-01-08 | not yet calculated | CVE-2026-21860 | https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7 https://github.com/pallets/werkzeug/commit/7ae1d254e04a0c33e241ac1cca4783ce6c875ca3 |
| Panda3D--Panda3D | Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a large number of command-line arguments can exhaust stack space and propagate uninitialized stack memory into Python interpreter initialization, resulting in a reliable crash and undefined behavior. | 2026-01-07 | not yet calculated | CVE-2026-22188 | https://seclists.org/fulldisclosure/2026/Jan/9 https://www.panda3d.org/ https://github.com/panda3d/panda3d https://www.vulncheck.com/advisories/panda3d-deploy-stub-stack-exhaustion-via-unbounded-alloca |
| Panda3D--Panda3D | Panda3D versions up to and including 1.10.16 egg-mkfont contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution. | 2026-01-07 | not yet calculated | CVE-2026-22189 | https://seclists.org/fulldisclosure/2026/Jan/10 https://www.panda3d.org/ https://github.com/panda3d/panda3d https://www.vulncheck.com/advisories/panda3d-egg-mkfont-stack-buffer-overflow |
| Panda3D--Panda3D | Panda3D versions up to and including 1.10.16 egg-mkfont contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values. | 2026-01-07 | not yet calculated | CVE-2026-22190 | https://seclists.org/fulldisclosure/2026/Jan/11 https://www.panda3d.org/ https://github.com/panda3d/panda3d https://www.vulncheck.com/advisories/panda3d-egg-mkfont-format-string-information-disclosure |
| parallax--jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds areavailable. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF. | 2026-01-05 | not yet calculated | CVE-2025-68428 | https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2 https://github.com/parallax/jsPDF/commit/a688c8f479929b24a6543b1fa2d6364abb03066d https://github.com/parallax/jsPDF/releases/tag/v4.0.0 |
| Pinpoll--Pinpoll | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pinpoll Pinpoll pinpoll allows Reflected XSS.This issue affects Pinpoll: from n/a through <= 4.0.0. | 2026-01-08 | not yet calculated | CVE-2025-68889 | https://vdp.patchstack.com/database/Wordpress/Plugin/pinpoll/vulnerability/wordpress-pinpoll-plugin-3-0-22-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PIONEER CORPORATION--USB DAC Amplifier APS-DA101JS | The installers for multiple products provided by PIONEER CORPORATION contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privileges of the running installer. | 2026-01-08 | not yet calculated | CVE-2026-21427 | https://jpn.pioneer/ja/support/software/stellanova/dac_driver/ https://jvn.jp/en/jp/JVN17956874/ |
| Plat'Home Co.,Ltd.--OpenBlocks IoT DX1 (FW5.0.x) | Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password. | 2026-01-06 | not yet calculated | CVE-2026-21411 | https://www.plathome.co.jp/support/software/fw5/dx1-v5-0-8/ https://jvn.jp/en/vu/JVNVU97172240/ |
| POSIMYTH--UiChemy | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH UiChemy uichemy allows Stored XSS.This issue affects UiChemy: from n/a through <= 4.4.2. | 2026-01-06 | not yet calculated | CVE-2025-69362 | https://vdp.patchstack.com/database/Wordpress/Plugin/uichemy/vulnerability/wordpress-uichemy-plugin-4-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| preactjs--preact | Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade. Validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP). | 2026-01-08 | not yet calculated | CVE-2026-22028 | https://github.com/preactjs/preact/security/advisories/GHSA-36hm-qxxp-pg3m |
| Proxy & VPN Blocker--Proxy & VPN Blocker | Missing Authorization vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Proxy & VPN Blocker: from n/a through <= 3.5.3. | 2026-01-06 | not yet calculated | CVE-2025-69353 | https://vdp.patchstack.com/database/Wordpress/Plugin/proxy-vpn-blocker/vulnerability/wordpress-proxy-vpn-blocker-plugin-3-5-3-broken-access-control-vulnerability?_s_id=cve |
| pterodactyl--panel | Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0. | 2026-01-06 | not yet calculated | CVE-2025-68954 | https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5 https://github.com/pterodactyl/panel/releases/tag/v1.12.0 |
| PublishPress--Post Expirator | Missing Authorization vulnerability in PublishPress Post Expirator post-expirator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Expirator: from n/a through <= 4.9.3. | 2026-01-06 | not yet calculated | CVE-2025-69361 | https://vdp.patchstack.com/database/Wordpress/Plugin/post-expirator/vulnerability/wordpress-post-expirator-plugin-4-9-3-broken-access-control-vulnerability?_s_id=cve |
| purethemes--Listeo Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.This issue affects Listeo Core: from n/a through < 2.0.19. | 2026-01-08 | not yet calculated | CVE-2025-67932 | https://vdp.patchstack.com/database/Wordpress/Plugin/listeo-core/vulnerability/wordpress-listeo-core-plugin-2-0-19-cross-site-scripting-xss-vulnerability?_s_id=cve |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0. | 2026-01-10 | not yet calculated | CVE-2026-22690 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-4xc4-762w-m6cg https://github.com/py-pdf/pypdf/pull/3594 https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45 https://github.com/py-pdf/pypdf/releases/tag/6.6.0 |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0. | 2026-01-10 | not yet calculated | CVE-2026-22691 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-4f6g-68pf-7vhv https://github.com/py-pdf/pypdf/pull/3594 https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45 https://github.com/py-pdf/pypdf/releases/tag/6.6.0 |
| QantumThemes--Typify | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Typify typify allows PHP Local File Inclusion.This issue affects Typify: from n/a through <= 3.0.2. | 2026-01-08 | not yet calculated | CVE-2025-22712 | https://vdp.patchstack.com/database/Wordpress/Theme/typify/vulnerability/wordpress-typify-theme-3-0-2-local-file-inclusion-vulnerability?_s_id=cve |
| redaxo--redaxo | REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue. | 2026-01-07 | not yet calculated | CVE-2026-21857 | https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv https://github.com/redaxo/redaxo/releases/tag/5.20.2 |
| rezmoss--axios4go | axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue. | 2026-01-07 | not yet calculated | CVE-2026-21697 | https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47 https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842 https://github.com/rezmoss/axios4go/releases/tag/v0.6.4 |
| RiceTheme--Felan Framework | Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse.This issue affects Felan Framework: from n/a through <= 1.1.3. | 2026-01-08 | not yet calculated | CVE-2025-23504 | https://vdp.patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-account-takeover-vulnerability?_s_id=cve |
| RiceTheme--Felan Framework | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RiceTheme Felan Framework felan-framework allows SQL Injection.This issue affects Felan Framework: from n/a through <= 1.1.3. | 2026-01-08 | not yet calculated | CVE-2025-23993 | https://vdp.patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-sql-injection-vulnerability?_s_id=cve |
| Ricoh Company, Ltd.--RICOH Streamline NX | Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved. | 2026-01-09 | not yet calculated | CVE-2026-21409 | https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000011 https://jvn.jp/en/jp/JVN12770174/ |
| RUCKUS Networks--vRIoT IOT Controller | The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise. | 2026-01-09 | not yet calculated | CVE-2025-69426 | https://support.ruckuswireless.com/security_bulletins/336 https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-ssh-credentials-rce |
| RUCKUS Networks--vRIoT IoT Controller | The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise. | 2026-01-09 | not yet calculated | CVE-2025-69425 | https://support.ruckuswireless.com/security_bulletins/336 https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-tokens-rce |
| RustCrypto--elliptic-curves | RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778. | 2026-01-10 | not yet calculated | CVE-2026-22698 | https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-w3g8-fp6j-wvqw https://github.com/RustCrypto/elliptic-curves/pull/1600 https://github.com/RustCrypto/elliptic-curves/commit/4781762f23ff22ab34763410f648128055c93731 https://github.com/RustCrypto/elliptic-curves/commit/e4f77788130d065d760e57fb109370827110a525 https://crates.io/crates/sm2/0.14.0-pre.0 https://crates.io/crates/sm2/0.14.0-rc.0 |
| RustCrypto--RSA | The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue. | 2026-01-08 | not yet calculated | CVE-2026-21895 | https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26 https://github.com/RustCrypto/RSA/commit/2926c91bef7cb14a7ccd42220a698cf4b1b692f7 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal vulnerability in the /rustfs/rpc/read_file_stream endpoint. This issue has been patched in version 1.0.0-alpha.79. | 2026-01-07 | not yet calculated | CVE-2025-68705 | https://github.com/rustfs/rustfs/security/advisories/GHSA-pq29-69jg-9mxc https://github.com/rustfs/rustfs/commit/ab752458ce431c6397175d167beee2ea00507d3e |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. This issue has been patched in version 1.0.0-alpha.78. | 2026-01-07 | not yet calculated | CVE-2025-69255 | https://github.com/rustfs/rustfs/security/advisories/GHSA-gw2x-q739-qhcr https://github.com/rustfs/rustfs/commit/eb33e82b56ed11fd12bb39416359d8d60737dc7a |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation. Version 1.0.0-alpha.79 fixes the issue. | 2026-01-08 | not yet calculated | CVE-2026-22042 | https://github.com/rustfs/rustfs/security/advisories/GHSA-vcwh-pff9-64cc |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent's full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue. | 2026-01-08 | not yet calculated | CVE-2026-22043 | https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9 |
| Ryan Sutana--WP App Bar | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Sutana WP App Bar wp-app-bar allows Reflected XSS.This issue affects WP App Bar: from n/a through <= 1.5. | 2026-01-08 | not yet calculated | CVE-2025-68891 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-app-bar/vulnerability/wordpress-wp-app-bar-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Salesforce--Uni2TS | Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files.This issue affects Uni2TS: through 1.2.0. | 2026-01-09 | not yet calculated | CVE-2026-22584 | https://help.salesforce.com/s/articleView?id=005239354&type=1 |
| Samsung Mobile--Galaxy Store | Improper input validation in Galaxy Store prior to version 4.6.02 allows local attacker to execute arbitrary script. | 2026-01-09 | not yet calculated | CVE-2026-20976 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Cloud | Improper handling of insufficient permission in Samsung Cloud prior to version 5.6.11 allows local attackers to access specific files in arbitrary path. | 2026-01-09 | not yet calculated | CVE-2026-20975 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Use after free in DualDAR prior to SMR Jan-2026 Release 1 allows local privileged attackers to execute arbitrary code. | 2026-01-09 | not yet calculated | CVE-2026-20968 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in SecSettings prior to SMR Jan-2026 Release 1 allows local attacker to access file with system privilege. User interaction is required for triggering this vulnerability. | 2026-01-09 | not yet calculated | CVE-2026-20969 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in SLocation prior to SMR Jan-2026 Release 1 allows local attackers to execute the privileged APIs. | 2026-01-09 | not yet calculated | CVE-2026-20970 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Use After Free in PROCA driver prior to SMR Jan-2026 Release 1 allows local attackers to potentially execute arbitrary code. | 2026-01-09 | not yet calculated | CVE-2026-20971 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Improper Export of Android Application Components in UwbTest prior to SMR Jan-2026 Release 1 allows local attackers to enable UWB. | 2026-01-09 | not yet calculated | CVE-2026-20972 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in data related to network restrictions prior to SMR Jan-2026 Release 1 allows physical attackers to bypass Carrier Relock. | 2026-01-09 | not yet calculated | CVE-2026-20974 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Shahjada--Visitor Stats Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Visitor Stats Widget visitor-stats-widget allows Reflected XSS.This issue affects Visitor Stats Widget: from n/a through <= 1.5.0. | 2026-01-08 | not yet calculated | CVE-2025-68874 | https://vdp.patchstack.com/database/Wordpress/Plugin/visitor-stats-widget/vulnerability/wordpress-visitor-stats-widget-plugin-1-5-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Shahjahan Jewel--Fluent Support | Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fluent Support: from n/a through <= 1.10.4. | 2026-01-08 | not yet calculated | CVE-2025-67926 | https://vdp.patchstack.com/database/Wordpress/Plugin/fluent-support/vulnerability/wordpress-fluent-support-plugin-1-10-4-broken-access-control-vulnerability?_s_id=cve |
| Shahjahan Jewel--Ninja Tables | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4. | 2026-01-06 | not yet calculated | CVE-2025-69351 | https://vdp.patchstack.com/database/Wordpress/Plugin/ninja-tables/vulnerability/wordpress-ninja-tables-plugin-5-2-4-sql-injection-vulnerability?_s_id=cve |
| shinetheme--Traveler | Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Traveler: from n/a through <= 3.2.6. | 2026-01-08 | not yet calculated | CVE-2025-67917 | https://vdp.patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-broken-access-control-vulnerability-2?_s_id=cve |
| silabs.com--Z-Wave Protocol Controller | An integer underflow vulnerability in the Silicon Labs Z-Wave Protocol Controller can lead to out of bounds memory reads. | 2026-01-05 | not yet calculated | CVE-2025-10933 | https://community.silabs.com/068Vm00000a4nNI |
| sizam--REHub Framework | Missing Authorization vulnerability in sizam REHub Framework rehub-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects REHub Framework: from n/a through <= 19.9.5. | 2026-01-08 | not yet calculated | CVE-2025-14358 | https://vdp.patchstack.com/database/Wordpress/Plugin/rehub-framework/vulnerability/wordpress-rehub-framework-plugin-19-9-5-broken-access-control-vulnerability?_s_id=cve |
| Spencer Haws--Link Whisper Free | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper Free: from n/a through <= 0.8.8. | 2026-01-08 | not yet calculated | CVE-2025-67927 | https://vdp.patchstack.com/database/Wordpress/Plugin/link-whisper/vulnerability/wordpress-link-whisper-free-plugin-0-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| StellarWP--The Events Calendar | Missing Authorization vulnerability in StellarWP The Events Calendar the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar: from n/a through <= 6.15.12.2. | 2026-01-06 | not yet calculated | CVE-2025-69352 | https://vdp.patchstack.com/database/Wordpress/Plugin/the-events-calendar/vulnerability/wordpress-the-events-calendar-plugin-6-15-12-2-broken-access-control-vulnerability?_s_id=cve |
| taskbuilder--Taskbuilder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in taskbuilder Taskbuilder taskbuilder allows Reflected XSS.This issue affects Taskbuilder: from n/a through <= 4.0.9. | 2026-01-08 | not yet calculated | CVE-2025-67933 | https://vdp.patchstack.com/database/Wordpress/Plugin/taskbuilder/vulnerability/wordpress-taskbuilder-plugin-4-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TECNO Mobile--com.afmobi.boomplayer | Insufficient Verification of Data Authenticity vulnerability in TECNO Mobile com.Afmobi.Boomplayer allows Authentication Bypass.This issue affects com.Afmobi.Boomplayer: 7.4.63. | 2026-01-06 | not yet calculated | CVE-2025-15385 | https://security.tecno.com/SRC/securityUpdates |
| Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router | This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. | 2026-01-09 | not yet calculated | CVE-2026-22079 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004 |
| Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router | This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the Base64-encoded credentials. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. | 2026-01-09 | not yet calculated | CVE-2026-22080 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004 |
| Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router | This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote at-tacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unau-thorized access to the targeted device. | 2026-01-09 | not yet calculated | CVE-2026-22081 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004 |
| Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router | This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission. Successful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device. | 2026-01-09 | not yet calculated | CVE-2026-22082 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004 |
| The Wikimedia Foundation--Mediawiki - ApprovedRevs Extension | Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-09 | not yet calculated | CVE-2026-22712 | https://phabricator.wikimedia.org/T412068 https://gerrit.wikimedia.org/r/q/Iee1bf1cbc8a519899e7f9dde508856bd4e5a5d2a |
| The Wikimedia Foundation--Mediawiki - GrowthExperiments Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-09 | not yet calculated | CVE-2026-22713 | https://phabricator.wikimedia.org/T411144 https://gerrit.wikimedia.org/r/q/Iff01940a163ed87ec52f3a64ba6b2dbfa2759df3 |
| The Wikimedia Foundation--Mediawiki - Monaco Skin | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39. | 2026-01-08 | not yet calculated | CVE-2026-22714 | https://phabricator.wikimedia.org/T411126 https://gerrit.wikimedia.org/r/q/I00b2e369fa189803380ca7409022a11b670d2500 |
| The Wikimedia Foundation--Mediawiki - Wikibase Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-08 | not yet calculated | CVE-2026-22710 | https://phabricator.wikimedia.org/T409737 https://gerrit.wikimedia.org/r/q/I39d0074b2ad022b6efe6ab3dd8c8ec0f86c6c466 |
| ThemeGoods--Grand Restaurant | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Reflected XSS.This issue affects Grand Restaurant: from n/a through < 7.0.9. | 2026-01-08 | not yet calculated | CVE-2025-67922 | https://vdp.patchstack.com/database/Wordpress/Theme/grandrestaurant/vulnerability/wordpress-grand-restaurant-theme-7-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| THEMELOGI--Navian | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in THEMELOGI Navian navian allows PHP Local File Inclusion.This issue affects Navian: from n/a through <= 1.5.4. | 2026-01-08 | not yet calculated | CVE-2025-14431 | https://vdp.patchstack.com/database/Wordpress/Theme/navian/vulnerability/wordpress-navian-theme-1-5-4-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeMove--AeroLand | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove AeroLand aeroland allows PHP Local File Inclusion.This issue affects AeroLand: from n/a through <= 1.6.6. | 2026-01-08 | not yet calculated | CVE-2025-14429 | https://vdp.patchstack.com/database/Wordpress/Theme/aeroland/vulnerability/wordpress-aeroland-theme-1-6-6-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeMove--Brook - Agency Business Creative | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook - Agency Business Creative brook allows PHP Local File Inclusion.This issue affects Brook - Agency Business Creative: from n/a through <= 2.8.9. | 2026-01-08 | not yet calculated | CVE-2025-14430 | https://vdp.patchstack.com/database/Wordpress/Theme/brook/vulnerability/wordpress-brook-agency-business-creative-theme-2-8-9-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeMove--Mitech | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Mitech mitech allows PHP Local File Inclusion.This issue affects Mitech: from n/a through <= 2.3.4. | 2026-01-08 | not yet calculated | CVE-2025-22708 | https://vdp.patchstack.com/database/Wordpress/Theme/mitech/vulnerability/wordpress-mitech-theme-2-3-4-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeMove--Moody | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Moody tm-moody allows PHP Local File Inclusion.This issue affects Moody: from n/a through <= 2.7.3. | 2026-01-08 | not yet calculated | CVE-2025-22707 | https://vdp.patchstack.com/database/Wordpress/Theme/tm-moody/vulnerability/wordpress-moody-theme-2-7-3-local-file-inclusion-vulnerability?_s_id=cve |
| Themepoints--Accordion | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Accordion accordions-wp allows Stored XSS.This issue affects Accordion: from n/a through <= 3.0.3. | 2026-01-06 | not yet calculated | CVE-2025-69350 | https://vdp.patchstack.com/database/Wordpress/Plugin/accordions-wp/vulnerability/wordpress-accordion-plugin-3-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Themepoints--Team Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS.This issue affects Team Showcase: from n/a through <= 2.9. | 2026-01-06 | not yet calculated | CVE-2025-69335 | https://vdp.patchstack.com/database/Wordpress/Plugin/team-showcase/vulnerability/wordpress-team-showcase-plugin-2-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| themesuite--Automotive Listings | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection.This issue affects Automotive Listings: from n/a through <= 18.6. | 2026-01-08 | not yet calculated | CVE-2025-67928 | https://vdp.patchstack.com/database/Wordpress/Plugin/automotive/vulnerability/wordpress-automotive-listings-plugin-18-6-sql-injection-vulnerability?_s_id=cve |
| Tickera--Tickera | Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.4. | 2026-01-06 | not yet calculated | CVE-2025-69355 | https://vdp.patchstack.com/database/Wordpress/Plugin/tickera-event-ticketing-system/vulnerability/wordpress-tickera-plugin-3-5-6-4-broken-access-control-vulnerability?_s_id=cve |
| TMRW-studio--Atlas | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TMRW-studio Atlas atlas allows PHP Local File Inclusion.This issue affects Atlas: from n/a through <= 2.1.0. | 2026-01-08 | not yet calculated | CVE-2025-22509 | https://vdp.patchstack.com/database/Wordpress/Theme/atlas/vulnerability/wordpress-atlas-theme-2-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| TP-Link Systems Inc.--Archer AXE75 v1.6 | Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server file, leading to possible loss of critical system files and service interruption or degraded functionality.This issue affects Archer AXE75 v1.6: ≤ build 20250107. | 2026-01-09 | not yet calculated | CVE-2025-15035 | https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/tree/master/2025/PANW-2025-0004 https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/jp/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/phppage/preview.php?url=https://www.tp-link.com/en/support/faq/4881/ |
| TP-Link Systems Inc.--Archer BE400 | A NULL Pointer Dereference vulnerability in TP-Link Archer BE400 V1(802.11 modules) allows an adjacent attacker to cause a denial-of-service (DoS) by triggering a device reboot. This issue affects Archer BE400: xi 1.1.0 Build 20250710 rel.14914. | 2026-01-07 | not yet calculated | CVE-2025-14631 | https://www.tp-link.com/en/support/download/archer-be400/v1/#Firmware https://www.tp-link.com/us/support/download/archer-be400/#Firmware https://www.tp-link.com/us/support/faq/4871/ |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7. | 2026-01-10 | not yet calculated | CVE-2026-22606 | https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66 https://github.com/trailofbits/fickling/releases/tag/v0.1.7 |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7. | 2026-01-10 | not yet calculated | CVE-2026-22607 | https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9 https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43 https://github.com/trailofbits/fickling/releases/tag/v0.1.7 |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still reports the file as LIKELY_SAFE. This issue has been patched in version 0.1.7. | 2026-01-10 | not yet calculated | CVE-2026-22608 | https://github.com/trailofbits/fickling/security/advisories/GHSA-5hvc-6wx8-mvv4 https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1 https://github.com/trailofbits/fickling/releases/tag/v0.1.7 |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. This issue has been patched in version 0.1.7. | 2026-01-10 | not yet calculated | CVE-2026-22609 | https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91 https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66 https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1 https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9 https://github.com/trailofbits/fickling/releases/tag/v0.1.7 |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, Fickling is vulnerable to detection bypass due to "builtins" blindness. This issue has been patched in version 0.1.7. | 2026-01-10 | not yet calculated | CVE-2026-22612 | https://github.com/trailofbits/fickling/security/advisories/GHSA-h4rm-mm56-xf63 https://github.com/trailofbits/fickling/commit/9f309ab834797f280cb5143a2f6f987579fa7cdf https://github.com/trailofbits/fickling/releases/tag/v0.1.7 |
| Tribulant Software--Newsletters | Deserialization of Untrusted Data vulnerability in Tribulant Software Newsletters newsletters-lite allows Object Injection.This issue affects Newsletters: from n/a through <= 4.11. | 2026-01-08 | not yet calculated | CVE-2025-67911 | https://vdp.patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-11-php-object-injection-vulnerability?_s_id=cve |
| TryGhost--Ghost | Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0. | 2026-01-10 | not yet calculated | CVE-2026-22597 | https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9 https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51 |
| Ubiquiti Inc--airMAX AC | A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: airMAX AC (Version 8.7.20 and earlier) airMAX M (Version 6.3.22 and earlier) airFiber AF60-XG (Version 1.2.2 and earlier) airFiber AF60 (Version 2.6.7 and earlier) Mitigation: Update your airMAX AC to Version 8.7.21 or later. Update your airMAX M to Version 6.3.24 or later. Update your airFiber AF60-XG to Version 1.2.3 or later. Update your airFiber AF60 to Version 2.6.8 or later. | 2026-01-08 | not yet calculated | CVE-2026-21639 | https://community.ui.com/releases/Security-Advisory-Bulletin-061-061/1e4fe5f8-29c7-4a7d-a518-01b1537983ba |
| Unknown--FlexTable | The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2026-01-05 | not yet calculated | CVE-2025-9543 | https://wpscan.com/vulnerability/6cc212f4-aa61-409a-b257-9c920956a401/ |
| Unknown--Frontend File Manager Plugin | The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter and ownership of the file, allowing any authenticated users, such as subscribers to delete arbitrary files on the server | 2026-01-07 | not yet calculated | CVE-2025-14804 | https://wpscan.com/vulnerability/c572c0ad-1b36-49ce-b254-2181e53abb46/ |
| Unknown--NEX-Forms | The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting. | 2026-01-09 | not yet calculated | CVE-2025-14803 | https://wpscan.com/vulnerability/219af0e7-3d8b-4405-8005-b8969a370b0b/ |
| Unknown--Relevanssi | The Relevanssi WordPress plugin before 4.26.0, Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks | 2026-01-07 | not yet calculated | CVE-2025-14719 | https://wpscan.com/vulnerability/bd8e27c7-8f97-4313-b16e-50ac6f0676f5/ |
| Unknown--Team | The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | 2026-01-05 | not yet calculated | CVE-2025-14124 | https://wpscan.com/vulnerability/fdd19027-b70e-45a4-882b-77ab1819af91/ |
| urllib3--urllib3 | urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source. | 2026-01-07 | not yet calculated | CVE-2026-21441 | https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99 https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b |
| vaadin--vaadin | Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility. In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist. Vaadin 14 is not affected as Spreadsheet component was not supported. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 7.0.0 - 7.7.49 Vaadin 8.0.0 - 8.29.1 Vaadin 23.1.0 - 23.6.5 Vaadin 24.0.0 - 24.8.13 Vaadin 24.9.0 - 24.9.6 Mitigation Upgrade to 7.7.50 Upgrade to 8.30.0 Upgrade to 23.6.6 Upgrade to 24.8.14 or 24.9.7 Upgrade to 25.0.0 or newer Artifacts Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server 7.0.0 - 7.7.49 ≥7.7.50 com.vaadin:vaadin-server 8.0.0 - 8.29.1 ≥8.30.0 com.vaadin:vaadin 23.1.0 - 23.6.5 ≥23.6.6 com.vaadin:vaadin24.0.0 - 24.8.13 ≥24.8.14 com.vaadin:vaadin24.9.0 - 24.9.6 ≥24.9.7 com.vaadin:vaadin-spreadsheet-flow 23.1.0 - 23.6.5 ≥23.6.6 com.vaadin:vaadin-spreadsheet-flow 24.0.0 - 24.8.13 ≥24.8.14 com.vaadin:vaadin-spreadsheet-flow 24.9.0 - 24.9.6 ≥24.9.7 | 2026-01-05 | not yet calculated | CVE-2025-15022 | https://vaadin.com/security/cve-2025-15022 https://github.com/vaadin/flow-components/pull/8285 |
| VanKarWai--Calafate | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Calafate calafate allows PHP Local File Inclusion.This issue affects Calafate: from n/a through <= 1.7.7. | 2026-01-06 | not yet calculated | CVE-2025-69342 | https://vdp.patchstack.com/database/Wordpress/Theme/calafate/vulnerability/wordpress-calafate-theme-1-7-7-local-file-inclusion-vulnerability?_s_id=cve |
| VanKarWai--Lobo | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection.This issue affects Lobo: from n/a through < 2.8.6. | 2026-01-08 | not yet calculated | CVE-2025-67921 | https://vdp.patchstack.com/database/Wordpress/Theme/lobo/vulnerability/wordpress-lobo-theme-2-8-6-sql-injection-vulnerability?_s_id=cve |
| vanquish--WooCommerce Orders & Customers Exporter | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows SQL Injection.This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4. | 2026-01-08 | not yet calculated | CVE-2025-22713 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-orders-ei/vulnerability/wordpress-woocommerce-orders-customers-exporter-plugin-5-4-sql-injection-vulnerability?_s_id=cve |
| Vernon Systems Limited--eHive Search | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vernon Systems Limited eHive Search ehive-search allows Reflected XSS.This issue affects eHive Search: from n/a through <= 2.5.0. | 2026-01-08 | not yet calculated | CVE-2025-67930 | https://vdp.patchstack.com/database/Wordpress/Plugin/ehive-search/vulnerability/wordpress-ehive-search-plugin-2-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Vivotek--IP7137 | Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. | 2026-01-09 | not yet calculated | CVE-2025-66049 | https://cert.pl/posts/2026/01/CVE-2025-66049 |
| Vivotek--IP7137 | Vivotek IP7137 camera with firmware version 0200a by default dos not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a need. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. | 2026-01-09 | not yet calculated | CVE-2025-66050 | https://cert.pl/posts/2026/01/CVE-2025-66049 |
| Vivotek--IP7137 | Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for administration panel is not set by default. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. | 2026-01-09 | not yet calculated | CVE-2025-66051 | https://cert.pl/posts/2026/01/CVE-2025-66049 |
| Vivotek--IP7137 | Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050, administrative access is not protected by default, The vendor has not replied to the CNA Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. | 2026-01-09 | not yet calculated | CVE-2025-66052 | https://cert.pl/posts/2026/01/CVE-2025-66049 |
| Wikimedia Foundation--MediaWiki - CampaignEvents extension | Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse.This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-09 | not yet calculated | CVE-2026-0817 | https://phabricator.wikimedia.org/T410560 https://gerrit.wikimedia.org/r/q/I7ed0049691258c8bd2555e599b9b88490fbe3358 |
| Wikimedia Foundation--MediaWiki - CSS extension | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wikimedia Foundation MediaWiki - CSS extension allows Path Traversal.This issue affects MediaWiki - CSS extension: 1.44, 1.43, 1.39. | 2026-01-07 | not yet calculated | CVE-2026-0669 | https://phabricator.wikimedia.org/T401526 https://gerrit.wikimedia.org/r/q/Ia15bf3f2e5a341868568492a736ac3dbf706c22e |
| Wikimedia Foundation--MediaWiki - ProofreadPage Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - ProofreadPage Extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-07 | not yet calculated | CVE-2026-0670 | https://phabricator.wikimedia.org/T409423 https://gerrit.wikimedia.org/r/q/I7c028db5ed81843aacd596b0ee4dc2980f5b6e3c |
| Wikimedia Foundation--MediaWiki - UploadWizard extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-08 | not yet calculated | CVE-2026-0671 | https://phabricator.wikimedia.org/T407157 https://gerrit.wikimedia.org/r/q/I16de2211594ea9a686868ad7789f9879bf981fa1 |
| Wikimedia Foundation--MediaWiki - VisualData Extension | Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup.This issue affects MediaWiki - VisualData Extension: 1.45. | 2026-01-07 | not yet calculated | CVE-2026-0668 | https://phabricator.wikimedia.org/T387008 https://gerrit.wikimedia.org/r/q/Ie08d9a8ceb2c9a22a635cfc27964353f14072dbf https://gerrit.wikimedia.org/r/q/Ifbf9c2ade621226e14fe852f3217293772bf8bb8 https://gerrit.wikimedia.org/r/q/I893a9fca694a2613e29e149dea2d76d7f06063e5 https://gerrit.wikimedia.org/r/q/I4ff2737c9f0ba805267d1fc8296e7cff61241ee3 |
| WofficeIO--Woffice | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS.This issue affects Woffice: from n/a through <= 5.4.30. | 2026-01-08 | not yet calculated | CVE-2025-67918 | https://vdp.patchstack.com/database/Wordpress/Theme/woffice/vulnerability/wordpress-woffice-theme-5-4-30-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WofficeIO--Woffice Core | Authorization Bypass Through User-Controlled Key vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woffice Core: from n/a through <= 5.4.30. | 2026-01-08 | not yet calculated | CVE-2025-67919 | https://vdp.patchstack.com/database/Wordpress/Plugin/woffice-core/vulnerability/wordpress-woffice-core-plugin-5-4-30-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| wolfSSL--wolfSSH | wolfSSH's key exchange state machine can be manipulated to leak the client's password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it's recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren't any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report. | 2026-01-06 | not yet calculated | CVE-2025-14942 | https://github.com/wolfSSL/wolfssh/pull/855 |
| wolfSSL--wolfSSH | A heap buffer over-read vulnerability exists in the wolfSSH_CleanPath() function in wolfSSH. An authenticated remote attacker can trigger the issue via crafted SCP path input containing '/./' sequences, resulting in a heap over read by 1 byte. | 2026-01-06 | not yet calculated | CVE-2025-15382 | https://github.com/wolfSSL/wolfssh/pull/859 |
| wolfSSL--wolfSSL-py | A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced. Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided. This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake. The issue affects versions up to and including 5.8.2. | 2026-01-07 | not yet calculated | CVE-2025-15346 | https://github.com/wolfSSL/wolfssl-py/pull/62 https://github.com/wolfSSL/wolfssl-py/commit/b4517dece79f682a8f453abce5cfc0b81bae769d https://github.com/wolfSSL/wolfssl-py/releases/tag/v5.8.4-stable |
| WPCenter--AffiliateX | Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AffiliateX: from n/a through <= 1.3.9.3. | 2026-01-06 | not yet calculated | CVE-2025-69346 | https://vdp.patchstack.com/database/Wordpress/Plugin/affiliatex/vulnerability/wordpress-affiliatex-plugin-1-3-9-3-broken-access-control-vulnerability?_s_id=cve |
| WPFactory--Wishlist for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Wishlist for WooCommerce wish-list-for-woocommerce allows Stored XSS.This issue affects Wishlist for WooCommerce: from n/a through <= 3.3.0. | 2026-01-06 | not yet calculated | CVE-2025-69334 | https://vdp.patchstack.com/database/Wordpress/Plugin/wish-list-for-woocommerce/vulnerability/wordpress-wishlist-for-woocommerce-plugin-3-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WPFunnels--Creator LMS | Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Creator LMS: from n/a through <= 1.1.12. | 2026-01-06 | not yet calculated | CVE-2025-69359 | https://vdp.patchstack.com/database/Wordpress/Plugin/creatorlms/vulnerability/wordpress-creator-lms-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve |
| yintibao--Fun Print Mobile | Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. | 2026-01-08 | not yet calculated | CVE-2025-15464 | https://korelogic.com/Resources/Advisories/KL-001-2026-001.txt |
| zlib software--zlib | zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation. | 2026-01-07 | not yet calculated | CVE-2026-22184 | https://seclists.org/fulldisclosure/2026/Jan/3 https://zlib.net/ https://github.com/madler/zlib https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname |
| zozothemes--Corpkit | Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.This issue affects Corpkit: from n/a through <= 2.0. | 2026-01-08 | not yet calculated | CVE-2025-67924 | https://vdp.patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-arbitrary-file-upload-vulnerability?_s_id=cve |
| zozothemes--Corpkit | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion.This issue affects Corpkit: from n/a through <= 2.0. | 2026-01-08 | not yet calculated | CVE-2025-67925 | https://vdp.patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-local-file-inclusion-vulnerability?_s_id=cve |
請即與我們聯絡: fix@hk-computer-repair.com
有用連結:
